Some security vulnerabilities were recently discovered in snakeyaml library. Our SCA tool (Cx) reports that our connect app has snakeyaml in it and that dependency comes from Atlassian Connect jars.
snakeyaml 1.32 is released with fixes. Any plans to upgrade?
Hi @emre.toptanci! Let me try to clear this up
As you can see from https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies/2.7.3, this SnakeYAML vulnerability falls into category 2b below.
There are two different categories of dependency vulnerabilities for atlassian-connect-spring-boot:
1. Dependency where the version is managed by atlassian-connect-spring-boot.
For these dependencies, you can expect a new release of atlassian-connect-spring-boot with the dependency version upgraded.
- org.springframework.security.oauth:spring-security-oauth2 (removed in 3.0.0-beta-1)
2. Dependency where the version is managed by Spring.
We expect for apps to typically manage the version of Spring Boot separately from the version of atlassian-connect-spring-boot (see for example our archetype POM).
I would recommend this approach, since while we will continuously upgrade the version of Spring Boot in atlassian-connect-spring-boot, we will not necessarily publish releases of atlassian-connect-spring-boot following those upgrades.
a) The latest version of Spring Boot has a version of the dependency without the vulnerability.
In this case, simply upgrade Spring Boot.
b) The latest version of Spring Boot still has a vulnerable version of the dependency.
Consider overriding the dependency version directly in your app.
Thanks for the info. We’ll look into this.