Merge pull request #313 from hmcts/PAY-6220

PAY-6220: Fix CVE-2022-1471
hmcts · May 3, 2024 · 5300370 · 5300370
2 parents c26a775 + e47f391
commit 5300370
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 13 deletions.
diff --git a/config/owasp/suppressions.xml b/config/owasp/suppressions.xml
@@ -1,17 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <suppress>
-    <notes>SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
-    </notes>
-    <cve>CVE-2022-1471</cve>
-    <cve>CVE-2022-25857</cve>
-  </suppress>
-  <suppress>
-    <notes>
-      liquibase-core core needs major version latest 4.2.2. not resolving current CVE issue.
-    </notes>
-    <cve>CVE-2022-0839</cve>
-  </suppress>
   <suppress>
     <notes>
       Jackson core needs major version latest 2.12.7  not resolving current CVE issue. Same applies to json-path version 2.4.0.

diff --git a/cve-resolution-strategy.gradle b/cve-resolution-strategy.gradle
@@ -15,7 +15,7 @@ configurations.all {
 
       /*CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751 */
       if (details.requested.name == 'snakeyaml') {
-        details.useVersion '1.33'
+        details.useVersion '2.2'
       }
 
       /*