Hi @emre.toptanci! Let me try to clear this up.
As you can see from https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies/2.7.3, this SnakeYAML vulnerability falls into category 2b below.
===
There are two different categories of dependency vulnerabilities for atlassian-connect-spring-boot:
1. Dependency where the version is managed by atlassian-connect-spring-boot.
For these dependencies, you can expect a new release of atlassian-connect-spring-boot with the dependency version upgraded.
Affected dependencies:
- org.springframework.security.oauth:spring-security-oauth2 (removed in 3.0.0-beta-1)
2. Dependency where the version is managed by Spring.
We expect apps to typically manage the version of Spring Boot separately from the version of atlassian-connect-spring-boot (see for example our archetype POM).
I would recommend this approach, since while we will continuously upgrade the version of Spring Boot in atlassian-connect-spring-boot, we will not necessarily publish releases of atlassian-connect-spring-boot following those upgrades.
a) The latest version of Spring Boot has a version of the dependency without the vulnerability.
In this case, simply upgrade Spring Boot.
b) The latest version of Spring Boot still has a vulnerable version of the dependency.
Consider overriding the dependency version directly in your app.
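As an added illustration of case 2b (not part of the reply above, and not Atlassian's or Spring's own code): a Maven POM excerpt that overrides the SnakeYAML version managed by Spring Boot. It assumes the app inherits from spring-boot-starter-parent 2.7.3, relies on the `snakeyaml.version` property that spring-boot-dependencies declares, and uses `FIXED_SNAKEYAML_VERSION` as a placeholder for the non-vulnerable release you choose.

```xml
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.3</version>
  </parent>

  <properties>
    <!-- Option A: override the version property that spring-boot-dependencies
         declares for org.yaml:snakeyaml. This works when the app inherits from
         spring-boot-starter-parent. FIXED_SNAKEYAML_VERSION is a placeholder. -->
    <snakeyaml.version>FIXED_SNAKEYAML_VERSION</snakeyaml.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Option B: pin the artifact explicitly. Use this when the app imports the
           spring-boot-dependencies BOM instead of inheriting from the starter parent,
           because property overrides are not applied to an imported BOM. An entry
           declared directly here takes precedence over the imported BOM's version. -->
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>FIXED_SNAKEYAML_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After changing the POM, confirm which version is actually resolved with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`, since a transitive path may still pull in the managed version if the override is placed in the wrong section.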