Skip to content

Upgrade json-smart version to 2.5.2 in response to CVE-2024-57699#24631

Merged
yingsu00 merged 2 commits intoprestodb:masterfrom
ShahimSharafudeen:CVE-2024-57699_json-smart_fix
Mar 5, 2025
Merged

Upgrade json-smart version to 2.5.2 in response to CVE-2024-57699#24631
yingsu00 merged 2 commits intoprestodb:masterfrom
ShahimSharafudeen:CVE-2024-57699_json-smart_fix

Conversation

@ShahimSharafudeen
Copy link
Contributor

@ShahimSharafudeen ShahimSharafudeen commented Feb 26, 2025
edited
Loading

Description

Upgrade the json-smart dependency to version 2.5.2 to address CVE-2024-57699. The json-smart dependency is a transitive dependency of com.jayway.jsonpath:json-path:2.9.0, which uses an older version that contains this vulnerability. Therefore, upgrading the json-smart dependency to 2.5.2 resolves the issue. 'json-smart' 2.5.2 uses the latest version of org.ow2.asm:asm 9.7.1, therefore avoiding future conflicts by upgrading the asm version to 9.7.1.

Motivation and Context

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes

* Upgrade json-smart version to 2.5.2 in response to `CVE-2024-57699 <https://nvd.nist.gov/vuln/detail/CVE-2024-57699>`_.

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Feb 26, 2025
@ShahimSharafudeen ShahimSharafudeen force-pushed the CVE-2024-57699_json-smart_fix branch 2 times, most recently from 815a53e to 4c63e80 Compare February 26, 2025 18:11
@ShahimSharafudeen ShahimSharafudeen marked this pull request as ready for review February 27, 2025 04:12
@ShahimSharafudeen ShahimSharafudeen requested a review from a team as a code owner February 27, 2025 04:12
@prestodb-ci prestodb-ci requested review from a team, jp-sivaprasad and nishithakbhaskaran and removed request for a team February 27, 2025 04:12
nishithakbhaskaran
nishithakbhaskaran approved these changes Feb 27, 2025
View reviewed changes
Copy link
Contributor

@nishithakbhaskaran nishithakbhaskaran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix!

agrawalreetika
agrawalreetika previously approved these changes Feb 27, 2025
View reviewed changes
ZacBlanco
ZacBlanco reviewed Feb 27, 2025
View reviewed changes
Copy link
Contributor

@ZacBlanco ZacBlanco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that this PR is necessary. I could not find a usage of json-smart with version other than 2.5.0 in the dependency tree when running ./mvnw dependency:tree. This PR doesn't effectively do anything other than pinning the version to 2.5.0 - which all of our modules already use. We should avoid pinning a transitive dependency unless it is pulling up a version for a specific module.

@ShahimSharafudeen
Copy link
Contributor Author

ShahimSharafudeen commented Feb 28, 2025

I don't think that this PR is necessary. I could not find a usage of json-smart with version other than 2.5.0 in the dependency tree when running ./mvnw dependency:tree. This PR doesn't effectively do anything other than pinning the version to 2.5.0 - which all of our modules already use. We should avoid pinning a transitive dependency unless it is pulling up a version for a specific module.

@ZacBlanco – The json-smart:2.5.0 is a transitive dependency of com.jayway.jsonpath:json-path:2.9.0, and json-path:2.9.0 is the latest release version in the Maven repository, which contains this(CVE-2024-57699) vulnerability. json-smart:2.5.2 addresses this high-severity vulnerability.

ZacBlanco
ZacBlanco previously approved these changes Feb 28, 2025
View reviewed changes
Copy link
Contributor

@ZacBlanco ZacBlanco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry when I was reviewing earlier I must have had the wrong branch checked out. I looked again and see that 2.5.2 replaces 2.5.0 everywhere. This should be good

@ShahimSharafudeen
Upgrade asm dependencies
4b8771e 
Upgrade the asm dependencies from 9.3 to 9.7.1
@ShahimSharafudeen ShahimSharafudeen force-pushed the CVE-2024-57699_json-smart_fix branch from 4c63e80 to 8435bd6 Compare March 4, 2025 05:43
@ShahimSharafudeen ShahimSharafudeen force-pushed the CVE-2024-57699_json-smart_fix branch from 8435bd6 to b760b15 Compare March 4, 2025 08:13
@ShahimSharafudeen
Copy link
Contributor Author

ShahimSharafudeen commented Mar 4, 2025

@ZacBlanco - 'json-smart' 2.5.2 uses the latest version of org.ow2.asm:asm 9.7.1, therefore avoiding future conflicts by upgrading the asm dependency version to 9.7.1.

@ShahimSharafudeen
Copy link
Contributor Author

ShahimSharafudeen commented Mar 5, 2025

@yingsu00 / @jaystarshot Can you please have a look whenever you get a chance? Thanks.

@yingsu00 yingsu00 merged commit 7537e2a into prestodb:master Mar 5, 2025
53 checks passed
This was referenced Mar 10, 2025
Closed
Closed
@prestodb-ci prestodb-ci mentioned this pull request Mar 28, 2025
Merged
30 tasks
@prestodb-ci prestodb-ci requested review from a team and sh-shamsan and removed request for a team April 3, 2025 04:03
@unidevel unidevel mentioned this pull request Apr 25, 2025
Closed
30 tasks
This was referenced May 6, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ZacBlanco ZacBlanco ZacBlanco approved these changes

@agrawalreetika agrawalreetika agrawalreetika approved these changes

@yingsu00 yingsu00 yingsu00 approved these changes

@nishithakbhaskaran nishithakbhaskaran nishithakbhaskaran approved these changes

@jaystarshot jaystarshot Awaiting requested review from jaystarshot jaystarshot is a code owner automatically assigned from prestodb/committers

@jp-sivaprasad jp-sivaprasad Awaiting requested review from jp-sivaprasad jp-sivaprasad was automatically assigned from prestodb/ibm-reviewers

@sh-shamsan sh-shamsan Awaiting requested review from sh-shamsan sh-shamsan was automatically assigned from prestodb/ibm-reviewers

Assignees

No one assigned

Labels

from:IBM PR from IBM Security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@ShahimSharafudeen @ZacBlanco @agrawalreetika @yingsu00 @nishithakbhaskaran @ethanyzhang @prestodb-ci