OSTIF is proud to share the results of our security audit of five Jackson subprojects. Jackson-dataformats-binary, Jackson-dataformats-text, Jackson-dataformat-xml, Jackson-datatype-joda, and Jackson-datatypes-collections are open source subprojects that extend Jackson (described as “JSON for Java”) to additional data formats and data types. With the help of Ada Logics and the Sovereign Tech Fund, these subprojects are now more secure for users, and their maintainers have a clearer understanding of their future security needs.

All five subprojects of Jackson within the scope of this audit underwent manual auditing, a threat modeling process, and a fuzzing review that extended the existing fuzzing setup. Because each subproject has different functions, upstream dependencies, and parsing rules, each one was audited and reviewed individually so that its distinct attack surface and the attacker objectives that apply to it could be considered. The resulting report breaks down each subproject’s audit findings and fuzzers. Using manual and static review as well as fuzzing, Ada Logics identified a number of issues and produced recommendations for further security hardening.

Audit Results:

  • Developed threat models for each of the five modules
  • Added 1 new OSS-Fuzz project and extended 4 existing OSS-Fuzz projects
  • Created 26 new fuzzers for the Jackson projects
  • Performed manual auditing of each of the codebases
  • Found and reported 19 issues in Jackson projects
    • 4 of moderate security severity
  • Submitted patches for 14 of the issues found
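To give a sense of what one of the fuzzers counted above looks like in practice, here is an added illustration of a Jazzer-style harness for the XML module. It is written for this post and is not one of the audit’s 26 fuzzers nor code from the Jackson repositories; the class name and the choice to round-trip the parsed tree back through the mapper are assumptions of this example. The pattern is the same one OSS-Fuzz uses for Java projects: feed attacker-controlled bytes to the parser, swallow the exception type that means “malformed input was rejected correctly”, and let every other exception or error surface as a crash.

```java
// Added example for this post, not one of the audit's fuzzers: a Jazzer
// harness for jackson-dataformat-xml. OSS-Fuzz runs fuzzerTestOneInput
// repeatedly with mutated inputs.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class XmlMapperFuzzer {
    // One mapper for the whole campaign; constructing it is the costly part
    // and reusing it is what a real application does anyway.
    private static final XmlMapper MAPPER = new XmlMapper();

    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        String xml = data.consumeRemainingAsString();
        try {
            JsonNode tree = MAPPER.readTree(xml);
            // Round trip (assumption of this example): serialising what we
            // just parsed must not throw either, so the writer side is
            // exercised with whatever shape the reader produced.
            MAPPER.writeValueAsString(tree);
        } catch (JsonProcessingException expected) {
            // A parse error on malformed input is the documented behaviour,
            // not a finding. Anything else (StackOverflowError on deeply
            // nested input, NullPointerException, IllegalStateException, ...)
            // propagates out of this method and Jazzer records it as a crash
            // together with the reproducer input.
        }
    }
}
```

For the binary modules the same harness shape applies with the mapper swapped (for example a CBOR or Smile mapper), `data.consumeRemainingAsBytes()` in place of the string, and `IOException` as the expected exception type, since the byte-array `readTree` overload declares that instead. Narrowing the caught type to the documented parse exception is the important part: catching `Exception` broadly would hide exactly the crashes a fuzzer is there to find.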

Security audits produce more than quantitative results: they also produce documentation, insights, and recommendations that help project maintainers plan future security work alongside releases and life cycles. This holistic audit was part of the STF’s Bug Resilience Program, which aims to improve the security of open source infrastructure through contributions to FOSS projects, a bug and fix bounty program, and a code audit program.

Thank you to the individuals and groups that made this audit possible:

  • The maintainers and community around Jackson subprojects, and specifically Tatu Saloranta
  • Ada Logics: “Arthur” Sheung Chi Chan, Adam Korczynski, and David Korczynski
  • The Sovereign Tech Fund: Tara Tarakiyee, Adriana Groh, Fiona Krakenbürger, Paul Sharratt, and Powen Shiah

Read the Audit Report HERE

Everyone around the world depends on open source software being secure. If you’re interested in financially supporting this work, contact [email protected].