Commit

Add links to AdaLogics Jackson Security Audit document
cowtowncoder committed Nov 2, 2022
1 parent 6d0d597 commit 561a5bf
Showing 2 changed files with 23 additions and 9 deletions.
22 changes: 14 additions & 8 deletions README.md
@@ -1,13 +1,13 @@
<a href="CONTRIBUTING.md" alt="Hacktoberfest"><img src="https://badgen.net/badge/hacktoberfest/friendly/pink" /></a>
[![Open Source](https://badges.frapsoft.com/os/v3/open-source.svg?v=103)](https://opensource.org/)


# Jackson Project Home @github

This is the home page of the Jackson Project.

## What is New?

* Nov 2, 2022: AdaLogics Security Audit for Jackson released -- see Document/Reports
* Oct 28, 2022: Jackson 2.14 Release Candidate 3 (2.14.0-rc3) released; 2.14.0 itself soon to be released!
* Sep 3, 2022: Jackson 2.13.4 patch released
* Sep 30, 2021: Jackson 2.13.0 (new stable) released
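
Review bot: The new "What is New?" entry points readers to "Document/Reports", but the README has no section by that name; the link this commit adds sits under "## Documentation" in the "### Reports" subsection. Suggest wording it "see Documentation / Reports", or linking the audit PDF directly from this entry so the announcement does not depend on readers locating the right heading.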
Expand Down Expand Up @@ -271,6 +271,16 @@ mailing address. Note that filing an issue to go with report is fine, but if you
DO NOT include details of security problem in the issue but only in email contact.
This is important to give us time to provide a patch, if necessary, for the problem.

### Note on reporting Bugs

Jackson bugs need to be reported against component they affect: for this reason, issue tracker
is not enabled for this project.
If you are unsure which specific project issue affects, the most likely component
is `jackson-databind`, so you would use
[Jackson Databind Issue Tracker](https://github.com/FasterXML/jackson-databind/issues).

For suggestions and new ideas, try [Jackson Future Ideas](../../../jackson-future-ideas)

## Documentation

### Web sites
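
Review bot: With "### Note on reporting Bugs" now placed directly after the vulnerability-reporting text, the section sends readers to the public jackson-databind issue tracker without saying that it applies to non-security bugs only. The preceding paragraph asks reporters not to include details of a security problem in an issue, so a reader skimming down could take the tracker link as the next step for a vulnerability. Suggest opening the moved section with one sentence stating that security problems follow the email process described above and that the tracker is for everything else.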
Expand Down Expand Up @@ -299,15 +309,11 @@ and more specific tutorials:

* [Java67 Javakcson CSV Tutorial](https://www.java67.com/2019/05/how-to-read-csv-file-in-java-using-jackson-library.html) (CSV)

### Note on reporting Bugs
### Reports

Jackson bugs need to be reported against component they affect: for this reason, issue tracker
is not enabled for this project.
If you are unsure which specific project issue affects, the most likely component
is `jackson-databind`, so you would use
[Jackson Databind Issue Tracker](https://github.com/FasterXML/jackson-databind/issues).
Following reports have been published about Jackson components

For suggestions and new ideas, try [Jackson Future Ideas](../../../jackson-future-ideas)
* [AdaLogics Jackson Security Audit (2022)](../../blob/master/docs/AdaLogics-Security-Audit-Jackson-2022.pdf) (jackson-core, jackson-databind)

### Java JSON library comparisons

10 changes: 9 additions & 1 deletion SECURITY.md
@@ -1,6 +1,6 @@
# Security Policy

Last Updated: 2022-09-20
Last Updated: 2022-11-02

This policy covers ALL Jackson projects/repos: some repos may have their own copy of this policy document.

Expand Down Expand Up @@ -32,3 +32,11 @@ To verify that any given Jackson artifact has been signed with a valid key, have
https://github.com/FasterXML/jackson/blob/master/KEYS

which lists all known valid keys in use.

## Related documents

There is a published security audit about 2 main Jackson components (`jackson-core`, `jackson-databind`):

* [AdaLogics Jackson Security Audit (2022)](../../blob/master/docs/AdaLogics-Security-Audit-Jackson-2022.pdf)

which documents a thorough investigation into Jackson design, implementation, as well as some security design suggestions for developers using Jackson libraries.
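
Review bot: The audit link in "## Related documents" uses the relative path `../../blob/master/docs/...`, while this same file states that some repos may have their own copy of the policy and references KEYS by absolute URL (`https://github.com/FasterXML/jackson/blob/master/KEYS`). A copy of SECURITY.md in another Jackson repo would resolve the relative path against that repo and miss the PDF. Suggest using the absolute github.com/FasterXML/jackson URL here, consistent with the KEYS reference. The closing sentence would also read more cleanly as "Jackson design and implementation, as well as ...".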
