
Fix snakeyaml in service and core poms

Deepa Kumari requested to merge az/MS-38919-fix-snakeyaml into master

Snakeyaml vulnerabilities still exist in service pom as well as core pom. Below is the output before the changes in this MR:

[INFO] ------------------------------------------------------------------------
[INFO] ---------------------< org.opengroup.osdu:eds-dms >---------------------
[INFO] Building eds-dms 0.27.0-SNAPSHOT                                   [1/5]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms ---
[INFO] org.opengroup.osdu:eds-dms:pom:0.27.0-SNAPSHOT
[INFO] \- org.springdoc:springdoc-openapi-ui:jar:1.7.0:compile
[INFO]    \- org.springdoc:springdoc-openapi-webmvc-core:jar:1.7.0:compile
[INFO]       \- org.springdoc:springdoc-openapi-common:jar:1.7.0:compile
[INFO]          \- io.swagger.core.v3:swagger-core:jar:2.2.9:compile
[INFO]             \- org.yaml:snakeyaml:jar:1.30:compile
[INFO]
[INFO] ------------------< org.opengroup.osdu:eds-dms-core >-------------------
[INFO] Building eds-dms-core 0.27.0-SNAPSHOT                              [2/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms-core ---
[INFO] org.opengroup.osdu:eds-dms-core:jar:0.27.0-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.7.18:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.7.18:compile
[INFO]       \- org.yaml:snakeyaml:jar:1.30:compile
[INFO]
[INFO] -------------------< org.opengroup.osdu:eds-dms-aws >-------------------
[INFO] Building eds-dms-aws 0.27.0-SNAPSHOT                               [3/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms-aws ---
[INFO] org.opengroup.osdu:eds-dms-aws:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.0:compile
[INFO]
[INFO] ------------------< org.opengroup.osdu:eds-dms-azure >------------------
[INFO] Building eds-dms-azure 0.27.0-SNAPSHOT                             [4/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms-azure ---
[INFO] org.opengroup.osdu:eds-dms-azure:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.0:compile
[INFO]
[INFO] -------------------< org.opengroup.osdu:eds-dms-gc >--------------------
[INFO] Building eds-dms-gc 0.27.0-SNAPSHOT                                [5/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms-gc ---
[INFO] org.opengroup.osdu:eds-dms-gc:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.0:compile
[INFO] ------------------------------------------------------------------------

In order to fix the inherited dependencies, exclusions were added, and the versions that each module was using on its own have been brought up to the service layer for reuse.

In the process, upgraded os-core-common as well.

After the changes in this MR:

[INFO] ------------------------------------------------------------------------
[INFO] ---------------------< org.opengroup.osdu:eds-dms >---------------------
[INFO] Building eds-dms 0.27.0-SNAPSHOT                                   [1/5]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms ---
[INFO] org.opengroup.osdu:eds-dms:pom:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.2:compile
[INFO]
[INFO] ------------------< org.opengroup.osdu:eds-dms-core >-------------------
[INFO] Building eds-dms-core 0.27.0-SNAPSHOT                              [2/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms-core ---
[INFO] org.opengroup.osdu:eds-dms-core:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.2:compile
[INFO]
[INFO] -------------------< org.opengroup.osdu:eds-dms-aws >-------------------
[INFO] Building eds-dms-aws 0.27.0-SNAPSHOT                               [3/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms-aws ---
[INFO] org.opengroup.osdu:eds-dms-aws:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.2:compile
[INFO]
[INFO] ------------------< org.opengroup.osdu:eds-dms-azure >------------------
[INFO] Building eds-dms-azure 0.27.0-SNAPSHOT                             [4/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms-azure ---
[INFO] org.opengroup.osdu:eds-dms-azure:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.2:compile
[INFO]
[INFO] -------------------< org.opengroup.osdu:eds-dms-gc >--------------------
[INFO] Building eds-dms-gc 0.27.0-SNAPSHOT                                [5/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms-gc ---
[INFO] org.opengroup.osdu:eds-dms-gc:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for eds-dms 0.27.0-SNAPSHOT:
[INFO]
[INFO] ------------------------------------------------------------------------

Fixes #22, #24

Edited by Deepa Kumari
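A check that could gate CI on trees like the before/after output in this description, added here as an example and not part of the merge request or the project's code: it parses `mvn dependency:tree` output, reports which snakeyaml version each module resolves and through which parents, and flags anything below a minimum. The function name `audit`, the default minimum of 2.2 (the version the after-tree converges on) and the sample input are assumptions.

```python
import re

HEADER = re.compile(r"--- maven-dependency-plugin:\S+:tree .*@ (\S+) ---")
# Each tree level is a 3-character prefix: "|  ", "   ", "+- " or "\- ".
NODE = re.compile(r"^\[INFO\] ((?:[| ] {2}|[+\\]- )*)(\S+)$")

# Constructed sample in the format of the dependency:tree output above.
SAMPLE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms-core ---
[INFO] org.opengroup.osdu:eds-dms-core:jar:0.27.0-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.7.18:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.7.18:compile
[INFO]       \- org.yaml:snakeyaml:jar:1.30:compile
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ eds-dms-aws ---
[INFO] org.opengroup.osdu:eds-dms-aws:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.2:compile
"""


def audit(tree_text, artifact="org.yaml:snakeyaml", minimum=(2, 2)):
    """Return one finding per occurrence of `artifact` in the tree output."""
    findings, module, stack = [], None, []
    for line in tree_text.splitlines():
        header = HEADER.search(line)
        if header:  # a new reactor module starts; reset the parent chain
            module, stack = header.group(1), []
            continue
        node = NODE.match(line.rstrip())
        parts = node.group(2).split(":") if node else []
        if len(parts) < 4:  # separators and other non-coordinate lines
            continue
        depth = len(node.group(1)) // 3
        del stack[depth:]
        stack.append(":".join(parts[:2]))
        if stack[-1] != artifact:
            continue
        # group:artifact:type[:classifier]:version:scope (the root has no scope)
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        numeric = tuple(int(n) for n in re.findall(r"\d+", version))
        findings.append({
            "module": module,
            "version": version,
            "via": stack[1:-1],  # parents that pull it in; empty if direct
            "ok": numeric >= minimum,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        status = "ok" if f["ok"] else "BELOW MINIMUM"
        print(f["module"], f["version"], status, " > ".join(f["via"]) or "direct")
```

The `via` list names the parents to which an exclusion would apply when a module still resolves an older version transitively.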
