amendments according to code review

This commit is contained in:
Michael Hoennig 2024-01-05 11:07:34 +01:00
parent 07dbc45c80
commit 1f49970e66
3 changed files with 14 additions and 4 deletions


@ -208,7 +208,6 @@ dependencyCheck {
apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties
delay = 16000 delay = 16000
} }
// cveValidForHours = 4
format = 'ALL' format = 'ALL'
suppressionFile = 'etc/owasp-dependency-check-suppression.xml' suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
failOnError = true failOnError = true


@ -51,7 +51,11 @@
</suppress> </suppress>
<suppress> <suppress>
<notes><![CDATA[ <notes><![CDATA[
We've explicitly bumped to 2.2, but the dependency checker does not seem to notice that. Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
which contains this vulnerability.
We've explicitly bumped to 2.2, but the vulnerability checker does not seem to notice that.
TODO: Remove this suppression once we are on SpringBoot 3.2, TODO: Remove this suppression once we are on SpringBoot 3.2,
as well as the explicit version bump and the transient dependency exclude. as well as the explicit version bump and the transient dependency exclude.
]]></notes> ]]></notes>
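Review bot: The `<suppress>` entry in this hunk relies on a TODO comment to be retired, while Dependency-Check can enforce that itself with an expiry attribute, e.g. `<suppress until="2024-06-30">`, after which the finding resurfaces automatically instead of staying silenced indefinitely. The `<cve>`/`<packageUrl>` children of this entry are outside the hunk, so I cannot tell how narrowly it is scoped; it should be limited to the snakeyaml package URL (ideally with a version range) and the specific CVE rather than a broad match. The rationale in the notes deserves a check as well: if `gradle dependencies` shows snakeyaml 2.2 being resolved, the report is a CPE-matching false positive and the note should say so, but if the old version (cited as "1.3", presumably 1.33) is still resolved in some configuration, the suppression is hiding a real vulnerable artifact. Also, "transient dependency" should read "transitive dependency" in the note text.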


@ -13,8 +13,15 @@ dependencyResolutionManagement {
allVariants { allVariants {
withDependencies { withDependencies {
removeAll { removeAll {
// TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x // Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
// as well as the related explicit dependency in build.gradle // which contains a severe vulnerability.
// Here we remove this transient dependency and in build.gradle
// we add an explicit dependency to snakeyaml 2.2,
// which does not have this vulnerability anymore.
//
// TODO: Check Once we are on SpringBoot 3.2.x, check if this exclude
// is still neccessary. If not:
// Remove it // as well as the related explicit dependency in build.gradle
// and the dependency suppression in owasp-dependency-check-suppression.xml. // and the dependency suppression in owasp-dependency-check-suppression.xml.
it.module in [ 'snakeyaml' ] it.module in [ 'snakeyaml' ]
} }
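Review bot: The new comment block has wording defects: `transient` should be `transitive` on its first line, `neccessary` should be `necessary`, and `// TODO: Check Once we are on SpringBoot 3.2.x, check if this exclude` has a stray `Check`; I would write `// TODO: Once we are on Spring Boot 3.2.x, check whether this exclude`. Beyond wording, stripping the transitive edge here and pinning 2.2 in build.gradle means later Spring Boot BOM upgrades will no longer move snakeyaml, so the pin itself becomes a source of stale dependencies if the TODO is missed; if the build uses Spring Boot's dependency-management plugin, overriding the managed version with `ext['snakeyaml.version'] = '2.2'` in build.gradle achieves the bump without a component metadata rule and stops mattering once the BOM catches up. The match `it.module in [ 'snakeyaml' ]` is by module name only; qualifying it with the group (`it.group == 'org.yaml' && it.module == 'snakeyaml'`) keeps the rule from removing an unrelated artifact that happens to share the name. The enclosing `dependencyResolutionManagement` block begins before the hunk.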