Update SnakeYAML to 1.32 (#643)

This closes #642
Netcentric · Sep 13, 2022 · cb4cda9 · cb4cda9
1 parent f9222cc
commit cb4cda9
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 12 deletions.
diff --git a/accesscontroltool-bundle/suppression.xml b/accesscontroltool-bundle/suppression.xml
@@ -1,18 +1,25 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <suppress>
-    <notes><![CDATA[
+    <suppress>
+        <notes><![CDATA[
 https://nvd.nist.gov/vuln/detail/CVE-2020-8022 marks it as vulnerable as it has version ranges without a lower bound for both tomcat 8 and 9.
 Reported at https://github.com/jeremylong/DependencyCheck/issues/3661.
    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-jasper\-el@.*$</packageUrl>
-    <cve>CVE-2020-8022</cve>
-  </suppress>
-  <suppress>
-   <notes><![CDATA[
-   file name: tomcat-jasper-el-10.0.21.jar
+        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-jasper\-el@.*$</packageUrl>
+        <cve>CVE-2020-8022</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+       file name: tomcat-jasper-el-10.0.21.jar
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-jasper\-el@.*$</packageUrl>
+        <cve>CVE-2022-34305</cve><!-- only affects examples web app (https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k) -->
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: snakeyaml-1.32.jar, 1.32 has the CVE issue fixed, reported at https://github.com/jeremylong/DependencyCheck/issues/4839
    ]]></notes>
-   <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/tomcat\-jasper\-el@.*$</packageUrl>
-   <cve>CVE-2022-34305</cve><!-- only affects examples web app (https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k) -->
-</suppress>
+        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
+        <vulnerabilityName>CVE-2022-38752</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -114,7 +114,7 @@
             <dependency>
                 <groupId>org.yaml</groupId>
                 <artifactId>snakeyaml</artifactId>
-                <version>1.28</version>
+                <version>1.32</version>
             </dependency>
             <!-- due to https://bugs.openjdk.java.net/browse/JDK-8231581 OOTB JRE is not sufficient -->
             <dependency>