fix vulnerability CVE-2022-1471 by forcing snakeyaml 2.2

2024-01-04 09:10:20 +01:00 · 2024-01-04 09:10:20 +01:00 · 4c44f42b79
commit 4c44f42b79
parent 73f147c557
3 changed files with 37 additions and 2 deletions
--- a/build.gradle
+++ b/build.gradle
@ -50,8 +50,6 @@ ext {
    set('testcontainersVersion', "1.17.3")
 }

-// wrapper
-
 dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
    implementation 'org.springframework.boot:spring-boot-starter-data-rest'
@ -71,6 +69,17 @@ dependencies {
    implementation 'org.iban4j:iban4j:3.2.7-RELEASE'
    implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.3.0'

+    // fixes vulnerability CVE-2022-1471
+    // The dependency usually comes from Spring Boot, just in the wrong version.
+    // TODO: Remove this explicit dependency once we are on SpringBoot 3.2.x
+    // as well as the related exclude in settings.gradle
+    // and the dependency suppression in owasp-dependency-check-suppression.xml.
+    implementation('org.yaml:snakeyaml') {
+        version {
+            strictly('2.2')
+        }
+    }
+
    compileOnly 'org.projectlombok:lombok'
    testCompileOnly 'org.projectlombok:lombok'

--- a/etc/owasp-dependency-check-suppression.xml
+++ b/etc/owasp-dependency-check-suppression.xml
@ -49,4 +49,13 @@
        <packageUrl regex="true">^pkg:maven/org\.pitest/pitest\-command\-line@.*$</packageUrl>
        <cpe>cpe:/a:line:line</cpe>
    </suppress>
+    <suppress>
+        <notes><![CDATA[
+            We've explicitly bumped to 2.2, but the dependency checker does not seem to notice that.
+            TODO: Remove this suppression once we are on SpringBoot 3.2,
+            as well as the explicit version bump and the transient dependency exclude.
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+        <cve>CVE-2022-1471</cve>
+    </suppress>
 </suppressions>
--- a/settings.gradle
+++ b/settings.gradle
@ -7,4 +7,21 @@ pluginManagement {
    }
 }

+dependencyResolutionManagement {
+    components {
+        all {
+            allVariants {
+                withDependencies {
+                    removeAll {
+                        // TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x
+                        // as well as the related explicit dependency in build.gradle
+                        // and the dependency suppression in owasp-dependency-check-suppression.xml.
+                        it.module in [ 'snakeyaml' ]
+                    }
+                }
+            }
+        }
+    }
+}
+
 rootProject.name = 'hsadmin-ng'