fix: 更新 jackson-databind 依赖版本以缓解 CVE-2022-42004 漏洞.

CVE-2022-42004 漏洞报告指出, 由于 jackson-databind 的有关错误, 导致对象序列化过程可能存在数据错误的问题,
目前 jackson-databind 已发布 2.13.4.2 版本以解决该问题, 由于引入 jackson-databind 的 telegrambots 库尚未发布针对该问题的修复版本,
故在本项目中引入新版依赖项, 以确保用户不受该问题影响.
该版本已在 TelegramBots 项目(版本 6.1.0)中进行测试, 测试通过.
------------------------------------------
https://devhub.checkmarx.com/cve-details/CVE-2022-42004/

scalabot-app/build.gradle.kts

@@ -32,6 +32,10 @@ dependencies {
     implementation("org.telegram:telegrambots-abilities:6.1.0")
     implementation("org.telegram:telegrambots:6.1.0")
 
+    // Added as a mitigation measure for vulnerabilities.
+    // When the relevant reference dependency updates it, it will be removed.
+    implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
+
     implementation("io.prometheus:simpleclient:0.16.0")
     implementation("io.prometheus:simpleclient_httpserver:0.16.0")
 

scalabot-extension/build.gradle.kts

@@ -12,6 +12,10 @@ dependencies {
     api("org.telegram:telegrambots-abilities:6.1.0")
     api("org.slf4j:slf4j-api:2.0.0")
 
+    // Added as a mitigation measure for vulnerabilities.
+    // When the relevant reference dependency updates it, it will be removed.
+    implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
+
     testImplementation("org.junit.jupiter:junit-jupiter-api:5.9.0")
     testImplementation("org.mockito:mockito-core:4.7.0")
     testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine")

scalabot-meta/build.gradle.kts

@@ -14,6 +14,10 @@ dependencies {
 
     implementation("org.telegram:telegrambots-meta:6.1.0")
 
+    // Added as a mitigation measure for vulnerabilities.
+    // When the relevant reference dependency updates it, it will be removed.
+    implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
+
     api("com.google.code.gson:gson:2.9.0")
 
     testImplementation(kotlin("test"))