The Twistlock scanner used at Nationwide has reported that the jar file net.minidev_json-smart from our ESP docker image has a critical vulnerability. It looks like moving from version 2.3 to 2.3.1 will resolve the issue. Two questions. Should we just patch it ourselves? Does Broadcom feel it would break anything moving to the newer version?
It is the image we use to install an ESP agent on Kubernetes pods.
Release: 12.0
Component: Workload Automation System Agent
json-smart.jar is used only by the appservice webservice plugin.
If you do not use or enable this plugin, you can remove json-smart.jar manually.
That should not cause any issue.
Otherwise, you can update the jar, but you must update the jars it depends on as well.
net.minidev:json-smart depends on net.minidev:accessors-smart.
Both jars can be updated to version 2.3.1.
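As an added example (not part of the Broadcom article), the following Python check confirms that an agent lib directory carries json-smart and accessors-smart at consistent, patched versions, which is the condition a rescan needs after either the update or a partial one. Because the agent ships the jar as json-smart.jar with no version in its filename, the version is read from the pom.properties that Maven-built jars embed; the lib directory and its stub jars are constructed stand-ins, not the real agent files.

```python
import os
import re
import tempfile
import zipfile

MIN_VERSION = (2, 3, 1)  # version the article gives as resolving the finding
REQUIRED = ("json-smart", "accessors-smart")  # net.minidev jars that must move together

def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) for tuple comparison; qualifiers are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def jar_versions(lib_dir):
    """Map artifactId -> version from each jar's META-INF/maven/.../pom.properties."""
    found = {}
    for name in (n for n in os.listdir(lib_dir) if n.endswith(".jar")):
        with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
            for entry in jar.namelist():
                if entry.startswith("META-INF/maven/") and entry.endswith("pom.properties"):
                    props = dict(l.split("=", 1) for l in jar.read(entry).decode().splitlines() if "=" in l)
                    found[props["artifactId"].strip()] = props["version"].strip()
    return found

def check_json_smart(lib_dir):
    """Return a list of problems; empty means both jars are patched and consistent."""
    versions = jar_versions(lib_dir)
    problems = []
    for artifact in REQUIRED:
        if artifact not in versions:
            problems.append(f"{artifact} not present")
        elif parse_version(versions[artifact]) < MIN_VERSION:
            problems.append(f"{artifact} is {versions[artifact]}, below 2.3.1")
    present = sorted({versions[a] for a in REQUIRED if a in versions})
    if len(present) > 1:
        problems.append("json-smart and accessors-smart versions differ: " + ", ".join(present))
    return problems

def check_sample(versions):
    """Constructed lib dir of stub jars (pom.properties only, versionless names); run the check."""
    with tempfile.TemporaryDirectory() as lib:  # stand-in for the agent's lib directory
        for artifact, version in versions.items():
            with zipfile.ZipFile(os.path.join(lib, f"{artifact}.jar"), "w") as jar:
                jar.writestr(f"META-INF/maven/net.minidev/{artifact}/pom.properties",
                             f"version={version}\ngroupId=net.minidev\nartifactId={artifact}\n")
        return check_json_smart(lib)

if __name__ == "__main__":
    # json-smart patched but its dependency left behind: the check reports both problems
    print(check_sample({"json-smart": "2.3.1", "accessors-smart": "1.2"}))
```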