[KOGITO-8432] - CVE-2022-25857 - Upgrade SnakeYAML on Spring Boot rel…

…ated components (#2721) Signed-off-by: Ricardo Zanini <zanini@redhat.com> Signed-off-by: Ricardo Zanini <zanini@redhat.com>
apache · Jan 10, 2023 · d7d3d88 · d7d3d88
1 parent 07d2134
commit d7d3d88
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/kogito-build/kogito-dependencies-bom/pom.xml b/kogito-build/kogito-dependencies-bom/pom.xml
@@ -90,7 +90,7 @@
     <version.org.mvel>2.4.12.Final</version.org.mvel>
     <version.org.reactivestreams>1.0.3</version.org.reactivestreams>
     <version.org.reflections>0.9.11</version.org.reflections>
-    <version.org.slf4j>1.7.30</version.org.slf4j>
+    <version.org.slf4j>1.7.36</version.org.slf4j>
 
     <version.maven>3.6.3</version.maven>
     <version.maven.plugin>3.6.0</version.maven.plugin>

diff --git a/springboot/bom/pom.xml b/springboot/bom/pom.xml
@@ -21,8 +21,13 @@
     <!-- must be aligned with the Archetype plugin: https://maven.apache.org/archetype/maven-archetype-plugin/dependencies.html -->
     <version.org.codehaus.groovy>2.4.16</version.org.codehaus.groovy>
     <version.org.spockframework>1.3-groovy-2.4</version.org.spockframework>
+    <!-- Spring Boot Cloud aligned with Spring Boot Framework version. See: https://spring.io/projects/spring-cloud -->
+    <version.org.springframework.cloud.kubernetes.fabric8>2.1.1</version.org.springframework.cloud.kubernetes.fabric8>
+    <!-- CVE-2022-25857: Upgrading snakeyaml until we upgrade to Spring Boot 3.x -->
+    <!-- See: https://github.com/spring-projects/spring-boot/issues/32221 -->
+    <snakeyaml.version>1.31</snakeyaml.version>
   </properties>
-
+  
   <dependencyManagement>
     <dependencies>
       <dependency>
@@ -58,6 +63,16 @@
         <version>${version.org.spockframework}</version>
         <scope>test</scope>
       </dependency>
+      <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-starter-kubernetes-fabric8</artifactId>
+        <version>${version.org.springframework.cloud.kubernetes.fabric8}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.yaml</groupId>
+        <artifactId>snakeyaml</artifactId>
+        <version>${snakeyaml.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
   <build>