Suppress jackson-databind CVE-2018-1000873, won't fix in 2.8.x series

Dwayne Bailey · Dwayne Bailey · commit b10abb831780 · 2019-01-29T13:07:31.000Z
Upstream is not fixing this issue in 2.8.x we need to upgrade to at least >= 2.9.8. Ref FasterXML/jackson-modules-java8#90 (comment) RDM-3796
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
@@ -124,8 +124,11 @@
         <cve>CVE-2018-19362</cve>
     </suppress>
     <suppress>
-        <notes>Temporarily suppress jackson-databind CVE see RDM-3796</notes>
-        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:.*$</gav>
+        <notes>jackson-databind 2.8.x will not get a fix for this CVE.  We need
+            to upgrade to 2.9.x. See
+            https://github.com/FasterXML/jackson-modules-java8/issues/90#issuecomment-450544881
+            and RDM-3796</notes>
+        <gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
         <cve>CVE-2018-1000873</cve>
     </suppress>
     <suppress>
