Dependency org.yaml:snakeyaml, leading to CVE problem

[CVEDetect]

Hi, In */renren-common，there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is ** [0,1.31)**

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
io.renren.common.utils.ConvertUtils: sourceToTarget(java.util.Collection,java.lang.Class)Ljava.util.List; /.m2/repository/org/springframework/data/spring-data-keyvalue/2.7.1/spring-data-keyvalue-2.7.1.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; /.m2/repository/org/springframework/data/spring-data-keyvalue/2.7.1/spring-data-keyvalue-2.7.1.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; /.m2/repository/org/springframework/data/spring-data-keyvalue/2.7.1/spring-data-keyvalue-2.7.1.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/org/springframework/data/spring-data-keyvalue/2.7.1/spring-data-keyvalue-2.7.1.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.dy:renren-common:jar:5.0.0
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:2.2:test
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.7.1:test
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.1:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.7.1:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.1:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.7.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.4.8:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:2.4.8:test
[INFO] |  |        \- org.ow2.asm:asm:jar:9.1:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO] |  +- org.assertj:assertj-core:jar:3.22.0:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO] |  |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO] |  |  |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO] |  +- org.mockito:mockito-core:jar:4.5.1:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.12.11:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.11:test
[INFO] |  |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] |  +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-core:jar:5.3.21:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.21:compile
[INFO] |  +- org.springframework:spring-test:jar:5.3.21:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.9.0:test
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.7.1:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.3:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.3:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.1:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.64:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.64:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.21:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.21:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.3.21:compile
[INFO] +- org.springframework.boot:spring-boot-starter-aop:jar:2.7.1:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.3.21:compile
[INFO] |  \- org.aspectj:aspectjweaver:jar:1.9.7:compile
[INFO] +- org.springframework.boot:spring-boot-starter-validation:jar:2.7.1:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.64:compile
[INFO] |  \- org.hibernate.validator:hibernate-validator:jar:6.2.3.Final:compile
[INFO] |     +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |     +- org.jboss.logging:jboss-logging:jar:3.4.3.Final:compile
[INFO] |     \- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] +- org.springframework:spring-context-support:jar:5.3.21:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.21:compile
[INFO] |  \- org.springframework:spring-context:jar:5.3.21:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-redis:jar:2.7.1:compile
[INFO] |  +- org.springframework.data:spring-data-redis:jar:2.7.1:compile
[INFO] |  |  +- org.springframework.data:spring-data-keyvalue:jar:2.7.1:compile
[INFO] |  |  |  \- org.springframework.data:spring-data-commons:jar:2.7.1:compile
[INFO] |  |  +- org.springframework:spring-tx:jar:5.3.21:compile
[INFO] |  |  \- org.springframework:spring-oxm:jar:5.3.21:compile
[INFO] |  \- io.lettuce:lettuce-core:jar:6.1.8.RELEASE:compile
[INFO] |     +- io.netty:netty-common:jar:4.1.78.Final:compile
[INFO] |     +- io.netty:netty-handler:jar:4.1.78.Final:compile
[INFO] |     |  +- io.netty:netty-resolver:jar:4.1.78.Final:compile
[INFO] |     |  +- io.netty:netty-buffer:jar:4.1.78.Final:compile
[INFO] |     |  +- io.netty:netty-transport-native-unix-common:jar:4.1.78.Final:compile
[INFO] |     |  \- io.netty:netty-codec:jar:4.1.78.Final:compile
[INFO] |     +- io.netty:netty-transport:jar:4.1.78.Final:compile
[INFO] |     \- io.projectreactor:reactor-core:jar:3.4.19:compile
[INFO] |        \- org.reactivestreams:reactive-streams:jar:1.0.4:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.7.1:compile
[INFO] +- redis.clients:jedis:jar:4.2.2:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] |  +- org.apache.commons:commons-pool2:jar:2.11.1:compile
[INFO] |  \- org.json:json:jar:20211205:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.29:compile
[INFO] +- com.oracle:ojdbc6:jar:11.2.0.3:compile
[INFO] +- com.microsoft.sqlserver:sqljdbc4:jar:4.0:compile
[INFO] +- org.postgresql:postgresql:jar:42.3.6:compile
[INFO] |  \- org.checkerframework:checker-qual:jar:3.5.0:runtime
[INFO] +- com.alibaba:druid-spring-boot-starter:jar:1.2.11:compile
[INFO] |  +- com.alibaba:druid:jar:1.2.11:compile
[INFO] |  \- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.1:compile
[INFO] +- com.baomidou:mybatis-plus-boot-starter:jar:3.5.2:compile
[INFO] |  +- com.baomidou:mybatis-plus:jar:3.5.2:compile
[INFO] |  |  +- com.baomidou:mybatis-plus-extension:jar:3.5.2:compile
[INFO] |  |  |  +- com.baomidou:mybatis-plus-core:jar:3.5.2:compile
[INFO] |  |  |  |  +- com.baomidou:mybatis-plus-annotation:jar:3.5.2:compile
[INFO] |  |  |  |  +- com.github.jsqlparser:jsqlparser:jar:4.4:compile
[INFO] |  |  |  |  \- org.mybatis:mybatis:jar:3.5.10:compile
[INFO] |  |  |  \- org.mybatis:mybatis-spring:jar:2.0.7:compile
[INFO] |  |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.6.21:compile
[INFO] |  |     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.6.21:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-jdbc:jar:2.7.1:compile
[INFO] |     +- com.zaxxer:HikariCP:jar:4.0.3:compile
[INFO] |     \- org.springframework:spring-jdbc:jar:5.3.21:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] +- commons-codec:commons-codec:jar:1.15:compile
[INFO] +- com.google.guava:guava:jar:20.0:compile
[INFO] +- joda-time:joda-time:jar:2.10.14:compile
[INFO] +- com.google.code.gson:gson:jar:2.9.0:compile
[INFO] +- cn.hutool:hutool-all:jar:5.7.22:compile
[INFO] +- org.jsoup:jsoup:jar:1.11.3:compile
[INFO] +- com.github.xiaoymin:knife4j-spring-boot-starter:jar:2.0.9:compile
[INFO] |  +- com.github.xiaoymin:knife4j-spring-boot-autoconfigure:jar:2.0.9:compile
[INFO] |  |  \- com.github.xiaoymin:knife4j-spring:jar:2.0.9:compile
[INFO] |  |     +- com.github.xiaoymin:knife4j-annotations:jar:2.0.9:compile
[INFO] |  |     +- com.github.xiaoymin:knife4j-core:jar:2.0.9:compile
[INFO] |  |     +- org.javassist:javassist:jar:3.25.0-GA:compile
[INFO] |  |     +- io.swagger:swagger-models:jar:1.5.22:compile
[INFO] |  |     |  \- io.swagger:swagger-annotations:jar:1.5.22:compile
[INFO] |  |     +- io.springfox:springfox-swagger2:jar:2.10.5:compile
[INFO] |  |     |  +- io.springfox:springfox-spi:jar:2.10.5:compile
[INFO] |  |     |  |  \- io.springfox:springfox-core:jar:2.10.5:compile
[INFO] |  |     |  +- io.springfox:springfox-schema:jar:2.10.5:compile
[INFO] |  |     |  +- io.springfox:springfox-swagger-common:jar:2.10.5:compile
[INFO] |  |     |  +- io.springfox:springfox-spring-web:jar:2.10.5:compile
[INFO] |  |     |  |  \- io.github.classgraph:classgraph:jar:4.1.7:compile
[INFO] |  |     |  +- org.springframework.plugin:spring-plugin-core:jar:2.0.0.RELEASE:compile
[INFO] |  |     |  +- org.springframework.plugin:spring-plugin-metadata:jar:2.0.0.RELEASE:compile
[INFO] |  |     |  \- org.mapstruct:mapstruct:jar:1.3.1.Final:compile
[INFO] |  |     +- io.springfox:springfox-bean-validators:jar:2.10.5:compile
[INFO] |  |     \- io.springfox:springfox-spring-webmvc:jar:2.10.5:compile
[INFO] |  \- com.github.xiaoymin:knife4j-spring-ui:jar:2.0.9:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.24:compile
[INFO] +- io.minio:minio:jar:8.3.7:compile
[INFO] |  +- com.carrotsearch.thirdparty:simple-xml-safe:jar:2.7.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.69:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.21:compile
[INFO] |  \- org.xerial.snappy:snappy-java:jar:1.1.8.4:compile
[INFO] +- com.squareup.okhttp3:okhttp:jar:4.9.3:compile
[INFO] |  +- com.squareup.okio:okio:jar:2.8.0:compile
[INFO] |  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.6.21:compile
[INFO] |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.21:compile
[INFO] |     \- org.jetbrains:annotations:jar:13.0:compile
[INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO] +- com.alibaba:fastjson:jar:2.0.12:compile
[INFO] |  \- com.alibaba.fastjson2:fastjson2-extension:jar:2.0.12:compile
[INFO] |     \- com.alibaba.fastjson2:fastjson2:jar:2.0.12:compile
[INFO] \- com.github.binarywang:weixin-java-miniapp:jar:4.4.1.B:compile
[INFO]    +- com.github.binarywang:weixin-java-common:jar:4.4.1.B:compile
[INFO]    |  +- com.thoughtworks.xstream:xstream:jar:1.4.19:compile
[INFO]    |  |  \- io.github.x-stream:mxparser:jar:1.2.2:compile
[INFO]    |  |     \- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO]    |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO]    |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO]    |  +- org.apache.httpcomponents:httpmime:jar:4.5.13:compile
[INFO]    |  +- org.slf4j:jcl-over-slf4j:jar:1.7.36:compile
[INFO]    |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO]    |  \- org.dom4j:dom4j:jar:2.1.3:compile
[INFO]    \- org.bouncycastle:bcpkix-jdk15on:jar:1.68:compile

Suggested solutions:

Update dependency version

Thank you very much.