hostsharing/hs.hsadmin.ng
6
0
Fork 0
Code Pull Requests 2 Activity

amendmends according to code review

Browse Source
This commit is contained in:
Michael Hoennig 2024-01-05 11:07:34 +01:00
parent 07dbc45c80
commit 1f49970e66
3 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
build.gradle
View File

@ -208,7 +208,6 @@ dependencyCheck {
apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties
delay = 16000
}
// cveValidForHours = 4
format = 'ALL'
suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
failOnError = true

6
etc/owasp-dependency-check-suppression.xml
View File

@ -51,7 +51,11 @@
</suppress>
<suppress>
<notes><![CDATA[
We've explicitly bumped to 2.2, but the dependency checker does not seem to notice that.
Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
which contains this vulnerability.
We've explicitly bumped to 2.2, but the vulnerability checker does not seem to notice that.
TODO: Remove this suppression once we are on SpringBoot 3.2,
as well as the explicit version bump and the transient dependency exclude.
]]></notes>

11
settings.gradle
View File

@ -13,8 +13,15 @@ dependencyResolutionManagement {
allVariants {
withDependencies {
removeAll {
// TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x
// as well as the related explicit dependency in build.gradle
// Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
// which contains a severe vulnerability.
// Here we remove this transient dependency and in build.gradle
// we add an explicit dependency to snakeyaml 2.2,
// which does not have this vulnerability anymore.
//
// TODO: Check Once we are on SpringBoot 3.2.x, check if this exclude
// is still neccessary. If not:
// Remove it // as well as the related explicit dependency in build.gradle
// and the dependency suppression in owasp-dependency-check-suppression.xml.
it.module in [ 'snakeyaml' ]
}