amendmends according to code review
This commit is contained in:
parent
07dbc45c80
commit
1f49970e66
@ -208,7 +208,6 @@ dependencyCheck {
|
|||||||
apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties
|
apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties
|
||||||
delay = 16000
|
delay = 16000
|
||||||
}
|
}
|
||||||
// cveValidForHours = 4
|
|
||||||
format = 'ALL'
|
format = 'ALL'
|
||||||
suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
|
suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
|
||||||
failOnError = true
|
failOnError = true
|
||||||
|
@ -51,7 +51,11 @@
|
|||||||
</suppress>
|
</suppress>
|
||||||
<suppress>
|
<suppress>
|
||||||
<notes><![CDATA[
|
<notes><![CDATA[
|
||||||
We've explicitly bumped to 2.2, but the dependency checker does not seem to notice that.
|
Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
|
||||||
|
which contains this vulnerability.
|
||||||
|
|
||||||
|
We've explicitly bumped to 2.2, but the vulnerability checker does not seem to notice that.
|
||||||
|
|
||||||
TODO: Remove this suppression once we are on SpringBoot 3.2,
|
TODO: Remove this suppression once we are on SpringBoot 3.2,
|
||||||
as well as the explicit version bump and the transient dependency exclude.
|
as well as the explicit version bump and the transient dependency exclude.
|
||||||
]]></notes>
|
]]></notes>
|
||||||
|
@ -13,8 +13,15 @@ dependencyResolutionManagement {
|
|||||||
allVariants {
|
allVariants {
|
||||||
withDependencies {
|
withDependencies {
|
||||||
removeAll {
|
removeAll {
|
||||||
// TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x
|
// Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
|
||||||
// as well as the related explicit dependency in build.gradle
|
// which contains a severe vulnerability.
|
||||||
|
// Here we remove this transient dependency and in build.gradle
|
||||||
|
// we add an explicit dependency to snakeyaml 2.2,
|
||||||
|
// which does not have this vulnerability anymore.
|
||||||
|
//
|
||||||
|
// TODO: Check Once we are on SpringBoot 3.2.x, check if this exclude
|
||||||
|
// is still neccessary. If not:
|
||||||
|
// Remove it // as well as the related explicit dependency in build.gradle
|
||||||
// and the dependency suppression in owasp-dependency-check-suppression.xml.
|
// and the dependency suppression in owasp-dependency-check-suppression.xml.
|
||||||
it.module in [ 'snakeyaml' ]
|
it.module in [ 'snakeyaml' ]
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user