vulnerable dependency maven:org.yaml:snakeyaml

6

21

I am periodically checking vulnerabilities on my pom.xml and generally fix these problems by updating the dependency versions. However, I get the following error:

Provides transitive vulnerable dependency maven:org.yaml:snakeyaml:1.30 CVE-2022-25857 7.5 Uncontrolled Resource Consumption vulnerability pending CVSS allocation CVE-2022-38752 6.5 Out-of-bounds Write vulnerability with medium severity found CVE-2022-38749 6.5 Out-of-bounds Write vulnerability pending CVSS allocation CVE-2022-38750 5.5 Out-of-bounds Write vulnerability pending CVSS allocation CVE-2022-38751 6.5 Out-of-bounds Write vulnerability pending CVSS allocation CVE-2022-41854 6.5 Stack-based Buffer Overflow vulnerability with medium severity found CVE-2022-1471 9.8 Deserialization of Untrusted Data vulnerability with high severity found
Results powered by Checkmarx(c)

I try to add <version> to the <artifactId>spring-boot-starter-web</artifactId> in my pom.xml, but it does not make any sense.

So, how can I fix this problem properly? I use IntelliJ's default features to fix this kind of problem, but should I use any extra useful plugins etc.?

Hudgens answered 13/12, 2022 at 8:11 Comment(1)
Does this answer your question? upgrade to SnakeYaml 1.31 in spring-boot-starter-parent 2.7.3Wenona
21

Unfortunately, Spring Boot 2.7.x still uses an older, vulnerable version of SnakeYAML (1.30). They still have not upgraded it to the last version (1.33). Spring Boot 3.0.0 does depend on version 1.33.

Assuming you cannot upgrade to Spring Boot 3.0.0 yet, the only thing that should work is to add a dependency to SnakeYAML 1.33 in your project. That version should then take precedence over Spring Boot's transitive dependency.

However, SnakeYAML 1.33 still has a vulnerability. Since that is the last version (SnakeYAML 2.x is not compatible with 1.x), that's something you can't get rid of until the SnakeYAML team fixes that.

Edit: with SnakeYAML 2.x, I meant this one. SnakeYAML 1.33 recently had a follow-up 2.0 version which is a different one. Compatibility between 1.33 and 2.0 is still not 100%, but Spring Boot 2.7.10+ and Spring Boot 3.x should support both.

Sizing answered 13/12, 2022 at 8:24 Comment(6)
1. There is no <version> for <artifactId>spring-boot-starter-web</artifactId> by default I think. Then, should we use <version> tag and set? Or should we keep it empty so that it uses the last version? I am just asking for spring-boot-starter-web, normally I try to set version in case new versions may cause incompatibility problems.Hudgens
2. There were also some approaches by removing dependency and adding them on pom.xml. That was probably removing built-in dependencies and then adding them separately. Is it also a proper way for some vulnerability situations?Hudgens
1. The version for the starter probably comes from the parent you specified in your pom.xml, or otherwise from a dependency management section. You can leave that version out. For the SnakeYAML dependency you should set the version, as otherwise you'll still use the Spring Boot provided version.Sizing
2. you can exclude dependencies of your dependencies, but if you need those anyway, including them as separate dependencies is easier. Direct dependencies always take precedence over transitive dependencies.Sizing
The latest version has a vulnerability too (mvnrepository.com/artifact/org.yaml/snakeyaml) - I'll try to use 2.0 and see if it works with Spring Boot 3.0.4Predict
Spring Boot 2.7.10 now officially supports SnakeYAML 2.0: github.com/spring-projects/spring-boot/issues/34405Sizing
15

SnakeYAML 2.2 version is compatible with SpringBoot 3.1.3.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>2.2</version>
</dependency>

Copy and paste in your pom.xml and re-run your application.

Frodi answered 6/9, 2023 at 15:58 Comment(0)
11

Rob Spoor has already explained why; this warning can be eliminated by excluding dependencies:

<exclusions>
    <exclusion>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
    </exclusion>
</exclusions>

Add the above code to the corresponding <dependency> label.

Candlelight answered 6/1, 2023 at 4:39 Comment(2)
This dependency is not used by Spring Boot to parse application.yaml?Gigahertz
And we need to add implementation group: 'org.yaml', name: 'snakeyaml', version: '2.1'Royce
6

I had the same warning in Spring Boot 3.0.6. It was working properly, but it annoyed me a lot to see a huge yellow piece of code in pom.xml. I overcame this issue by adding exclusions to the code, as was mentioned above.

Code with the warning:

<dependency>
  <artifactId>spring-boot-starter-data-mongodb</artifactId>
  <groupId>org.springframework.boot</groupId>
</dependency>

This is the working solution:

<dependency>
  <artifactId>spring-boot-starter-data-mongodb</artifactId>
  <groupId>org.springframework.boot</groupId>
  <exclusions>
    <exclusion>
      <artifactId>snakeyaml</artifactId>
      <groupId>org.yaml</groupId>
    </exclusion>
  </exclusions>
</dependency>

Bobine answered 18/5, 2023 at 15:29 Comment(0)
5

You need to update the SnakeYAML version to 2.0. To do this, add the below code in pom.xml and re-run your application.

<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>2.0</version>
</dependency>

Straka answered 5/6, 2023 at 19:43 Comment(2)
2.0 isn't compatible with Spring Boot at least 3.1.0Dorothadorothea
Thanks Eljah, yes we need Spring Boot version 3.1.0 for this to work.Straka
2

When you have a Maven setup where spring-boot-starter-parent is your parent, you can also set the snakeyaml.version property to override its managed version:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>example.com</groupId>
    <artifactId>foo</artifactId>
    <version>1.13-SNAPSHOT</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.4</version>
        <relativePath />
    </parent>

    <properties>
        <snakeyaml.version>2.2</snakeyaml.version>
    </properties>
...

Tabby answered 21/10, 2023 at 15:21 Comment(0)
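The answers above describe three ways of steering the transitive SnakeYAML version: a direct dependency with an explicit version (Sizing's answer), an <exclusions> block on the starter (Candlelight's and Bobine's answers), and the snakeyaml.version property against spring-boot-starter-parent (Tabby's answer). The script below is an added example, not code from this thread or from the Spring Boot or SnakeYAML projects: it parses a pom.xml, reports which of those mechanisms are in place, and checks the pinned version against a minimum. The two sample poms are constructed for the example; the parent versions and the "2.0" minimum are illustrative values taken from the discussion.

```python
"""Check how a pom.xml pins the transitive org.yaml:snakeyaml dependency.
Added example (not code from this thread, Spring Boot or SnakeYAML). It applies
the Maven rules the answers rely on: a direct dependency with an explicit
version beats the starter's transitive one, <exclusions> drops it from that
starter, and a <snakeyaml.version> property overrides the parent BOM."""
import re
import xml.etree.ElementTree as ET

GROUP, ARTIFACT = "org.yaml", "snakeyaml"

# Constructed sample: parent 2.7.10, an exclusion on the starter, and a direct
# snakeyaml dependency whose version comes from the snakeyaml.version property.
PINNED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.10</version>
  </parent>
  <properties><snakeyaml.version>2.0</snakeyaml.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <exclusions><exclusion>
        <groupId>org.yaml</groupId><artifactId>snakeyaml</artifactId>
      </exclusion></exclusions>
    </dependency>
    <dependency>
      <groupId>org.yaml</groupId><artifactId>snakeyaml</artifactId>
      <version>${snakeyaml.version}</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample: the questioner's situation, nothing overrides the parent.
UNPINNED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.3</version>
  </parent>
  <dependencies><dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
  </dependency></dependencies>
</project>"""

def _strip_ns(root):
    """Drop the POM namespace so element paths can use plain tag names."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def _text(el, tag):
    child = el.find(tag) if el is not None else None
    return child.text.strip() if child is not None and child.text else None

def _is_snakeyaml(el):
    return _text(el, "groupId") == GROUP and _text(el, "artifactId") == ARTIFACT

def version_tuple(v):
    """'2.2' -> (2, 2), '1.13-SNAPSHOT' -> (1, 13): compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def analyze_pom(pom_xml):
    """Report the three override mechanisms plus the parent version."""
    root = _strip_ns(ET.fromstring(pom_xml))
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}

    def expand(v):  # resolve a ${property} reference the way Maven does
        if v and v.startswith("${") and v.endswith("}"):
            return props.get(v[2:-1])
        return v

    direct_version, excluded_from = None, []
    for dep in root.findall("dependencies/dependency"):
        if _is_snakeyaml(dep):
            direct_version = expand(_text(dep, "version"))
        for exc in dep.findall("exclusions/exclusion"):
            if _is_snakeyaml(exc):
                excluded_from.append(_text(dep, "artifactId"))
    return {"direct_version": direct_version,
            "property_version": props.get("snakeyaml.version"),
            "excluded_from": excluded_from,
            "parent_version": _text(root.find("parent"), "version")}

def effective_version(report):
    """Direct dependency wins, then the property; None means the version is
    whatever the parent BOM manages, which an offline pom check cannot see."""
    return report["direct_version"] or report["property_version"]

def meets_minimum(report, minimum="2.0"):
    v = effective_version(report)
    return v is not None and version_tuple(v) >= version_tuple(minimum)

if __name__ == "__main__":
    for name, pom in (("pinned", PINNED_POM), ("unpinned", UNPINNED_POM)):
        r = analyze_pom(pom)
        print(name, r, "effective:", effective_version(r), "ok:", meets_minimum(r))
```

The script only reads the pom, so when nothing in it pins SnakeYAML it reports None rather than guessing what the parent BOM manages; to see the version Maven actually resolves, run `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` in the project and compare the single remaining org.yaml:snakeyaml line with the scanner's finding.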