The DSE jar is using the Jackson-databind library. Twistlock reported critical vulnerabilities for the Jackson-databind version used in DSE. I tried to use a different version via a dependency in pom.xml.
However, DSE is not using the secured version suggested by the Twistlock report. Is it tightly coupled with the older version? This critical vulnerability is blocking deployment in the K8S cluster.
I tried the following dependencies:
<dependency>
    <groupId>com.datastax.oss</groupId>
    <artifactId>java-driver-core</artifactId>
    <version>4.7.2</version>
</dependency>
<dependency>
    <groupId>com.datastax.dse</groupId>
    <artifactId>dse-java-driver-graph</artifactId>
    <version>1.9.0</version>
</dependency>
<dependency>
    <groupId>io.dropwizard.metrics</groupId>
    <artifactId>metrics-core</artifactId>
    <version>3.2.2</version>
</dependency>
Can you provide us with the pom dependencies to remove the existing vulnerabilities?