Multiple Critical/High severity CVE's in the version of Jackson Databind

[jswingle-git]

The version of jackson-databind is subject to the following:

critical CVE's
CVE-2018-14719
CVE-2019-20330
CVE-2019-14892
CVE-2018-19360
CVE-2020-9547
CVE-2020-9546
CVE-2018-19362
CVE-2018-19361
CVE-2018-14720
CVE-2017-15095
CVE-2019-14379
CVE-2019-14540
CVE-2019-17267
CVE-2019-14893
CVE-2018-14718
CVE-2018-7489
CVE-2020-9548
CVE-2020-8840
CVE-2018-11307
CVE-2019-16335
CVE-2019-16943
CVE-2017-17485
CVE-2019-17531
CVE-2018-14721
CVE-2019-16942

High CVE's
CVE-2020-14195
CVE-2020-36185
CVE-2020-36184
CVE-2020-14195
CVE-2020-24750
CVE-2020-35728
CVE-2019-12086
CVE-2020-36185
CVE-2020-36187
CVE-2020-24616
CVE-2018-5968
CVE-2020-36182
CVE-2020-11113
CVE-2020-11619
CVE-2020-11111
CVE-2018-12023
CVE-2020-11112
CVE-2020-11620
CVE-2020-10673
CVE-2020-10968
CVE-2020-10672
CVE-2020-10969
CVE-2020-14060
CVE-2019-14439
CVE-2018-12022
CVE-2020-14061

Can the jackson-databind dependency be updated to 2.9.10.8 or above?

[tronda]

jackson-databind is used by Spark. In order to get this dependency to a version without CVE's the dependecy need to be bumped to latest in version 3.3.X or 3.2.X. I've tried to upgrade to the latest version of Spark, but then I get a compilation error on flatMapValues method which seems to have changed the signature. I have no knowledge of Spark so not sure what the best approach forward is here.

[tronda]

We have overridden the Jackson dependencies and created a custom docker container which we are using internally. Addresses the critical vulnerabilities:
https://github.com/DIPSAS/spark-dependencies

[ruospalo]

I've created #135 that bumped spark to the latest version and fixes all the above CVEs