
update dependencies starting with jakarta.el #1484

Merged (15 commits), Oct 7, 2022

Conversation

@macfarla (Contributor) commented Sep 5, 2022

Signed-off-by: Sally MacFarlane macfarla.github@gmail.com

Addresses CVE-2021-28170

  • update jakarta-el version

Addresses CVE-2022-38752

Updates jackson-databind to 2.14.0-rc1 to address CVE-2022-42003

Documentation

  • I thought about documentation and added the doc-change-required label to this PR if updates are required.

Changelog

  • I thought about adding a changelog entry, and added one if I deemed necessary.

Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com>
…itive dependency
@macfarla (Contributor, Author) commented Sep 7, 2022

this is a new (unrelated) CVE since yesterday

One or more dependencies were identified with known vulnerabilities in tessera-dist:

snakeyaml-1.31.jar (pkg:maven/org.yaml/snakeyaml@1.31, cpe:2.3:a:snakeyaml_project:snakeyaml:1.31:*:*:*:*:*:*:*, cpe:2.3:a:yaml_project:yaml:1.31:*:*:*:*:*:*:*) : CVE-2022-38752

@macfarla (Contributor, Author) commented Sep 7, 2022

this required #1487 to be resolved for security advisories build step to pass

@macfarla (Contributor, Author) commented Oct 5, 2022

Still with snakeyaml 1.33

One or more dependencies were identified with known vulnerabilities in tessera-dist:

snakeyaml-1.33.jar (pkg:maven/org.yaml/snakeyaml@1.33, cpe:2.3:a:snakeyaml_project:snakeyaml:1.33:*:*:*:*:*:*:*, cpe:2.3:a:yaml_project:yaml:1.33:*:*:*:*:*:*:*) : CVE-2022-38752

@macfarla (Contributor, Author) commented Oct 6, 2022

I added a suppression for the snakeyaml 1.33 CVE, since the NIST page (https://nvd.nist.gov/vuln/detail/CVE-2022-38752) says it excludes snakeyaml 1.32.
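The suppression mentioned above, as an added example that is not the project's own file. The page does not name the scanner; the "One or more dependencies were identified with known vulnerabilities" output matches OWASP dependency-check, so this assumes that tool and its suppression schema, and the `until` date is a placeholder. The point is to scope the suppression to the exact package and CVE and to give it an expiry, so it cannot silently hide a different finding or outlive the reason it was added.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (assumes OWASP dependency-check suppression schema 1.3); not the project's file. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Scoped suppression: one package, one version, one CVE, with an expiry.
         The notes record the justification so the next reviewer can re-check it. -->
    <suppress until="2023-01-31Z"> <!-- placeholder expiry: re-evaluate at release -->
        <notes><![CDATA[
        False positive: CVE-2022-38752 is listed by NVD as affecting snakeyaml
        before 1.32 (see https://nvd.nist.gov/vuln/detail/CVE-2022-38752);
        the forced version is 1.33. Remove once the scanner's data is corrected.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1\.33$</packageUrl>
        <cve>CVE-2022-38752</cve>
    </suppress>

    <!-- Avoid this shape: no version pin, no CVE, no expiry. It would also hide
         any future snakeyaml advisory, which is the class of finding this PR is fixing. -->
    <!--
    <suppress>
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
        <cvssBelow>10</cvssBelow>
    </suppress>
    -->

</suppressions>
```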

@@ -4,7 +4,7 @@ plugins {

configurations.all {
resolutionStrategy {
force 'org.yaml:snakeyaml:1.31', 'com.fasterxml.jackson.core:jackson-databind:2.13.3'
force 'org.yaml:snakeyaml:1.33', 'com.fasterxml.jackson.core:jackson-databind:2.14.0-rc1'
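Review bot: the replacement `force` line pins `com.fasterxml.jackson.core:jackson-databind` to `2.14.0-rc1`, a release candidate, for every configuration; the PR description ties this to CVE-2022-42003, so the reason a pre-release is needed rather than a fixed 2.13.x patch release should be recorded next to the pin or in the changelog, with a follow-up to move to the final 2.14.0 once published. Note also that `force` inside `resolutionStrategy` overrides every transitive version constraint, so a dependency that later requires a newer snakeyaml than 1.33 will still be resolved to 1.33; the pin needs periodic review so it does not end up holding back a future security fix.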
Contributor (review comment on the diff): Are the rc versions explicitly required?


@mark-terry (Contributor) left a review: LGTM.

@macfarla macfarla changed the title update version of jakarta.el update dependencies starting with jakarta.el Oct 6, 2022
@macfarla macfarla merged commit 9fc23cc into Consensys:master Oct 7, 2022
@Krish1979 Krish1979 added the dependencies Pull requests that update a dependency file label Nov 8, 2022
@macfarla macfarla deleted the uprev-jakarta-el branch November 14, 2022 07:26
Labels
22.10.0 dependencies Pull requests that update a dependency file