Document Tree
Document Properties
Kbid
2H9139
Last Modified
02-Dec-2022
Added to KB
18-Jul-2019
Public Access
Everyone
Status
Online
Doc Type
Guidelines
Product
ICM 7.10
Guide - 7.10.18.0 Security Update of Libraries

Introduction

Several libraries with vulnerabilities were updated and can potentially break the implementation.

LibraryOld VersionNew Version
com.fasterxml.jackson.core:jackson-annotations2.8.62.9.10
com.fasterxml.jackson.core:jackson-core2.8.62.9.10
com.fasterxml.jackson.core:jackson-databind2.8.62.9.10
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor2.6.62.9.10
com.fasterxml.jackson.datatype:jackson-datatype-jdk82.8.62.9.10
com.fasterxml.jackson.datatype:jackson-datatype-jsr3102.8.62.9.10
com.fasterxml.jackson.jaxrs:jackson-jaxrs-base2.8.62.9.10
com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider2.8.62.9.10
com.fasterxml.jackson.module:jackson-module-jaxb-annotations2.8.62.9.10
com.google.guava:guava21.024.1-jre
com.google.errorprone:error_prone_annotations
2.3.1
com.google.protobuf:protobuf-java3.1.03.11.1
com.thoughtworks.xstream:xstream1.4.91.4.11
commons-beanutils:commons-beanutils1.9.31.9.4
commons-codec:commons-codec1.101.13
commons-fileupload:commons-fileupload1.3.21.4
org.jasypt:jasypt1.9.11.9.2

Migration

Version Conflict

In case of version conflicts of underlying and custom libraries, the version must be defined explicitly. The build.gradle can contain the following block:

build.gradle
versionRecommendation {
    provider {
        // thirdparty.version to resolve version conflicts of custom cartridges
        properties('thirdparty', file('thirdparty.version')) {}
    }
}

Example version file to resolve version conflict for library "error_prone_annotations".

thirdparty.version
com.google.errorprone:error_prone_annotations=2.3.1

Class Collision Check Failed

Some libraries can contain resources which have the same name. To exclude such resources, a configuration of the task must be adapted:

* What went wrong:
Execution failed for task ':<assembly>:checkClassCollisions'.
> There are class collisions in your dependencies
   > Collision between io.github.classgraph:classgraph:4.6.32 and net.bytebuddy:byte-buddy:1.9.10
      > META-INF.versions.9.module-info
build.gradle of assembly
// verify whole server classpath to be collision-free
checkClassCollisions {
    allCartridges = true
    ignore 'META-INF.versions.\\d+.module-info' // ignore module-info.class files in META-INF/**cd
}
Disclaimer
The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.
Home
Knowledge Base
Product Releases
Log on to continue
This Knowledge Base document is reserved for registered customers.
Log on with your Intershop Entra ID to continue.
Write an email to supportadmin@intershop.de if you experience login issues,
or if you want to register as customer.