From 4c44f42b793eaecb34de8c29e43c9a70512c5c04 Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Thu, 4 Jan 2024 09:10:20 +0100 Subject: [PATCH] fix vulnerability CVE-2022-1471 by forcing snakeyaml 2.2 --- build.gradle | 13 +++++++++++-- etc/owasp-dependency-check-suppression.xml | 9 +++++++++ settings.gradle | 17 +++++++++++++++++ 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 7f024d77..47dae2ac 100644 --- a/build.gradle +++ b/build.gradle @@ -50,8 +50,6 @@ ext { set('testcontainersVersion', "1.17.3") } -// wrapper - dependencies { implementation 'org.springframework.boot:spring-boot-starter-data-jpa' implementation 'org.springframework.boot:spring-boot-starter-data-rest' @@ -71,6 +69,17 @@ dependencies { implementation 'org.iban4j:iban4j:3.2.7-RELEASE' implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.3.0' + // fixes vulnerability CVE-2022-1471 + // The dependency usually comes from Spring Boot, just in the wrong version. + // TODO: Remove this explicit dependency once we are on SpringBoot 3.2.x + // as well as the related exclude in settings.gradle + // and the dependency suppression in owasp-dependency-check-suppression.xml. + implementation('org.yaml:snakeyaml') { + version { + strictly('2.2') + } + } + compileOnly 'org.projectlombok:lombok' testCompileOnly 'org.projectlombok:lombok' diff --git a/etc/owasp-dependency-check-suppression.xml b/etc/owasp-dependency-check-suppression.xml index f04711a8..cdb329d5 100644 --- a/etc/owasp-dependency-check-suppression.xml +++ b/etc/owasp-dependency-check-suppression.xml @@ -49,4 +49,13 @@ ^pkg:maven/org\.pitest/pitest\-command\-line@.*$ cpe:/a:line:line + + + ^pkg:maven/org\.yaml/snakeyaml@.*$ + CVE-2022-1471 + diff --git a/settings.gradle b/settings.gradle index 8c454c71..d437063a 100644 --- a/settings.gradle +++ b/settings.gradle 
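Review bot: `strictly('2.2')` pins an exact version, so a later snakeyaml patch release managed by the Spring Boot BOM or required by another dependency is rejected instead of adopted, and a strict-version conflict fails resolution rather than upgrading; since CVE-2022-1471 is fixed from 2.0 onwards, an exact pin blocks future security updates of the library until this line is edited. If the intent is "no vulnerable version", a strict range with a preference expresses that, e.g. `strictly('[2.2, 3.0)')` followed by `prefer('2.2')` inside the `version {}` block. Because the settings.gradle hunk of this commit also strips snakeyaml from every component's metadata, this declaration becomes the only source of the library for all configurations, which is worth stating in the comment above it. The dependencies block continues outside the hunk.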
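Review bot: The new suppression's packageUrl pattern `^pkg:maven/org\.yaml/snakeyaml@.*$` matches every snakeyaml version, so the scanner stays silent on CVE-2022-1471 even if the strict pin in build.gradle is later dropped and a vulnerable 1.x build returns through Spring Boot; anchoring it to the version this commit forces, `^pkg:maven/org\.yaml/snakeyaml@2\.2$`, keeps the finding alive for anything else. The TODO in build.gradle ties this entry to the Spring Boot 3.2.x upgrade, and the `until` attribute of `<suppress>` could turn that into an enforced expiry so the entry cannot be forgotten. The XML element tags of this hunk are not visible in the rendered text, so the element names are inferred from the surrounding entries.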
@@ -7,4 +7,21 @@ pluginManagement {
 }
 }
 
+dependencyResolutionManagement {
+ components {
+ all {
+ allVariants {
+ withDependencies {
+ removeAll {
+ // TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x
+ // as well as the related explicit dependency in build.gradle
+ // and the dependency suppression in owasp-dependency-check-suppression.xml.
+ it.module in [ 'snakeyaml' ]
+ }
+ }
+ }
+ }
+ }
+}
+
 rootProject.name = 'hsadmin-ng'
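Review bot: `it.module in [ 'snakeyaml' ]` filters on the module name only, so a dependency called snakeyaml from any group is removed, and because the rule is applied to `all` components and `allVariants`, every transitive edge to org.yaml:snakeyaml disappears silently instead of being resolved against the strict 2.2 declaration in build.gradle; `it.group == 'org.yaml' && it.module == 'snakeyaml'` narrows it to the intended artifact. Once the transitive edges are gone, a consumer that genuinely needs a different snakeyaml version can no longer surface a resolution conflict, so the explicit declaration in build.gradle is the only thing guaranteeing the library is on the classpath at all; the comment should say that the two must be removed together. The intent of the metadata rule would also be clearer with a short comment naming the vulnerable version range it is meant to keep out, rather than only the cleanup TODO.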