diff --git a/build.gradle b/build.gradle
index 7f024d77..47dae2ac 100644
--- a/build.gradle
+++ b/build.gradle
@@ -50,8 +50,6 @@ ext {
set('testcontainersVersion', "1.17.3")
}
-// wrapper
-
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
implementation 'org.springframework.boot:spring-boot-starter-data-rest'
@@ -71,6 +69,17 @@ dependencies {
implementation 'org.iban4j:iban4j:3.2.7-RELEASE'
implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.3.0'
+ // fixes vulnerability CVE-2022-1471
+ // The dependency usually comes from Spring Boot, just in the wrong version.
+ // TODO: Remove this explicit dependency once we are on SpringBoot 3.2.x
+ // as well as the related exclude in settings.gradle
+ // and the dependency suppression in owasp-dependency-check-suppression.xml.
+ implementation('org.yaml:snakeyaml') {
+ version {
+ strictly('2.2')
+ }
+ }
+
compileOnly 'org.projectlombok:lombok'
testCompileOnly 'org.projectlombok:lombok'
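Review bot: The pin `strictly('2.2')` is the only version literal in the dependencies block, while the surrounding `ext` block (visible at the top of the first hunk) keeps versions as properties such as `testcontainersVersion`; `set('snakeyamlVersion', '2.2')` in `ext` and `strictly(snakeyamlVersion)` here would keep the override findable when the TODO is acted on. The reason is only in a comment, so `gradle dependencyInsight` will not show why the version is forced; adding `because 'CVE-2022-1471: forced until Spring Boot 3.2.x ships a fixed snakeyaml'` inside the dependency closure records it in the resolution result. Note that `strictly` fails resolution if any other dependency still requests a different snakeyaml version, which presumably only works because the settings.gradle rule in this commit strips the transitive edges; the comment could say so explicitly.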
diff --git a/etc/owasp-dependency-check-suppression.xml b/etc/owasp-dependency-check-suppression.xml
index f04711a8..cdb329d5 100644
--- a/etc/owasp-dependency-check-suppression.xml
+++ b/etc/owasp-dependency-check-suppression.xml
@@ -49,4 +49,13 @@
^pkg:maven/org\.pitest/pitest\-command\-line@.*$
cpe:/a:line:line
+
+
+ ^pkg:maven/org\.yaml/snakeyaml@.*$
+ CVE-2022-1471
+
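Review bot: The packageUrl pattern `^pkg:maven/org\.yaml/snakeyaml@.*$` suppresses CVE-2022-1471 for every snakeyaml version, not just the 2.2 pinned in build.gradle, so if the strict pin or the settings.gradle rule is later dropped and a vulnerable version comes back, the scanner would stay silent. Narrowing it to the pinned version, `^pkg:maven/org\.yaml/snakeyaml@2\.2$`, or adding an expiry on the suppress element (dependency-check supports an `until="YYYY-MM-DD"` attribute) keeps the suppression tied to the state it was written for. The element tags appear to have been lost in this view of the hunk, so I cannot confirm which attributes the suppress entry already carries.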
diff --git a/settings.gradle b/settings.gradle
index 8c454c71..d437063a 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -7,4 +7,21 @@ pluginManagement {
}
}
+dependencyResolutionManagement {
+ components {
+ all {
+ allVariants {
+ withDependencies {
+ removeAll {
+ // TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x
+ // as well as the related explicit dependency in build.gradle
+ // and the dependency suppression in owasp-dependency-check-suppression.xml.
+ it.module in [ 'snakeyaml' ]
+ }
+ }
+ }
+ }
+ }
+}
+
rootProject.name = 'hsadmin-ng'
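Review bot: The predicate `it.module in [ 'snakeyaml' ]` matches on module name alone and the rule is registered for `components.all`, so any dependency named `snakeyaml` from any group would be removed from every component's variants, not only `org.yaml:snakeyaml` coming from Spring Boot. Matching on both coordinates, `it.group == 'org.yaml' && it.name == 'snakeyaml'`, limits the rule to the intended artifact; I would also confirm that `it.module` yields the plain name here rather than a module identifier, since `DependencyMetadata` exposes `getGroup()`/`getName()` and a mismatch would make the removal a silent no-op. Since the comment only references the other two places to clean up, adding why the removal is needed at all (`// strictly('2.2') in build.gradle would otherwise conflict with the version Spring Boot requests`) would make the three-part workaround understandable from this file.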