Detekt Gradle plugin v1.21.0 pulls in snakeyaml v1.30, which has vulnerability CVE-2022-25857 #5271

Closed
volkert-fastned opened this issue Sep 2, 2022 · 3 comments
volkert-fastned commented Sep 2, 2022

Expected Behavior

A Gradle project should build without any vulnerabilities flagged in either the Detekt plugin or any of its transitive dependencies.

Observed Behavior

When building a Gradle project that has both the Detekt Gradle plugin v1.21.0 and the OWASP Dependency Check Gradle plugin v7.1.2 configured, the latter plugin (as of the time of the opening of this issue) will flag the following vulnerability:

snakeyaml-1.30.jar (pkg:maven/org.yaml/snakeyaml@1.30, cpe:2.3:a:snakeyaml_project:snakeyaml:1.30:*:*:*:*:*:*:*, cpe:2.3:a:yaml_project:yaml:1.30:*:*:*:*:*:*:*) : CVE-2022-25857

When ./gradlew -q dependencies is subsequently run, it becomes clear that snakeyaml v1.30 is being pulled in by Detekt. I encountered this in both v1.20.0 and v1.21.0 of the Detekt Gradle plugin.

Steps to Reproduce

  • Enable both the Detekt Gradle plugin v1.21.0 and the OWASP Dependency Check Gradle plugin v7.1.2 in a Gradle project
  • Build the project with Gradle, or run ./gradlew dependencyCheckAnalyze on it

Context

I'm not sure if there is a realistic way for an attacker to exploit the vulnerability described in CVE-2022-25857 when this dependency is used by Detekt. However, the simplest and safest way to resolve this issue is by upgrading the snakeyaml dependency to v1.31 or higher, which should mitigate this vulnerability.

Your Environment

  • Version of detekt used: v1.20.0 and v1.21.0
  • Version of Gradle used (if applicable): 7.5.1 (with the Gradle Wrapper, if that matters)
  • Operating System and version: a recent Linux distro, but this should be reproducible on other platforms as well
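As an added example (not code from the detekt project or from the issue author), this build.gradle.kts fragment shows the consumer-side mitigation a project can apply while waiting for a release: it forces the transitive snakeyaml to a fixed version in every configuration and adds a task that fails the build if the pin ever stops taking effect. It assumes the Gradle Kotlin DSL, that the detekt plugin exposes its tool classpath as a configuration named `detekt`, and uses 1.33 as the target, the version the maintainers adopted later in this thread.

```kotlin
// build.gradle.kts
// Added example, not code from the detekt project or the issue author.
// Pins the transitive org.yaml:snakeyaml dependency in every configuration
// of this project, including the `detekt` configuration the detekt Gradle
// plugin creates (assumed name), so the build resolves the fixed version
// instead of the vulnerable 1.30 pulled in by detekt 1.21.0.
plugins {
    id("io.gitlab.arturbosch.detekt") version "1.21.0"
    id("org.owasp.dependencycheck") version "7.1.2"
}

repositories { mavenCentral() }

// 1.33 is the version the detekt maintainers moved to in this thread;
// anything below 1.31 is affected by CVE-2022-25857.
val snakeyamlFixedVersion = "1.33"

configurations.all {
    resolutionStrategy.eachDependency {
        if (requested.group == "org.yaml" && requested.name == "snakeyaml") {
            useVersion(snakeyamlFixedVersion)
            because("CVE-2022-25857: snakeyaml < 1.31 is vulnerable; pinned to $snakeyamlFixedVersion")
        }
    }
}

// Guard task: fails the build if the pin stops applying, e.g. after a plugin
// upgrade renames the configuration or resolves the tool classpath differently.
tasks.register("verifySnakeyamlPin") {
    doLast {
        val resolved = configurations.getByName("detekt")
            .resolvedConfiguration
            .resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "org.yaml" && it.name == "snakeyaml" }
        check(resolved.isNotEmpty()) { "snakeyaml not found in the detekt configuration" }
        resolved.forEach {
            check(it.version == snakeyamlFixedVersion) {
                "snakeyaml resolved to ${it.version}, expected $snakeyamlFixedVersion"
            }
        }
        println("snakeyaml pinned to $snakeyamlFixedVersion in the detekt configuration")
    }
}
```

Run `./gradlew verifySnakeyamlPin` alongside `dependencyCheckAnalyze`; the pin is a stopgap and can be dropped once the detekt release that bumps snakeyaml is adopted.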
3flex (Member) commented Sep 3, 2022

Thanks for the report! This will be fixed in the next release by #5250

Although there might be some time before the next release, I agree that there's very little risk to detekt users in the meantime, so I don't think we'll rush a release just for this.

If anyone is concerned you could use the SNAPSHOT build which uses the new dependency version.

3flex closed this as completed Sep 3, 2022

volkert-fastned (Author) commented
@3flex I see v1.22.0 is still at release candidate status. Would it be too late to bump up the snakeyaml version to 1.32 for that release? An additional vulnerability was published that also affects 1.31.

If you need me to create a separate Jira issue for this, let me know.

Thanks. 🙂

3flex (Member) commented Sep 26, 2022

The dependency will be updated to 1.33 in #5354 and this should be part of the final detekt 1.22 release.
