CODEWITHSUNDEEP
javaspring-bootfortifysnakeyamlsnyk
Syed Rafi
Syed Rafi

Reputation: 915

upgrade to SnakeYaml 1.31 in spring-boot-starter-parent 2.7.3

Have springboot project in which wanted to either exclude snakeyaml 1.30 or upgrade it 1.31 inorder to avoid fortify issue reporting

with snakeyaml 1.30 version there is security vulnerability

<parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.3</version>
</parent>

Below is seen on the effective pom.xml of the project

  <dependency>
          <groupId>org.yaml</groupId>
          <artifactId>snakeyaml</artifactId>
          <version>1.30</version>
          <scope>compile</scope>
        </dependency>

Is there any possibility to upgrade as the remediation says to upgrade the version to snakeyaml 1.31 ?

Ref : https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360

Upvotes: 22

Views: 44141

Answers (4)

Dvir
Dvir

Reputation: 3129

If you are using gradle, you can override the version used by spring boot.

Use the io.spring.dependency-management plugin, it will automatically import the spring-boot-dependencies bom from the version of Spring Boot that you are using.

plugins {
   id 'org.springframework.boot' version '2.7.3'
}

Once done you can customize the versions spring is using just by setting the corresponding property:

ext {
   set('snakeyaml.version','1.32')
}

to see the full list of dependencies versions and their properties to override you can browse here:

https://docs.spring.io/spring-boot/docs/current/reference/html/dependency-versions.html#appendix.dependency-versions.properties

Now, when running ./gradlew dependencies you can see org.yaml.snakeyaml was upgraded to v1.32:

    +--- org.springframework.boot:spring-boot-starter-actuator -> 2.7.3
|    +--- org.springframework.boot:spring-boot-starter:2.7.3
|    |    +--- org.springframework.boot:spring-boot:2.7.3
|    |    |    +--- org.springframework:spring-core:5.3.22
|    |    |    |    \--- org.springframework:spring-jcl:5.3.22
|    |    |    \--- org.springframework:spring-context:5.3.22
|    |    |         +--- org.springframework:spring-aop:5.3.22
|    |    |         |    +--- org.springframework:spring-beans:5.3.22
|    |    |         |    |    \--- org.springframework:spring-core:5.3.22 (*)
|    |    |         |    \--- org.springframework:spring-core:5.3.22 (*)
|    |    |         +--- org.springframework:spring-beans:5.3.22 (*)
|    |    |         +--- org.springframework:spring-core:5.3.22 (*)
|    |    |         \--- org.springframework:spring-expression:5.3.22
|    |    |              \--- org.springframework:spring-core:5.3.22 (*)
|    |    +--- org.springframework.boot:spring-boot-autoconfigure:2.7.3
|    |    |    \--- org.springframework.boot:spring-boot:2.7.3 (*)
|    |    +--- org.springframework.boot:spring-boot-starter-logging:2.7.3
|    |    |    +--- ch.qos.logback:logback-classic:1.2.11
|    |    |    |    +--- ch.qos.logback:logback-core:1.2.11
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.32 -> 1.7.36
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.17.2
|    |    |    |    +--- org.slf4j:slf4j-api:1.7.35 -> 1.7.36
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.17.2
|    |    |    \--- org.slf4j:jul-to-slf4j:1.7.36
|    |    |         \--- org.slf4j:slf4j-api:1.7.36
|    |    +--- jakarta.annotation:jakarta.annotation-api:1.3.5
|    |    +--- org.springframework:spring-core:5.3.22 (*)
|    |    \--- org.yaml:snakeyaml:1.30 -> 1.32

This answer is based on spring docs for v2.7.3 which can be found here: https://docs.spring.io/spring-boot/docs/2.7.3/gradle-plugin/reference/htmlsingle/

Upvotes: 10

Pino
Pino

Reputation: 9303

I excluded snakeyaml dependency from my web apps and they work fine. Of course I use application.properties, not application.yml.

Upvotes: 3

Hamish Lawson
Hamish Lawson

Reputation: 592

SnakeYAML is a managed dependency in Spring Boot, so you can simply add the following to the properties section of pom.xml to have Spring Boot 2.3.7 use SnakeYAML 1.31 instead of 1.30:

<snakeyaml.version>1.31</snakeyaml.version>

Upvotes: 38

Markus
Markus

Reputation: 1767

You can always change the version number through the <dependencyManagement> block in your pom.xml:

<dependencyManagement>
    <dependencies>

      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>1.31</version>
      </dependency>

   </dependencies>
</dependencyManagement>

This will automatically change the version your project will use. You can test this by running mvn dependency:tree afterwards. It should only show version 1.31 of snakeyaml.

Important remark: Make sure that you remove this block as soon as you integrate the next version of Spring Boot as it will very likely contain the increased version. Otherwise you may downgrade the version unintentionally after future updates.

Please also note that there may be incompatibilities between certain lib versions and Spring Boot, hence it may not always be possible to update the version this way.

Upvotes: 13

Related Questions