upgrading snakeyaml to version 1.31

Anoop Chitreddy

Sep 7, 2022, 9:51:33 PM
to WildFly
Hi, 

We are currently using wildfly-26.1.1.Final built using the wildfly feature pack. Recently we received a warning from our dependency check tool indicating that org.yaml.snakeyaml-1.18.jar is triggering a High severity CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-25857

Would we be safe to upgrade snakeyaml to version 1.31? I am asking this question because the module file for snakeyaml in wildfly is marking it as a private dependency.
------------------------------------------------------------------------------------------------------------------------
<module name="org.yaml.snakeyaml" xmlns="urn:jboss:module:1.9">

    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <resources>
        <resource-root path="snakeyaml-1.26.jar"/>
    </resources>

    <dependencies>
        <module name="java.desktop"/>
        <module name="java.logging"/>
        <!--WFLY-14219 Remove deprecated <module name="javax.api"/> -->
    </dependencies>
</module>
------------------------------------------------------------------------------------------------------------------------
 

Appreciate your help.

Anoop 

Emmanuel Hugonnet

Sep 8, 2022, 6:42:10 AM
to Anoop Chitreddy, WildFly
Hello,
You shouldn't be affected if you are not using this module as it is only used locally.
Anyway, you can upgrade if you want/need.
Emmanuel
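
A way to check which snakeyaml jar a module descriptor actually loads, as an added example that is not part of the thread or of WildFly's own code. The function name `audit_module` and its result fields are hypothetical, the embedded XML is the descriptor quoted in the question, and the 1.31 threshold is the target version the question names.

```python
import re
import xml.etree.ElementTree as ET

# Module descriptor as quoted in the thread, embedded so the example runs offline.
MODULE_XML = """<module name="org.yaml.snakeyaml" xmlns="urn:jboss:module:1.9">
    <properties>
        <property name="jboss.api" value="private"/>
    </properties>
    <resources>
        <resource-root path="snakeyaml-1.26.jar"/>
    </resources>
    <dependencies>
        <module name="java.desktop"/>
        <module name="java.logging"/>
        <!--WFLY-14219 Remove deprecated <module name="javax.api"/> -->
    </dependencies>
</module>"""

MIN_VERSION = (1, 31)  # assumption: the upgrade target named in the thread


def local(tag):
    """Strip the XML namespace so any urn:jboss:module:1.x schema matches."""
    return tag.rsplit("}", 1)[-1]


def audit_module(xml_text, artifact="snakeyaml", minimum=MIN_VERSION):
    """Return one finding per bundled jar of `artifact` in a module.xml."""
    root = ET.fromstring(xml_text)
    # jboss.api=private marks the module as not intended for direct use by deployments.
    api = next((e.get("value") for e in root.iter()
                if local(e.tag) == "property" and e.get("name") == "jboss.api"), None)
    # Accept plain versions (1.26) and suffixed ones (1.31.0.Final-x).
    jar_re = re.compile(rf"{re.escape(artifact)}-(\d+(?:\.\d+)*)(?:[.-].*)?\.jar")
    findings = []
    for e in root.iter():
        m = jar_re.fullmatch(e.get("path", "")) if local(e.tag) == "resource-root" else None
        if not m:
            continue
        version = tuple(int(p) for p in m.group(1).split("."))
        findings.append({"module": root.get("name"), "jar": e.get("path"),
                         "version": version, "jboss_api": api,
                         "needs_upgrade": version < minimum})
    return findings


if __name__ == "__main__":
    for finding in audit_module(MODULE_XML):
        print(finding)
```
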