
Set Snakeyaml to 1.33 in parent pom #16382

Merged: merged 1 commit into keycloak:main from stianst:update-snakeyaml on Jan 12, 2023

Conversation

stianst
Contributor

@stianst stianst commented Jan 11, 2023

We actually have 6 different versions of Snakeyaml throughout:

 - 1.33 [LATEST] (from org.keycloak:keycloak-quarkus-server)
 - 1.32 (from com.openshift:openshift-restclient-java)
 - 1.29 (from com.github.ua-parser:uap-java)
 - 1.27 (from org.springframework.boot:spring-boot-starter:2.4.13)
 - 1.26 (from com.github.ua-parser:uap-java)
 - 1.19 (from org.springframework.boot:spring-boot-starter:2.0.5)

This sets the version in the parent pom to align everything to one version.

Closes #15339

@abstractj
Contributor

abstractj commented Jan 11, 2023

@stianst +1 about those changes. But I believe we need to think together about efficient ways to ban some 3rd party dependencies, like @pedroigor suggested with https://maven.apache.org/enforcer/enforcer-rules/bannedDependencies.html.

For example, updating SnakeYAML to 1.33 will solve a couple of CVEs, on the other hand release 1.33 already has a new CVE (https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471) but maintainers didn't provide a new release.

More details:
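The two mechanisms discussed above, pinning a single Snakeyaml version in the parent pom so every module resolves the same artifact, and the Maven Enforcer `bannedDependencies` rule that fails the build if an older version still arrives transitively, as one added configuration example. This is not Keycloak's own pom; the execution id and the plugin-version placeholder are assumptions, and `org.yaml:snakeyaml` are Snakeyaml's Maven coordinates.

```xml
<!-- Added example, not Keycloak's parent pom.
     Place both fragments in the parent pom so all modules inherit them. -->
<project>
  <properties>
    <!-- Single source of truth for the Snakeyaml version used by every module. -->
    <snakeyaml.version>1.33</snakeyaml.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Managed version: any module (or transitive path) that pulls in
           org.yaml:snakeyaml resolves to this version instead of the six
           versions listed in the pull request. -->
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>${snakeyaml.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <!-- Placeholder: pin the real plugin version in pluginManagement. -->
        <version>ENFORCER_PLUGIN_VERSION</version>
        <executions>
          <execution>
            <!-- Execution id is an assumption; any unique id works. -->
            <id>ban-old-snakeyaml</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Version range [,1.33) bans every release below 1.33,
                       including transitive ones (searchTransitive defaults
                       to true), so a new dependency that drags in 1.26 or
                       1.19 fails the build instead of silently regressing. -->
                  <excludes>
                    <exclude>org.yaml:snakeyaml:[,1.33)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm the alignment took effect before relying on the enforcer, `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` lists every path through which Snakeyaml is resolved and the version each path now uses; after the managed version is applied, all of them should show 1.33. Note that the managed version only changes which artifact is resolved; it does not remove a module's declared dependency on a library that itself expects an older Snakeyaml, which is why the enforcer rule is a useful second check.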

@stianst
Contributor Author

stianst commented Jan 11, 2023

@abstractj I agree with the banning of dependencies, but that's certainly a follow-up and not something to cover in this issue

Contributor

@abstractj abstractj left a comment

LGTM

@stianst stianst merged commit 0319e0f into keycloak:main Jan 12, 2023
stianst added a commit to stianst/keycloak that referenced this pull request Jan 12, 2023
vmuzikar pushed a commit that referenced this pull request Jan 12, 2023
@stianst stianst deleted the update-snakeyaml branch February 8, 2023 08:31
Successfully merging this pull request may close these issues.

snakeyaml vulnerability GHSA-3mc7-4q67-w48m impacting CLI