18

I have a Spring Boot project in which I want to either exclude snakeyaml 1.30 or upgrade it to 1.31 in order to avoid Fortify issue reporting.

With snakeyaml 1.30 there is a security vulnerability.

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.3</version>
</parent>

Below is what is seen in the effective pom.xml of the project:

<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>1.30</version>
    <scope>compile</scope>
</dependency>

Is there any possibility to upgrade, as the remediation says to upgrade the version to snakeyaml 1.31?

Ref: https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360

Syed Rafi
  • snakeyaml 1.30 and also 1.31 contain vulnerabilities that need to be patched. In future versions of Spring Boot (3.0.0 and up) this was fixed by using snakeyaml 1.32 and up. – Tom Elias Dec 27 '22 at 10:07

4 Answers

35

SnakeYAML is a managed dependency in Spring Boot, so you can simply add the following to the properties section of pom.xml to have Spring Boot 2.3.7 use SnakeYAML 1.31 instead of 1.30:

<snakeyaml.version>1.31</snakeyaml.version>

Hamish Lawson
12

You can always change the version number through the <dependencyManagement> block in your pom.xml:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
            <version>1.31</version>
        </dependency>
    </dependencies>
</dependencyManagement>

This will automatically change the version your project will use. You can test this by running mvn dependency:tree afterwards. It should only show version 1.31 of snakeyaml.

Important remark: Make sure that you remove this block as soon as you integrate the next version of Spring Boot as it will very likely contain the increased version. Otherwise you may downgrade the version unintentionally after future updates.

Please also note that there may be incompatibilities between certain lib versions and Spring Boot, hence it may not always be possible to update the version this way.

Markus
  • On the effective pom.xml I could see snakeyaml:1.30, but on command execution I could only see snakeyaml:1.31, and also on an on-demand Fortify run I could see the high finding reported about snakeyaml:1.30 – Syed Rafi Sep 15 '22 at 05:26
  • Make sure that you don't have an explicit dependency on `snakeyaml` with the version 1.30 in your poms. You can remove the `` now that you use the `` – Markus Sep 15 '22 at 06:02
  • Is it safe just to upgrade the snakeyaml dependency? How do we know the compatibility of the upgraded snakeyaml with Spring Boot? – Aleson Jan 10 '23 at 03:00
  • @Aleson, that's what your integration tests are for. – Leponzo Feb 25 '23 at 18:40
10

If you are using Gradle, you can override the version used by Spring Boot.

Use the io.spring.dependency-management plugin; it will automatically import the spring-boot-dependencies BOM for the version of Spring Boot that you are using.

plugins {
   id 'org.springframework.boot' version '2.7.3'
}

Once done, you can customize the versions Spring is using just by setting the corresponding property:

ext {
   set('snakeyaml.version','1.32')
}

To see the full list of dependency versions and the properties to override, you can browse here:

https://docs.spring.io/spring-boot/docs/current/reference/html/dependency-versions.html#appendix.dependency-versions.properties

Now, when running ./gradlew dependencies, you can see org.yaml.snakeyaml was upgraded to v1.32:

+--- org.springframework.boot:spring-boot-starter-actuator -> 2.7.3
|    +--- org.springframework.boot:spring-boot-starter:2.7.3
|    |    +--- org.springframework.boot:spring-boot:2.7.3
|    |    |    +--- org.springframework:spring-core:5.3.22
|    |    |    |    \--- org.springframework:spring-jcl:5.3.22
|    |    |    \--- org.springframework:spring-context:5.3.22
|    |    |         +--- org.springframework:spring-aop:5.3.22
|    |    |         |    +--- org.springframework:spring-beans:5.3.22
|    |    |         |    |    \--- org.springframework:spring-core:5.3.22 (*)
|    |    |         |    \--- org.springframework:spring-core:5.3.22 (*)
|    |    |         +--- org.springframework:spring-beans:5.3.22 (*)
|    |    |         +--- org.springframework:spring-core:5.3.22 (*)
|    |    |         \--- org.springframework:spring-expression:5.3.22
|    |    |              \--- org.springframework:spring-core:5.3.22 (*)
|    |    +--- org.springframework.boot:spring-boot-autoconfigure:2.7.3
|    |    |    \--- org.springframework.boot:spring-boot:2.7.3 (*)
|    |    +--- org.springframework.boot:spring-boot-starter-logging:2.7.3
|    |    |    +--- ch.qos.logback:logback-classic:1.2.11
|    |    |    |    +--- ch.qos.logback:logback-core:1.2.11
|    |    |    |    \--- org.slf4j:slf4j-api:1.7.32 -> 1.7.36
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.17.2
|    |    |    |    +--- org.slf4j:slf4j-api:1.7.35 -> 1.7.36
|    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.17.2
|    |    |    \--- org.slf4j:jul-to-slf4j:1.7.36
|    |    |         \--- org.slf4j:slf4j-api:1.7.36
|    |    +--- jakarta.annotation:jakarta.annotation-api:1.3.5
|    |    +--- org.springframework:spring-core:5.3.22 (*)
|    |    \--- org.yaml:snakeyaml:1.30 -> 1.32

This answer is based on spring docs for v2.7.3 which can be found here: https://docs.spring.io/spring-boot/docs/2.7.3/gradle-plugin/reference/htmlsingle/

DeJaVo
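Both the Maven answer above (which suggests confirming the override with mvn dependency:tree) and the Gradle answer (./gradlew dependencies) leave the reader to scan the dependency tree by eye. The following added example, which is not from any of the posts, parses either tool's tree output and reports every resolved version of org.yaml:snakeyaml below a chosen minimum, so the remediation can be verified automatically in CI. The sample tree text is constructed here; only the coordinates and version numbers come from the answers.

```python
"""Parse `./gradlew dependencies` or `mvn dependency:tree` output and check the resolved SnakeYAML version."""
import re

# Gradle: "|    \--- org.yaml:snakeyaml:1.30 -> 1.32 (*)"; the declared version may be
# absent (BOM-managed), and "-> X" means the managed version replaced the declared one.
GRADLE_RE = re.compile(
    r"^[\s|\\+-]*(?P<ga>[\w.-]+:[\w.-]+)(?::(?P<declared>[\w.-]+))?"
    r"(?:\s*->\s*(?P<resolved>[\w.-]+))?"
)
# Maven: "[INFO] |  \- org.yaml:snakeyaml:jar:1.31:compile", i.e.
# group:artifact:type[:classifier]:version:scope, so the version precedes the scope.
MAVEN_RE = re.compile(r"^(?:\[INFO\]\s*)?[\s|\\+-]*(?P<coords>[\w.-]+(?::[\w.-]+){4,5})\s*$")


def version_key(version: str) -> tuple:
    """Numeric components only, so that '1.30' < '1.31' < '1.32' < '2.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolved_versions(tree_text: str, group: str, artifact: str) -> list:
    """Every version of group:artifact the build resolves, oldest first."""
    wanted = f"{group}:{artifact}"
    found = set()
    for line in tree_text.splitlines():
        maven = MAVEN_RE.match(line)
        if maven:
            parts = maven.group("coords").split(":")
            if ":".join(parts[:2]) == wanted:
                found.add(parts[-2])
            continue
        gradle = GRADLE_RE.match(line)
        if gradle and gradle.group("ga") == wanted:
            version = gradle.group("resolved") or gradle.group("declared")
            if version:
                found.add(version)
    return sorted(found, key=version_key)


def below_minimum(tree_text: str, group: str, artifact: str, minimum: str) -> list:
    """Resolved versions older than `minimum`; an empty list means the override took effect."""
    return [v for v in resolved_versions(tree_text, group, artifact)
            if version_key(v) < version_key(minimum)]


# Constructed sample mirroring the shape of the Gradle output in the answer above.
GRADLE_SAMPLE = """\
+--- org.springframework.boot:spring-boot-starter-actuator -> 2.7.3
|    +--- org.springframework.boot:spring-boot-starter:2.7.3
|    |    \\--- org.yaml:snakeyaml:1.30 -> 1.32
"""
```

Pipe the real tool output into resolved_versions or below_minimum and fail the build when the returned list of old versions is non-empty; note that Maven's default (non-verbose) tree shows only the winning version per artifact, which is exactly the one that ends up on the classpath.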
3

I excluded the snakeyaml dependency from my web apps and they work fine. Of course I use application.properties, not application.yml.

Pino