Expected Behavior
A Gradle project should build without any vulnerabilities flagged in either the Detekt plugin or any of its transitive dependencies.
Observed Behavior
When building a Gradle project that has both the Detekt Gradle plugin v1.21.0 and the OWASP Dependency Check Gradle plugin v7.1.2 configured, the latter plugin (as of the time of the opening of this issue) will flag the following vulnerability:
When ./gradlew -q dependencies is subsequently run, it becomes clear that snakeyaml v1.30 is being pulled in by Detekt. I encountered this in both v1.20.0 and v1.21.0 of the Detekt Gradle plugin.
Steps to Reproduce
Configure the Detekt Gradle plugin v1.21.0 and the OWASP Dependency Check Gradle plugin v7.1.2 in a Gradle project
Build the project with Gradle, or run ./gradlew dependencyCheckAnalyze on it
Context
I'm not sure if there is a realistic way for an attacker to exploit the vulnerability described in CVE-2022-25857 when this dependency is used by Detekt. However, the simplest and safest way to resolve this issue is by upgrading the snakeyaml dependency to v1.31 or higher, which should mitigate this vulnerability.
Your Environment
Version of detekt used: v1.20.0 and v1.21.0
Version of Gradle used (if applicable): 7.5.1 (with the Gradle Wrapper, if that matters)
Operating System and version: a recent Linux distro, but this should be reproducible on other platforms as well
Thanks for the report! This will be fixed in the next release by #5250
Although there might be some time before the next release, I agree that there's very little risk to detekt users in the meantime, so I don't think we'll rush a release just for this.
If anyone is concerned you could use the SNAPSHOT build which uses the new dependency version.
@3flex I see v1.22.0 is still at release candidate status. Would it be too late to bump up the snakeyaml version to 1.32 for that release? An additional vulnerability was published that also affects 1.31.
If you need me to create a separate Jira issue for this, let me know.
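For readers who want the mitigation from the Context section (upgrade snakeyaml to 1.31 or, per the follow-up comment, 1.32) without waiting for a detekt release, here is an added example build script, not code from the issue or from the detekt project. It assumes a Kotlin DSL build (build.gradle.kts), the Maven coordinates org.yaml:snakeyaml, and that the detekt plugin resolves its tool classpath through a project configuration named detekt, so a project-wide forced version is also seen by the OWASP scan.

```kotlin
// build.gradle.kts (added example, not from the issue or the detekt project)
plugins {
    id("io.gitlab.arturbosch.detekt") version "1.21.0"
    id("org.owasp.dependencycheck") version "7.1.2"
}

repositories {
    mavenCentral()
}

// Temporary workaround until the detekt release that bumps snakeyaml (#5250) ships:
// force the patched version on every configuration, including the `detekt`
// configuration created by the plugin (assumption: that is where snakeyaml 1.30
// is resolved), so the dependency-check scan no longer reports the old version.
// 1.32 is the version requested in the follow-up comment; re-check the advisory
// and use the newest release available when applying this.
configurations.all {
    resolutionStrategy {
        force("org.yaml:snakeyaml:1.32")
    }
}

// Turn the scan into a build gate instead of a report only: fail the build when
// any dependency carries a finding with CVSS score of 7.0 or higher.
dependencyCheck {
    failBuildOnCVSS = 7.0f
}
```

After applying the override, confirm both that the forced version took effect (./gradlew -q dependencies --configuration detekt should list snakeyaml 1.32) and that detekt itself still runs cleanly (./gradlew detekt), since forcing a tool's transitive dependency can in principle break that tool.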