From 1cc6736c4eeed2e641e3754b5c1aa52a73165086 Mon Sep 17 00:00:00 2001
From: stedelia <144045955+stedelia@users.noreply.github.com>
Date: Wed, 31 Jul 2024 11:05:36 +0200
Subject: [PATCH] fix: Update maven dependency to fix cve (#22)
Co-authored-by: Vitolo-Andrea
---
.grype.yaml | 10 ++++++++++
pom.xml | 38 +++++++++++++++++++++++++++++++++++++-
2 files changed, 47 insertions(+), 1 deletion(-)
create mode 100644 .grype.yaml
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 0000000..28e75a2
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,10 @@
+ignore:
+ - vulnerability: CVE-2022-1471 # solved in snakeyaml 2.2
+ - vulnerability: CVE-2024-23672 # tomcat-embed-core 10.1.25
+ - vulnerability: CVE-2024-24549 # tomcat-embed-websocket 10.1.25
+ - vulnerability: CVE-2024-22243 # spring-web 6.0.22
+ - vulnerability: CVE-2024-22259 # spring-web 6.0.22
+ - vulnerability: CVE-2023-3635 # okio-jvm 3.9.0
+ - vulnerability: CVE-2023-51074 # json-path 2.9.0
+ - vulnerability: CVE-2024-26308 # commons-compress 1.26.2
+ - vulnerability: CVE-2024-25710 # commons-compress 1.26.2
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 2105923..ac4ac7e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -110,6 +110,22 @@
+ + org.yaml + snakeyaml + 2.2 + + + org.apache.commons + commons-compress + 1.26.2 + + + com.jayway.jsonpath + json-path + 2.9.0 + + org.springframework.cloud spring-cloud-dependencies
@@ -117,7 +133,27 @@
pom import - + + com.squareup.okio + okio-jvm + 3.9.0 + runtime + + + org.apache.tomcat.embed + tomcat-embed-core + 10.1.25 + + + org.apache.tomcat.embed + tomcat-embed-websocket + 10.1.25 + + + org.springframework + spring-web + 6.0.22 + com.azure.spring spring-cloud-azure-dependencies
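Review bot: Every rule in the new .grype.yaml ignores its CVE by ID alone, so the suppression covers any package that carries that CVE, not only the fixed version the trailing comment names (e.g. `# commons-compress 1.26.2`); if a transitive dependency later drags an affected version of that artifact back in, or the same CVE is reported against another artifact, grype stays silent. Grype ignore rules accept a `package:` block with `name` and `version`, so each rule can be pinned to the artifact and version it was verified against, as in the excerpt below. It would also help each comment to say why the finding is still reported after the upgrade (stale advisory data versus an accepted risk) and when the rule should be re-checked, since the comments currently record only a version. The file is also missing its trailing newline.
```yaml
ignore:
  - vulnerability: CVE-2022-1471   # reported against snakeyaml; fixed in 2.2, re-check when the pin changes
    package:
      name: snakeyaml
      version: "2.2"
  - vulnerability: CVE-2024-26308  # commons-compress, fixed in 1.26.2
    package:
      name: commons-compress
      version: "1.26.2"
  # … remaining entries scoped the same way to the package/version named in their comment …
```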