We have the ehcache-2.10.6.jar in our dependencies. It contains the com.jackson.databind package, which has been marked as vulnerable by Trivy. No ehcache version has a non-vulnerable com.jackson.databind.
How can we shade or repackage the jar so that it no longer contains the com.jackson.databind package?
Shading or exclusion doesn't help:

    shadowJar {
        zip64 true
        dependencies {
            // Exclude the resolved jackson-databind artifact from the shadow jar
            exclude(dependency("com.fasterxml.jackson.core:jackson-databind:2.9.6"))
        }
        // Move any remaining jackson classes into a shaded package
        relocate 'com.fasterxml.jackson', 'shadow.com.fasterxml.jackson'
    }
Instead of excluding that package, use the line below to resolve the vulnerability:

    group: 'net.sf.ehcache.internal', name: 'ehcache-core', version: '2.10.6'

Repository URL: https://repo.terracotta.org/maven2/
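A way to verify which jars actually bundle jackson-databind classes inside them (the reason a Gradle dependency exclusion has no effect on a fat jar), as an added example that is not code from the question or the answer. The sample jars are constructed in memory and are not the real ehcache artifacts; the prefix and pom.properties path are assumptions about how a repackaged copy normally appears.

```python
import io
import zipfile
from pathlib import Path
from typing import Dict, Optional

# Class-file prefix of the package the scanner (Trivy, in the question) flags.
JACKSON_DATABIND = "com/fasterxml/jackson/databind/"
# Path where Maven-built jars carry the embedded copy's version (assumed layout).
DATABIND_POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/"


def scan_jar(jar_bytes: bytes, package_prefix: str = JACKSON_DATABIND) -> Dict[str, object]:
    """Report whether a jar carries .class files under package_prefix and which version it declares.

    A fat/uber jar that repackages jackson-databind ships the classes directly, so Gradle's
    exclude(dependency(...)) cannot remove them: exclusion only drops separately resolved artifacts.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        classes = [n for n in names if n.startswith(package_prefix) and n.endswith(".class")]
        version: Optional[str] = None
        for n in names:
            if n.startswith(DATABIND_POM_PROPS) and n.endswith("pom.properties"):
                for line in zf.read(n).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    return {"bundles_package": bool(classes), "class_count": len(classes), "embedded_version": version}


def scan_directory(directory: Path, package_prefix: str = JACKSON_DATABIND) -> Dict[str, Dict[str, object]]:
    """Scan every *.jar in a directory (e.g. the resolved classpath) and report per jar."""
    return {p.name: scan_jar(p.read_bytes(), package_prefix) for p in sorted(directory.glob("*.jar"))}


def build_sample_jar(with_databind: bool) -> bytes:
    """Constructed sample jar: a cache library with or without an embedded jackson-databind copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("net/sf/ehcache/Cache.class", b"\xca\xfe\xba\xbe")  # placeholder class bytes
        if with_databind:
            zf.writestr(JACKSON_DATABIND + "ObjectMapper.class", b"\xca\xfe\xba\xbe")
            zf.writestr(DATABIND_POM_PROPS + "pom.properties", "version=2.9.6\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in (("fat-jar", build_sample_jar(True)), ("core-jar", build_sample_jar(False))):
        print(label, scan_jar(jar))
```

Run `scan_directory` over the directory of resolved jars to see which artifact actually carries the flagged classes before changing the build.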