From f7c2a3998ac4da9ce6fb0bcdab418afc8bdac90e Mon Sep 17 00:00:00 2001
From: Chad Wilson
Date: Wed, 30 Mar 2022 13:56:19 +1300
Subject: [PATCH] Bump jackson-databind to 2.13.2.2 via switching to BOM
Individual libs in Jackson don't necessarily all get released at the same time. The BOM is the right way to ensure versions are all on latest. In this case, to get a CVE patched within databind. See https://github.com/FasterXML/jackson-databind/issues/3428 for more detail
---
 dependencies.gradle | 5 ++---
 spark/spark-base/build.gradle | 5 +++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/dependencies.gradle b/dependencies.gradle
index 2a4d5cd236f..790693192b5 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -61,7 +61,7 @@ final Map libraries = [
 hamcrest : 'org.hamcrest:hamcrest-core:2.2',
 hibernate : 'org.hibernate:hibernate-ehcache:3.6.10.Final',
 httpClientMock : 'com.github.paweladamski:HttpClientMock:1.10.0',
- jackson : 'com.fasterxml.jackson.core:jackson-core:2.13.2',
+ jacksonBom : 'com.fasterxml.jackson:jackson-bom:2.13.2.20220328',
 javaAssist : 'javassist:javassist:3.12.1.GA',
 javaxAnnotation : 'javax.annotation:javax.annotation-api:1.3.2',
 jaxb : 'javax.xml.bind:jaxb-api:2.3.1',
@@ -142,7 +142,7 @@ final Map v = [
 h2 : versionOf(libraries.h2),
 hamcrest : versionOf(libraries.hamcrest),
 hibernate : versionOf(libraries.hibernate),
- jackson : versionOf(libraries.jackson),
+ jacksonBom : versionOf(libraries.jacksonBom),
 javaAssist : versionOf(libraries.javaAssist),
 javaxAnnotation : versionOf(libraries.javaxAnnotation),
 jaxb : versionOf(libraries.jaxb),
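Review bot: `v.jacksonBom` in the `v` map (fed by the new `jacksonBom` entry in `libraries`) now holds the BOM's own date-stamped release id, `2.13.2.20220328`, which as far as I know is not a version the individual Jackson artifacts are published under, so interpolating it the way the other `v.*` entries are used in `related` (as `${v.jackson}` was) would request an artifact that does not exist. A short comment on the `libraries` entry would prevent that, e.g. `// BOM coordinate: import with platform(); do not use v.jacksonBom as an artifact version`. Only two files change in this patch, so any other build script still reading `deps.jackson`, `deps.jacksonDatabind` or `v.jackson` (none visible here) would presumably now get null from these maps and is worth a repository-wide search before merging.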
@@ -196,7 +196,6 @@ final Map related = [
 aspectjWeaver : "org.aspectj:aspectjweaver:${v.aspectj}",
 bouncyCastlePkix : "org.bouncycastle:bcpkix-jdk15on:${v.bouncyCastle}",
 hamcrestLibrary : "org.hamcrest:hamcrest-library:${v.hamcrest}",
- jacksonDatabind : "com.fasterxml.jackson.core:jackson-databind:${v.jackson}",
 jaxbRuntime : "org.glassfish.jaxb:jaxb-runtime:${v.jaxb}",
 jettyDeploy : "org.eclipse.jetty:jetty-deploy:${v.jetty}",
 jettyJmx : "org.eclipse.jetty:jetty-jmx:${v.jetty}",
diff --git a/spark/spark-base/build.gradle b/spark/spark-base/build.gradle
index 54c58507c3b..476c63c0fda 100644
--- a/spark/spark-base/build.gradle
+++ b/spark/spark-base/build.gradle
@@ -20,8 +20,9 @@ dependencies {
 api project(':common')
 api project(':server')
- implementation project.deps.jackson
- implementation project.deps.jacksonDatabind
+ implementation(platform(project.deps.jacksonBom))
+ implementation 'com.fasterxml.jackson.core:jackson-core'
+ implementation 'com.fasterxml.jackson.core:jackson-databind'
 implementation project.deps.springWeb
 api(project.deps.spark) {
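Review bot: The BOM is imported only through this module's `implementation` configuration, so the patched databind is only guaranteed where spark-base's dependencies are resolved; any other module that reaches jackson-databind transitively (possibly `:common` or `:server`, whose build files are not in this patch) still resolves whatever its own graph requests. `platform(...)` also contributes the BOM versions as ordinary constraints rather than forcing them, which works as a floor for the CVE fix but will not stop a different, higher transitive version from winning. Consider declaring the platform once for all subprojects and confirming the outcome with `./gradlew dependencyInsight --dependency jackson-databind --configuration runtimeClasspath` on each shipped module. The two hard-coded coordinates also bypass the `project.deps.*` convention the neighbouring lines use; versionless entries in dependencies.gradle would keep the coordinates in one place. The `dependencies` block continues outside the hunk.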