update dependencies starting with jakarta.el #1484
Conversation
Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com>
…itive dependency Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com>
this is a new (unrelated) CVE since yesterday
this required #1487 to be resolved for security advisories build step to pass
Still with snakeyaml 1.33:
One or more dependencies were identified with known vulnerabilities in tessera-dist: snakeyaml-1.33.jar (pkg:maven/org.yaml/snakeyaml@1.33, cpe:2.3:a:snakeyaml_project:snakeyaml:1.33:::::::, cpe:2.3:a:yaml_project:yaml:1.33:::::::) : CVE-2022-38752
I added a suppression for the snakeyaml 1.33 CVE since the NIST page says https://nvd.nist.gov/vuln/detail/CVE-2022-38752 excluding snakeyaml 1.32
@@ -4,7 +4,7 @@ plugins { | |||
|
|||
configurations.all { | |||
resolutionStrategy { | |||
force 'org.yaml:snakeyaml:1.31', 'com.fasterxml.jackson.core:jackson-databind:2.13.3' | |||
force 'org.yaml:snakeyaml:1.33', 'com.fasterxml.jackson.core:jackson-databind:2.14.0-rc1' |
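Review bot: The changed force line pins jackson-databind to a release candidate (2.14.0-rc1) for every configuration, and nothing in the hunk records why or when the pin can go; add a comment above "force 'org.yaml:snakeyaml:1.33', 'com.fasterxml.jackson.core:jackson-databind:2.14.0-rc1'" naming the CVEs each pin addresses (the PR description lists CVE-2021-28170 and CVE-2022-38752 for snakeyaml and CVE-2022-42003 for jackson-databind) and stating that the rc should be replaced by the GA 2.14.0 once it is published, as the thread notes it has not been yet. Since the thread also reports that snakeyaml 1.33 is still flagged for CVE-2022-38752 and a scanner suppression was added for it, that suppression should cite the NVD affected-version range the comment refers to, so a later reviewer can confirm 1.33 is genuinely out of scope rather than silently muted.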
Are the rc versions explicitly required?
2.14.0 hasn't been released yet https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind
LGTM.
Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com>
Addresses CVE-2021-28170
Addresses CVE-2022-38752
Updates jackson-databind to 2.14.0-rc1 to address CVE-2022-42003
Documentation: add the doc-change-required label to this PR if updates are required.