Moved snakeyaml version from providers to service layer

Deepa Kumari requested to merge az/MS-39194-fix-snakeyaml into master

Snakeyaml vulnerabilities still exist in the service pom as well as the core pom. Below is the output before the changes in this MR:

[INFO] org.opengroup.osdu.wd:well-delivery-service:pom:0.27.0-SNAPSHOT
[INFO] \- org.springdoc:springdoc-openapi-ui:jar:1.7.0:compile
[INFO]    \- org.springdoc:springdoc-openapi-webmvc-core:jar:1.7.0:compile
[INFO]       \- org.springdoc:springdoc-openapi-common:jar:1.7.0:compile
[INFO]          \- io.swagger.core.v3:swagger-core:jar:2.2.9:compile
[INFO]             \- org.yaml:snakeyaml:jar:1.30:compile
[INFO]
[INFO] --------------< org.opengroup.osdu.wd:well-delivery-core >--------------
[INFO] Building well-delivery-core 0.27.0-SNAPSHOT                        [2/6]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-core ---
[INFO] org.opengroup.osdu.wd:well-delivery-core:jar:0.27.0-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.7.18:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.7.18:compile
[INFO]       \- org.yaml:snakeyaml:jar:1.30:compile
[INFO]
[INFO] ---------< org.opengroup.osdu.wd:well-delivery-service-azure >----------
[INFO] Building well-delivery-service-azure 0.27.0-SNAPSHOT               [3/6]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-service-azure ---
[INFO] org.opengroup.osdu.wd:well-delivery-service-azure:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.0:compile
[INFO]
[INFO] -----------< org.opengroup.osdu.wd:well-delivery-service-gc >-----------
[INFO] Building well-delivery-service-gc 0.27.0-SNAPSHOT                  [4/6]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-service-gc ---
[INFO] org.opengroup.osdu.wd:well-delivery-service-gc:jar:0.27.0-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.7.18:test
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.7.18:compile
[INFO]       \- org.yaml:snakeyaml:jar:1.30:compile
[INFO]
[INFO] ----------< org.opengroup.osdu.wd:well-delivery-service-aws >-----------
[INFO] Building well-delivery-service-aws 0.27.0-SNAPSHOT                 [5/6]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-service-aws ---
[INFO] org.opengroup.osdu.wd:well-delivery-service-aws:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.0:compile
[INFO]
[INFO] ----------< org.opengroup.osdu.wd:well-delivery-service-ibm >-----------
[INFO] Building well-delivery-service-ibm 0.27.0-SNAPSHOT                 [6/6]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-service-ibm ---
[INFO] org.opengroup.osdu.wd:well-delivery-service-ibm:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:1.33:compile

Whether inherited or direct, dependency versions are different for each provider. So, added the dependency in the service and inherited it in the providers.

After the changes, below is the version present:

[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-service ---
[INFO] org.opengroup.osdu.wd:well-delivery-service:pom:0.27.0-SNAPSHOT
[INFO] \- org.springdoc:springdoc-openapi-ui:jar:1.7.0:compile
[INFO]    \- org.springdoc:springdoc-openapi-webmvc-core:jar:1.7.0:compile
[INFO]       \- org.springdoc:springdoc-openapi-common:jar:1.7.0:compile
[INFO]          \- io.swagger.core.v3:swagger-core:jar:2.2.9:compile
[INFO]             \- org.yaml:snakeyaml:jar:2.2:compile
[INFO]
[INFO] --------------< org.opengroup.osdu.wd:well-delivery-core >--------------
[INFO] Building well-delivery-core 0.27.0-SNAPSHOT                        [2/6]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-core ---
[INFO] org.opengroup.osdu.wd:well-delivery-core:jar:0.27.0-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.7.18:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.7.18:compile
[INFO]       \- org.yaml:snakeyaml:jar:2.2:compile
[INFO]
[INFO] ---------< org.opengroup.osdu.wd:well-delivery-service-azure >----------
[INFO] Building well-delivery-service-azure 0.27.0-SNAPSHOT               [3/6]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-service-azure ---
[INFO] org.opengroup.osdu.wd:well-delivery-service-azure:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.2:compile
[INFO]
[INFO] -----------< org.opengroup.osdu.wd:well-delivery-service-gc >-----------
[INFO] Building well-delivery-service-gc 0.27.0-SNAPSHOT                  [4/6]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-service-gc ---
[INFO] org.opengroup.osdu.wd:well-delivery-service-gc:jar:0.27.0-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.7.18:test
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.7.18:compile
[INFO]       \- org.yaml:snakeyaml:jar:2.2:compile
[INFO]
[INFO] ----------< org.opengroup.osdu.wd:well-delivery-service-aws >-----------
[INFO] Building well-delivery-service-aws 0.27.0-SNAPSHOT                 [5/6]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-service-aws ---
[INFO] org.opengroup.osdu.wd:well-delivery-service-aws:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.2:compile
[INFO]
[INFO] ----------< org.opengroup.osdu.wd:well-delivery-service-ibm >-----------
[INFO] Building well-delivery-service-ibm 0.27.0-SNAPSHOT                 [6/6]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] org.opengroup.osdu.wd:well-delivery-service-ibm:jar:0.27.0-SNAPSHOT
Edited by Deepa Kumari
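
A CI-side check for the version drift shown in the two listings above, as an added example that is not part of the merge request or the project's code: it parses `mvn dependency:tree` output and reports, per module, whether `org.yaml:snakeyaml` resolves to at least the pinned version. The names `audit` and `failing`, the status strings and the mixed sample are constructed here; the pin of 2.2 is the version from the "after" listing.

```python
import re

# Constructed sample mixing lines in the shape of the listings above.
SAMPLE = r"""[INFO] org.opengroup.osdu.wd:well-delivery-core:jar:0.27.0-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.7.18:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:2.7.18:compile
[INFO]       \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ well-delivery-service-azure ---
[INFO] org.opengroup.osdu.wd:well-delivery-service-azure:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.0:compile
[INFO] org.opengroup.osdu.wd:well-delivery-service-aws:jar:0.27.0-SNAPSHOT
[INFO] \- org.yaml:snakeyaml:jar:2.2:compile
[INFO] org.opengroup.osdu.wd:well-delivery-service-ibm:jar:0.27.0-SNAPSHOT
"""

# A module root is a bare group:artifact:packaging:version line (no tree prefix).
# Keying on it, not on the plugin banner, also handles modules whose banner is missing.
ROOT = re.compile(r"^[\w.\-]+:([\w.\-]+):\w+:[\w.\-]+$")
DEP = re.compile(r"org\.yaml:snakeyaml:jar:([\w.\-]+):(\w+)$")  # ...:version:scope

def as_tuple(version):
    """'1.30' -> (1, 30), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def audit(tree_output, pinned="2.2"):
    """Return {module: 'ok:<v>' | 'below-pin:<v>' | 'not-seen'}."""
    report, module = {}, None
    for raw in tree_output.splitlines():
        line = raw.replace("[INFO]", "", 1).strip()
        root = ROOT.match(line)
        if root:
            module = root.group(1)
            report.setdefault(module, "not-seen")  # unverified until a dep line appears
            continue
        dep = DEP.search(line)
        if dep and module:
            version = dep.group(1)
            if as_tuple(version) < as_tuple(pinned):
                report[module] = "below-pin:" + version
            elif report[module] == "not-seen":
                report[module] = "ok:" + version
    return report

def failing(report):
    """Modules a pipeline should block on: outdated or never confirmed."""
    return sorted(m for m, status in report.items() if not status.startswith("ok:"))

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

A module reported as `not-seen` had no snakeyaml line in its tree, as with the truncated last module in the "after" listing, so its resolved version is unconfirmed rather than passing.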