Merge pull request #574 from hmcts/PAY-6328
PAY-6328: Fix CVE-2022-1471
davejones74 authored May 3, 2024
2 parents 8423793 + 9857ee4 commit 056d190
Showing 3 changed files with 6 additions and 32 deletions.
2 changes: 1 addition & 1 deletion api/build.gradle
@@ -83,7 +83,7 @@ dependencies {
exclude(module: 'commons-logging')
exclude(module: 'slf4j-simple')
}
implementation group: 'org.liquibase', name: 'liquibase-core', version: '4.23.1'
implementation group: 'org.liquibase', name: 'liquibase-core'
implementation group: 'com.github.hmcts.java-logging', name: 'logging-appinsights', version: javaLoggingVersion
implementation group: 'net.logstash.logback', name: 'logstash-logback-encoder', version:'5.0'
implementation group: 'org.springframework.boot', name: 'spring-boot-devtools'
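Review bot: With the explicit `version: '4.23.1'` dropped from the `liquibase-core` declaration, this file no longer states which Liquibase version the API module builds against; resolution now depends entirely on the `det.useVersion '4.27.0'` rule in cve-resolution-strategy.gradle. A one-line comment beside the declaration pointing at that rule would save the next reader a search, and it makes clear that removing the resolution rule later would leave this dependency without any version at all.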
6 changes: 5 additions & 1 deletion cve-resolution-strategy.gradle
@@ -63,9 +63,13 @@ configurations.all {
det.useVersion '42.7.3'
}

if (det.requested.name == 'liquibase-core') {
det.useVersion '4.27.0'
}

/* CVE-2017-18640, CVE-2022-41854 */
if(det.requested.name == 'snakeyaml'){
det.useVersion '1.32'
det.useVersion '2.2'
}

/*
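Review bot: The new `liquibase-core` rule has no CVE comment, unlike the neighbouring rules (`/* CVE-2017-18640, CVE-2022-41854 */`), and the snakeyaml comment still lists only the two older CVEs even though the bump from 1.32 to 2.2 is what resolves CVE-2022-1471 from this PR's title (and the DoS CVEs whose suppressions this commit removes). Suggest adding `/* CVE-2022-0839 */` above the liquibase rule and extending the snakeyaml comment with CVE-2022-1471 so the strategy file stays self-documenting. Also note that 1.32 to 2.2 is a major-version change for snakeyaml, so any code in the repository that instantiates `Yaml` or `Constructor` directly should be checked against the 2.x API before this is merged.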
30 changes: 0 additions & 30 deletions dependency-check-suppressions.xml
@@ -41,11 +41,6 @@
<cve>CVE-2020-23171</cve>
</suppress>

<suppress>
<notes>Major liquibase update to version 4.8.0+ needed, this will require code refactoring</notes>
<cve>CVE-2022-0839</cve>
</suppress>

<suppress>
<notes>jackson-databind issue, upgrading to new version broke functional tests.</notes>
<cve>CVE-2020-36518</cve>
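Review bot: Removing the CVE-2022-0839 suppression is consistent with forcing `liquibase-core` to 4.27.0 elsewhere in this commit, but the note being deleted said the 4.8.0+ upgrade "will require code refactoring" and this commit contains no source changes; please confirm the functional tests that exercise the Liquibase changelogs were run against 4.27.0 so the suppression is not being removed ahead of a working upgrade.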
@@ -136,26 +131,6 @@
<cve>CVE-2020-0187</cve>
</suppress>

<suppress>
<notes>
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing
to nested depth limitation for collections.
</notes>
<cve>CVE-2022-25857</cve>
<cve>CVE-2022-38749</cve>
<cve>CVE-2022-38750</cve>
<cve>CVE-2022-38751</cve>
</suppress>

<suppress>
<notes>
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the
parser is running on user supplied input, an attacker may supply content that causes the parser to crash by
stack-overflow.
</notes>
<cve>CVE-2022-38752</cve>
</suppress>

<suppress>
<notes>
In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection
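Review bot: Dropping the snakeyaml DoS suppressions (CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751 and CVE-2022-38752) is the right outcome of pinning snakeyaml to 2.2, since their notes describe versions before 1.31. Worth re-running dependency-check after this change rather than relying on the pin alone: the `configurations.all` rule only rewrites requests whose name is `snakeyaml`, so a copy bundled inside some other artifact would not be touched by it and would still be reported.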
@@ -258,11 +233,6 @@
<notes>commons-fileupload</notes>
<cve>CVE-2023-24998</cve>
</suppress>
<suppress>
<notes>SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
</notes>
<cve>CVE-2022-1471</cve>
</suppress>
<suppress>
<notes>Tomcat-embed-core and websocket suppressed to fix appinsights issue
</notes>
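Review bot: Deleting the CVE-2022-1471 suppression matches the PR title, and the note being removed ("Constructor() class does not restrict types which can be instantiated during deserialization") describes exactly the behaviour the 2.x line changes. If application code anywhere calls `new Yaml(new Constructor(...))` directly, that call site deserves a look in this same PR, since the version bump changes the library but not an explicit constructor choice made in application code.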
