fix vulnerability CVE-2022-1471 by forcing snakeyaml 2.2
This commit is contained in:
parent
73f147c557
commit
4c44f42b79
13
build.gradle
13
build.gradle
@ -50,8 +50,6 @@ ext {
|
|||||||
set('testcontainersVersion', "1.17.3")
|
set('testcontainersVersion', "1.17.3")
|
||||||
}
|
}
|
||||||
|
|
||||||
// wrapper
|
|
||||||
|
|
||||||
dependencies {
|
dependencies {
|
||||||
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
|
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
|
||||||
implementation 'org.springframework.boot:spring-boot-starter-data-rest'
|
implementation 'org.springframework.boot:spring-boot-starter-data-rest'
|
||||||
@ -71,6 +69,17 @@ dependencies {
|
|||||||
implementation 'org.iban4j:iban4j:3.2.7-RELEASE'
|
implementation 'org.iban4j:iban4j:3.2.7-RELEASE'
|
||||||
implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.3.0'
|
implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.3.0'
|
||||||
|
|
||||||
|
// fixes vulnerability CVE-2022-1471
|
||||||
|
// The dependency usually comes from Spring Boot, just in the wrong version.
|
||||||
|
// TODO: Remove this explicit dependency once we are on SpringBoot 3.2.x
|
||||||
|
// as well as the related exclude in settings.gradle
|
||||||
|
// and the dependency suppression in owasp-dependency-check-suppression.xml.
|
||||||
|
implementation('org.yaml:snakeyaml') {
|
||||||
|
version {
|
||||||
|
strictly('2.2')
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
compileOnly 'org.projectlombok:lombok'
|
compileOnly 'org.projectlombok:lombok'
|
||||||
testCompileOnly 'org.projectlombok:lombok'
|
testCompileOnly 'org.projectlombok:lombok'
|
||||||
|
|
||||||
|
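Review bot: The exact `strictly('2.2')` pin in the new snakeyaml block means a later 2.x patch release can only be adopted by editing this file, and the comment above it never says why 2.x is required, so the next reader has to look the CVE up. A floor that still blocks 1.x while allowing patches is `strictly('[2.2, 3.0[')` together with `prefer('2.2')`, and the comment could carry `// CVE-2022-1471 is fixed from SnakeYAML 2.0 on; a 1.x artifact must never resolve here.`. Note that this constraint only works together with the `removeAll { it.module in [ 'snakeyaml' ] }` rule added in settings.gradle, which strips the Spring Boot managed 1.x declaration first; on its own a strict pin could conflict with the Boot BOM's version, which is presumably why both were added, and that coupling is worth one sentence in the comment. The enclosing `dependencies` block continues outside the hunk.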
@ -49,4 +49,13 @@
|
|||||||
<packageUrl regex="true">^pkg:maven/org\.pitest/pitest\-command\-line@.*$</packageUrl>
|
<packageUrl regex="true">^pkg:maven/org\.pitest/pitest\-command\-line@.*$</packageUrl>
|
||||||
<cpe>cpe:/a:line:line</cpe>
|
<cpe>cpe:/a:line:line</cpe>
|
||||||
</suppress>
|
</suppress>
|
||||||
|
<suppress>
|
||||||
|
<notes><![CDATA[
|
||||||
|
We've explicitly bumped to 2.2, but the dependency checker does not seem to notice that.
|
||||||
|
TODO: Remove this suppression once we are on SpringBoot 3.2,
|
||||||
|
as well as the explicit version bump and the transient dependency exclude.
|
||||||
|
]]></notes>
|
||||||
|
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
|
||||||
|
<cve>CVE-2022-1471</cve>
|
||||||
|
</suppress>
|
||||||
</suppressions>
|
</suppressions>
|
||||||
|
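Review bot: The new suppression's `<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>` matches every snakeyaml version, so if the forced version ever drops back to 1.x (for example the explicit pin is removed during the Spring Boot 3.2 migration but this file is forgotten, or the settings.gradle exclusion stops matching) dependency-check will keep hiding CVE-2022-1471 instead of failing. Narrow it to the version the build actually forces, `^pkg:maven/org\.yaml/snakeyaml@2\.2$`, so the suppression becomes inert the moment the resolved version changes. Since the notes already carry a TODO, an expiry on the element, `<suppress until="YYYY-MM-DDZ">` (date to be chosen), would make the reminder resurface in the report automatically rather than relying on someone re-reading this file.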
@ -7,4 +7,21 @@ pluginManagement {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
dependencyResolutionManagement {
|
||||||
|
components {
|
||||||
|
all {
|
||||||
|
allVariants {
|
||||||
|
withDependencies {
|
||||||
|
removeAll {
|
||||||
|
// TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x
|
||||||
|
// as well as the related explicit dependency in build.gradle
|
||||||
|
// and the dependency suppression in owasp-dependency-check-suppression.xml.
|
||||||
|
it.module in [ 'snakeyaml' ]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
rootProject.name = 'hsadmin-ng'
|
rootProject.name = 'hsadmin-ng'
|
||||||
|
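Review bot: `it.module in [ 'snakeyaml' ]` in the new `removeAll` rule matches on module name only, so any artifact called `snakeyaml` from any group is stripped from every variant of every component; `it.group == 'org.yaml' && it.module == 'snakeyaml'` says exactly what is intended and the single-element list reads as if more modules were planned. The rule also removes the declaration from every transitive consumer, not only Spring Boot's, which means a library compiled against the 1.x API would now see 2.2 at runtime rather than failing at resolution time; SnakeYAML 2.0 did drop some 1.x constructors, so that risk is worth a sentence in the comment, e.g. `// Applies to ALL transitive consumers of snakeyaml, not only Spring Boot; they must be 2.x compatible.`. Whether any current dependency is affected cannot be told from this hunk.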