From 90110335f5ce438426ff88916a7e099e9bfb6bf3 Mon Sep 17 00:00:00 2001
From: LamGC
Date: Thu, 20 Oct 2022 01:41:48 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E6=9B=B4=E6=96=B0=20jackson-databind=20?=
 =?UTF-8?q?=E4=BE=9D=E8=B5=96=E7=89=88=E6=9C=AC=E4=BB=A5=E7=BC=93=E8=A7=A3?=
 =?UTF-8?q?=20CVE-2022-42004=20=E6=BC=8F=E6=B4=9E.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2022-42004 漏洞报告指出, 由于 jackson-databind 的有关错误, 导致对象序列化过程可能存在数据错误的问题, 目前 jackson-databind 已发布 2.13.4.2 版本以解决该问题, 由于引入 jackson-databind 的 telegrambots 库尚未发布针对该问题的修复版本, 故在本项目中引入新版依赖项, 以确保用户不受该问题影响. 该版本已在 TelegramBots 项目(版本 6.1.0)中进行测试, 测试通过.
------------------------------------------
https://devhub.checkmarx.com/cve-details/CVE-2022-42004/
---
 scalabot-app/build.gradle.kts       | 4 ++++
 scalabot-extension/build.gradle.kts | 4 ++++
 scalabot-meta/build.gradle.kts      | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/scalabot-app/build.gradle.kts b/scalabot-app/build.gradle.kts
index 5f22cf8..4870f3c 100644
--- a/scalabot-app/build.gradle.kts
+++ b/scalabot-app/build.gradle.kts
@@ -32,6 +32,10 @@ dependencies {
 implementation("org.telegram:telegrambots-abilities:6.1.0")
 implementation("org.telegram:telegrambots:6.1.0")
 
+ // Added as a mitigation measure for vulnerabilities.
+ // When the relevant reference dependency updates it, it will be removed.
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
+
 implementation("io.prometheus:simpleclient:0.16.0")
 implementation("io.prometheus:simpleclient_httpserver:0.16.0")
 
diff --git a/scalabot-extension/build.gradle.kts b/scalabot-extension/build.gradle.kts
index ddb3e01..0b792cb 100644
--- a/scalabot-extension/build.gradle.kts
+++ b/scalabot-extension/build.gradle.kts
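Review bot: The added `implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")` only wins through Gradle's default highest-version conflict resolution, and it does so by declaring a direct dependency the app code does not itself use, with a comment that names neither the CVE nor the dependency it is overriding. A `constraints` block with `because(...)` expresses the same override without a direct dependency and keeps the reason in the resolved graph, and the comment should state the removal condition concretely, e.g. `// CVE-2022-42004 mitigation: telegrambots 6.1.0 pulls in a vulnerable jackson-databind; drop once telegrambots ships >= 2.13.4.2.`. The hunk does not show which jackson-core/jackson-annotations versions telegrambots brings, so confirm with `./gradlew :scalabot-app:dependencies --configuration runtimeClasspath` that jackson-databind resolves to 2.13.4.2 and the sibling artifacts are not left on an older patch level. The "tested" claim in the description is manual; a dependency-version check in CI would keep this mitigation from silently regressing when telegrambots is next bumped.
```kotlin
dependencies {
    // … unchanged: telegrambots dependencies …

    // CVE-2022-42004 mitigation (see the advisory linked in the commit message):
    // telegrambots 6.1.0 pulls in a vulnerable jackson-databind. Drop this
    // constraint once telegrambots ships jackson-databind >= 2.13.4.2.
    constraints {
        implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2") {
            because("CVE-2022-42004: override the jackson-databind version pulled in by telegrambots 6.1.0")
        }
    }

    // … unchanged: prometheus dependencies …
```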
@@ -12,6 +12,10 @@ dependencies {
 api("org.telegram:telegrambots-abilities:6.1.0")
 api("org.slf4j:slf4j-api:2.0.0")
 
+ // Added as a mitigation measure for vulnerabilities.
+ // When the relevant reference dependency updates it, it will be removed.
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
+
 testImplementation("org.junit.jupiter:junit-jupiter-api:5.9.0")
 testImplementation("org.mockito:mockito-core:4.7.0")
 testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine")
diff --git a/scalabot-meta/build.gradle.kts b/scalabot-meta/build.gradle.kts
index 0d00f8f..7d6e409 100644
--- a/scalabot-meta/build.gradle.kts
+++ b/scalabot-meta/build.gradle.kts
@@ -14,6 +14,10 @@ dependencies {
 implementation("org.telegram:telegrambots-meta:6.1.0")
 
+ // Added as a mitigation measure for vulnerabilities.
+ // When the relevant reference dependency updates it, it will be removed.
+ implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
+
 api("com.google.code.gson:gson:2.9.0")
 testImplementation(kotlin("test"))
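Review bot: In scalabot-extension the override is declared in `implementation` scope while `api("org.telegram:telegrambots-abilities:6.1.0")` is exported, so a consumer of this module inherits telegrambots-abilities — and, if that artifact declares jackson-databind as a compile-scope dependency (not visible in this hunk), the vulnerable jackson-databind — on its compile classpath, while the 2.13.4.2 override only reaches the consumer's runtime classpath. The runtime classpath is the one that matters for the CVE, but the split is worth closing by declaring the override as `api("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")` (or as a constraint in `api` scope) so downstream builds resolve a single version everywhere. The comment `// When the relevant reference dependency updates it, it will be removed.` leaves the removal condition uncheckable; replace it with `// Overrides the jackson-databind that telegrambots 6.1.0 brings in (CVE-2022-42004); remove once telegrambots ships jackson-databind >= 2.13.4.2.` so the next maintainer knows what to verify before deleting it.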