CVE-2017-7525 is a Vulnerability in `jackson-databind`, not Apache Struts

[nuthanmunaiah]

Description

According to NVD, CVE-2017-7525 is a vulnerability in jackson-databind, not Apache Struts. The vulnerability was fixed in FasterXML/jackson-databind#1599. Apache Struts was merely modified in apache/struts@0d42ff5, apache/struts@941374e, and apache/struts@a2824b7 to upgrade to Jackson version 2.9.2.

Should CVE-2017-7525 be curated as a vulnerability in the Apache Struts project?

[beefstew]

During discussion with Andy and Nuthan, we agreed that "supply chain vulnerabilities" are a fundamentally different type than a VCC. Therefore, in this this example, VCC should be null.

Regarding supply chain vulnerability lifecycle:
Date of introduction is the point that a vulnerability is published, or a fix version becomes available, in the upstream project.