[Updated]Vulnerability fix based on SNYK report with Code Drop (#62)

* high severities fixed Signed-off-by: Deepika Karanji - d0k03k3 <[email protected]> * all fixed Signed-off-by: Deepika Karanji - d0k03k3 <[email protected]> * Added comments Signed-off-by: Deepika Karanji - d0k03k3 <[email protected]> * update to stable version Signed-off-by: Deepika Karanji - d0k03k3 <[email protected]> * exclusions Signed-off-by: Deepika Karanji - d0k03k3 <[email protected]> Signed-off-by: Deepika Karanji - d0k03k3 <[email protected]> Co-authored-by: Deepika Karanji - d0k03k3 <[email protected]>
hyperledger-labs · Oct 11, 2022 · f678258 · f678258
1 parent 7645d2e
commit f678258
Showing 1 changed file with 37 additions and 4 deletions.
diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.1</version>
+		<version>2.7.4</version>
 		<relativePath /> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>hlf.java.client</groupId>
@@ -19,11 +19,11 @@
 	<properties>
 		<java.version>11</java.version>
 		<jacoco.version>0.8.8</jacoco.version>
-		<protobuf.version>3.19.2</protobuf.version>
+		<protobuf.version>3.19.6</protobuf.version>
 		<spring-cloud.version>2021.0.3</spring-cloud.version>
 	</properties>
 
-	<!-- Adding dependency management through the Spring BOM, so that we need 
+	<!-- Adding dependency management through the Spring BOM, so that we need
 		not manage versions ourselves -->
 	<dependencyManagement>
 		<dependencies>
@@ -36,11 +36,22 @@
 			</dependency>
 		</dependencies>
 	</dependencyManagement>
-
 	<dependencies>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter</artifactId>
+			<exclusions>
+				<!--Excluding default snakeyaml transitive dependency as remediation for CVE-2022-25857, CVE-2022-38749 -->
+				<exclusion>
+					<groupId>org.yaml</groupId>
+					<artifactId>snakeyaml</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>org.yaml</groupId>
+			<artifactId>snakeyaml</artifactId>
+			<version>1.32</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
@@ -49,6 +60,28 @@
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
+			<exclusions>
+				<!--Excluding default jackson-databind dependency as remediation for CVE-2020-36518 -->
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-databind</artifactId>
+				</exclusion>
+				<!--Excluding default tomcat-embed-core dependency as remediation for CVE-2021-43980 -->
+				<exclusion>
+					<groupId>org.apache.tomcat.embed</groupId>
+					<artifactId>tomcat-embed-core</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-databind</artifactId>
+			<version>2.13.4</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.tomcat.embed</groupId>
+			<artifactId>tomcat-embed-core</artifactId>
+			<version>9.0.62</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>