
Bump jackson-core to 2.18.6 in ferstl-depgraph-dependencies (CVE-2025-52999)#21868

Open
Copilot wants to merge 4 commits into
mainfrom
copilot/bump-jackson-core-to-2150

Conversation

Copilot AI commented May 19, 2026

jackson-core 2.14.1 bundled in ferstl-depgraph-dependencies is vulnerable to CVE-2025-52999 (StackOverflowError on deeply nested JSON, fixed in 2.15.0). This updates the companion github/codeql integration-test expected files to match the rebuilt plugin bundle.

Expected file updates

The internal semmle-code companion PR rebuilds depgraph-maven-plugin with:

  • Jackson 2.14.1 → 2.18.6 (fixes CVE; aligns with main CodeQL Java dependency set)
  • Plugin coordinate 4.0.3-CodeQL → 4.0.3-CodeQL-2 (ensures Maven cache invalidation)
  • jackson-parent 2.14 → 2.18.4, com/fasterxml/oss-parent 48 → 69 (transitive POM parents)

Updated files:

  • maven-fetches.expected (×3: buildless-maven, buildless-maven-existing-settings-xml, buildless-maven-mirrorof) — new Jackson/oss-parent paths and plugin coordinate
  • diagnostics.expected (×2: buildless-maven-timeout, buildless-maven-tolerate-unavailable-dependency) — plugin version string in diagnostic messages

Auto-update script

Adds java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh to automate future dependency bumps. The script:

  1. Clones ferstl/depgraph-maven-plugin at tag depgraph-maven-plugin-4.0.3
  2. Patches pom.xml (version suffix, Guava, Jackson)
  3. Builds with mvn package install -DskipTests
  4. Packages the resolved local repo into a zip (to be dropped into semmle-code)
  5. Rewrites all affected *.expected files in-place

```bash
# Default: Jackson 2.18.6, Guava 33.4.0-jre
./java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh

# Override versions explicitly
./java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh 2.19.0 33.4.0-jre
```

Requires JDK 17, Maven 3.9.x (not 4.x), git, python3.

…-52999)

- Update 3 maven-fetches.expected files: jackson 2.14.1→2.18.6,
  jackson-parent 2.14→2.18.4, oss-parent 48→69,
  plugin version 4.0.3-CodeQL→4.0.3-CodeQL-2
- Update 2 diagnostics.expected files: plugin version reference
  4.0.3-CodeQL→4.0.3-CodeQL-2
- Add update-ferstl-depgraph-dependencies.sh auto-update script
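The final step of the procedure above (rewriting the affected `*.expected` files in place) is the part most likely to silently produce wrong fixtures when an old version token is not found. The following is an added example, not the PR's own script: it detects the current version of each of the four artifacts this bump touches from a constructed sample of a `maven-fetches.expected` file, refuses to edit the file if any of them is missing, and rewrites each token only where it follows its own artifact id, so `jackson-parent 2.14` is never confused with `jackson-core 2.14.1`. The sample file content and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's own script: rewrite the version tokens of the
# four artifacts this bump touches in a maven-fetches.expected file, and
# refuse to edit the file at all if any current version cannot be detected.
set -eu

# Constructed sample of the kind of lines such an expected file lists
# (assumption about the format; only the artifact paths matter here).
SAMPLE='com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.pom
com/fasterxml/jackson/jackson-parent/2.14/jackson-parent-2.14.pom
com/fasterxml/oss-parent/48/oss-parent-48.pom
com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.pom'

# detect_version FILE ARTIFACT: print the version directory that follows
# ARTIFACT/ in FILE; exit non-zero (printing nothing) if it is absent.
detect_version() {
    sed -n "s|.*/$2/\([^/]*\)/.*|\1|p" "$1" | head -n 1 | grep .
}

# rewrite_artifact FILE ARTIFACT OLD NEW: replace ARTIFACT/OLD/ and ARTIFACT-OLD.
# only, so the token of one artifact never matches inside another's version.
rewrite_artifact() {
    old_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    sed "s|\($2[/-]\)$old_re\([/.]\)|\1$4\2|g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# bump_expected FILE JACKSON JACKSON_PARENT OSS_PARENT PLUGIN: detect all four
# current versions first, then rewrite; a missing one aborts before any edit.
bump_expected() {
    f=$1
    old_core=$(detect_version "$f" jackson-core) || { echo "no jackson-core in $f" >&2; return 1; }
    old_parent=$(detect_version "$f" jackson-parent) || { echo "no jackson-parent in $f" >&2; return 1; }
    old_oss=$(detect_version "$f" oss-parent) || { echo "no oss-parent in $f" >&2; return 1; }
    old_plugin=$(detect_version "$f" depgraph-maven-plugin) || { echo "no plugin in $f" >&2; return 1; }
    rewrite_artifact "$f" jackson-core "$old_core" "$2"
    rewrite_artifact "$f" jackson-parent "$old_parent" "$3"
    rewrite_artifact "$f" oss-parent "$old_oss" "$4"
    rewrite_artifact "$f" depgraph-maven-plugin "$old_plugin" "$5"
}

# Stand-alone demo on the constructed sample: prints the rewritten paths.
demo=$(mktemp)
printf '%s\n' "$SAMPLE" > "$demo"
bump_expected "$demo" 2.18.6 2.18.4 69 4.0.3-CodeQL-2
cat "$demo"
rm -f "$demo"
```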
Copilot AI changed the title [WIP] Update jackson-core to version 2.15.0 for CVE-2025-52999 Bump jackson-core to 2.18.6 in ferstl-depgraph-dependencies (CVE-2025-52999) May 19, 2026
Copilot AI requested a review from oscarsj May 19, 2026 11:53
@github-actions github-actions Bot added the Java label May 19, 2026
@oscarsj oscarsj marked this pull request as ready for review May 20, 2026 12:00
@oscarsj oscarsj requested a review from a team as a code owner May 20, 2026 12:00
@oscarsj oscarsj requested review from Copilot and navntoft May 20, 2026 12:00

Copilot AI left a comment


Pull request overview

Updates the buildless Java extractor’s bundled ferstl-depgraph-dependencies integration-test expectations to reflect a rebuilt depgraph-maven-plugin bundle that pulls in a non-vulnerable Jackson version (addressing CVE-2025-52999), and adds an automation script to reproduce these updates.

Changes:

  • Add a new script to rebuild/package the ferstl/depgraph-maven-plugin dependency bundle and rewrite affected *.expected files.
  • Update maven-fetches.expected fixtures to reflect Jackson 2.18.6 (and updated transitive parent POMs) plus the bumped plugin coordinate 4.0.3-CodeQL-2.
  • Update diagnostics.expected fixtures to reflect the new plugin version string in diagnostic messages.
| File | Description |
| --- | --- |
| java/ql/integration-tests/update-ferstl-depgraph-dependencies.sh | New automation script to rebuild the depgraph plugin bundle and update integration-test expected files. |
| java/ql/integration-tests/java/buildless-maven/maven-fetches.expected | Updates expected Maven fetches to new Jackson + plugin coordinate. |
| java/ql/integration-tests/java/buildless-maven-existing-settings-xml/maven-fetches.expected | Same expected-fetch updates for the existing-settings scenario. |
| java/ql/integration-tests/java/buildless-maven-mirrorof/maven-fetches.expected | Same expected-fetch updates for the mirror-of scenario. |
| java/ql/integration-tests/java/buildless-maven-timeout/diagnostics.expected | Updates diagnostic message to reference the new plugin version. |
| java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/diagnostics.expected | Updates diagnostic message to reference the new plugin version. |

Copilot's findings

  • Files reviewed: 6/6 changed files
  • Comments generated: 3

Comment on lines +147 to +156
OLD_JACKSON="$(grep -oP 'jackson-core/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
OLD_PLUGIN="$(grep -oP 'depgraph-maven-plugin/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
OLD_OSS_PARENT="$(grep -oP 'fasterxml/oss-parent/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"
OLD_JACKSON_PARENT="$(grep -oP 'jackson-parent/\K[^/]+(?=/)' "${EXPECTED_FILE}" | head -1)"

# Resolve new parent versions from the artifacts Maven just resolved.
NEW_JACKSON_PARENT="$(find "${LOCAL_REPO}/com/fasterxml/jackson/jackson-parent" \
-name "jackson-parent-*.pom" | sort | tail -1 | grep -oP '[\d.]+(?=\.pom)')"
NEW_OSS_PARENT="$(find "${LOCAL_REPO}/com/fasterxml/oss-parent" \
-name "oss-parent-*.pom" | sort | tail -1 | grep -oP '[0-9]+(?=\.pom)')"
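Review bot: OLD_JACKSON, OLD_PLUGIN, OLD_OSS_PARENT and OLD_JACKSON_PARENT are never checked for emptiness; if an expected file lacks one of these paths, or the `grep -oP` pattern does not match, the variable is empty and the later in-place rewrite runs with an empty search string. Add a guard after each assignment, e.g. `[ -n "${OLD_JACKSON}" ] || { echo "cannot detect old jackson-core version in ${EXPECTED_FILE}" >&2; exit 1; }`, or fold the four lookups into one helper that fails on no match. Note also that `grep -oP` needs GNU grep with PCRE support, which the "Requires JDK 17, Maven 3.9.x, git, python3" line does not mention; either document it or use a `sed -n 's|...|\1|p'` extraction that works with any POSIX grep/sed.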
Comment on lines +153 to +157
NEW_JACKSON_PARENT="$(find "${LOCAL_REPO}/com/fasterxml/jackson/jackson-parent" \
-name "jackson-parent-*.pom" | sort | tail -1 | grep -oP '[\d.]+(?=\.pom)')"
NEW_OSS_PARENT="$(find "${LOCAL_REPO}/com/fasterxml/oss-parent" \
-name "oss-parent-*.pom" | sort | tail -1 | grep -oP '[0-9]+(?=\.pom)')"
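Review bot: `sort | tail -1` picks the lexicographically largest POM filename, not the highest version, so if the local repo ever contains more than one parent POM (for example jackson-parent-2.18.4.pom next to jackson-parent-2.9.pom, or oss-parent-69.pom next to oss-parent-7.pom) the wrong one is selected and the expected files are rewritten with a version that was not actually resolved for this build. Use `sort -V` (GNU coreutils) or, more robustly, read the `<parent><version>` of the resolved jackson-core POM and then of jackson-parent, so the values are derived from the artifact chain rather than from whatever happens to be in the directory.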

Comment on lines +227 to +231
echo " 1. Copy ${ZIP_OUT} -> semmle-code resources/lib/ferstl-depgraph-dependencies/ferstl-depgraph-dependencies.zip"
echo " 2. In semmle-code, update autobuild/src/com/semmle/util/build/Maven.java:"
echo " bump the plugin version constant to '${PLUGIN_CODEQL_VERSION}'"
echo " 3. Commit and raise PRs in both repositories."
trap - EXIT
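Review bot: `trap - EXIT` on the last line clears the cleanup handler registered earlier, so on the success path whatever that trap removes (presumably the working directory holding ${ZIP_OUT} and the build output) is intentionally left behind; add a comment saying so and print that directory alongside step 1, because a reader of the printed instructions otherwise has no indication that the script leaves files to clean up. Step 2 would also benefit from naming the constant in Maven.java that has to be bumped rather than just the file.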