Hi Jeffrey, The dependencyUpdate task in the build is already flagging that dependency as needing updating. We are prompted by dependabot for some of our dependencies and others we check before doing a new release. So, there is no action needed but feel free to create a Jira task if you want better visibility (details on https://groovy.apache.org/).
If you use a build system rather than groovy-binary, you can manually select updated Jackson or SnakeYAML dependencies with the current releases. If you are using groovy-binary but aren't parsing untrusted yaml source files, you can ignore the CVE flag as a false positive since it doesn't affect you. If you are using groovy-binary and are parsing untrusted yaml source files directly yourself, and you have turned on SnakeYAML security features yourself, you can ignore the CVE flag as a false positive since it doesn't affect you.

Cheers, Paul.

On Tue, Apr 25, 2023 at 7:47 AM Jeffrey Adamson via dev <dev@groovy.apache.org> wrote:
> Similar to several historical issues, I would like to bring attention to
> the recent release of Jackson 2.15.0. It addresses a SnakeYAML update for
> CVE-2022-1471.
>
> In particular, I am currently using groovy-binary 3.0.17 and have a static
> analysis tool which is flagging that artifact with that CVE. Is there a
> preferred method for requesting this dependency be updated from 2.14.2 to
> 2.15.0?
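The "SnakeYAML security features" Paul refers to, for code that parses untrusted YAML directly, come down to loading with `SafeConstructor` instead of the default full `Constructor`. The Groovy script below is an added example, not code from this thread or from the Groovy project; the SnakeYAML version it pins and the sample document are assumptions, and it assumes the 1.x behaviour where `new Yaml()` will instantiate classes named by `!!` tags.

```groovy
// Added example (not from the thread or the Groovy project).
// Assumed: a SnakeYAML 1.x line where the default Yaml() uses the full
// Constructor, which instantiates JVM classes named by global (!!) tags.
@Grab('org.yaml:snakeyaml:1.33')
import org.yaml.snakeyaml.LoaderOptions
import org.yaml.snakeyaml.Yaml
import org.yaml.snakeyaml.constructor.SafeConstructor
import org.yaml.snakeyaml.error.YAMLException

// Constructed sample "untrusted" document: the !! tag asks the loader to
// build a JVM object of the named class (a harmless one for the demo).
String untrusted = '''
name: release-config
created: !!java.util.Date 2023-04-25
'''

// Weak setting: the default loader honours the tag and instantiates
// whatever class the document names, which is the root of CVE-2022-1471.
def weak = new Yaml()
def loose = weak.load(untrusted)
println "default Yaml() built: ${loose.created.getClass().name}"

// Hardened setting: SafeConstructor only knows the standard YAML types
// (maps, sequences, scalars), so any unknown global tag is rejected.
def safe = new Yaml(new SafeConstructor(new LoaderOptions()))
try {
    safe.load(untrusted)
    println 'unexpected: SafeConstructor accepted the tag'
} catch (YAMLException e) {
    println "SafeConstructor rejected the document: ${e.class.simpleName}"
}

// The hardened loader still handles plain, tag-free YAML as usual.
def plain = safe.load('name: release-config\nversion: 3.0.17\n')
assert plain.name == 'release-config'
assert plain.version == '3.0.17'
```

Run it once with the default loader and once with `SafeConstructor` on the same document to see the difference the scanner's finding actually hinges on.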