From 1f49970e66e2b83a176673327195015c56c8895f Mon Sep 17 00:00:00 2001
From: Michael Hoennig
Date: Fri, 5 Jan 2024 11:07:34 +0100
Subject: [PATCH] amendmends according to code review

---
 build.gradle | 1 -
 etc/owasp-dependency-check-suppression.xml | 6 +++++-
 settings.gradle | 11 +++++++++--
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index 968b80d1..b43f22e1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -208,7 +208,6 @@ dependencyCheck {
 apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties
 delay = 16000
 }
- // cveValidForHours = 4
 format = 'ALL'
 suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
 failOnError = true
diff --git a/etc/owasp-dependency-check-suppression.xml b/etc/owasp-dependency-check-suppression.xml
index cdb329d5..39d77b47 100644
--- a/etc/owasp-dependency-check-suppression.xml
+++ b/etc/owasp-dependency-check-suppression.xml
@@ -51,7 +51,11 @@
diff --git a/settings.gradle b/settings.gradle
index d437063a..2423c63e 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -13,8 +13,15 @@ dependencyResolutionManagement {
 allVariants {
 withDependencies {
 removeAll {
- // TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x
- // as well as the related explicit dependency in build.gradle
+ // Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
+ // which contains a severe vulnerability.
+ // Here we remove this transient dependency and in build.gradle
+ // we add an explicit dependency to snakeyaml 2.2,
+ // which does not have this vulnerability anymore.
+ //
+ // TODO: Check Once we are on SpringBoot 3.2.x, check if this exclude
+ // is still neccessary. If not:
+ // Remove it // as well as the related explicit dependency in build.gradle
 // and the dependency suppression in owasp-dependency-check-suppression.xml.
 it.module in [ 'snakeyaml' ]
 }
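Review bot: The new comment in the settings.gradle hunk gives the vulnerable version as `snakeyaml 1.3` and describes the problem only as "a severe vulnerability", which is too imprecise for a rationale that also backs a scanner suppression: as far as I know Spring Boot 3.1.x manages snakeyaml 1.33, so `1.3` reads as a typo, and the issue should be named by CVE so the exclude and the suppression can later be checked against it. I would change the first two added lines to `// Spring Boot 3.1.x has a transitive dependency on snakeyaml 1.33 (verify against the Spring Boot BOM),` / `// which is affected by CVE-2022-1471 (presumably the finding suppressed in etc/owasp-dependency-check-suppression.xml).` The TODO also has a duplicated phrase and a spelling error and would read better as `// TODO: Once we are on Spring Boot 3.2.x, check whether this exclude is still necessary; if not, remove it`. The `removeAll` closure and the enclosing `dependencyResolutionManagement` block start and end outside the hunk, and the suppression-file hunk body is not visible in this view, so I cannot confirm which CVE the suppression entry actually references.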