Security - Latest 5.15.0 mockserver-netty depends on io.swagger.parser.v3:swagger-parser:jar:2.1.10 which depends on org.yaml:snakeyaml:1.33 which has a security issue with CVE-2022-1471
#1894
Describe the issue
Latest 5.15.0 mockserver-netty depends on io.swagger.parser.v3:swagger-parser:jar:2.1.10 which depends on org.yaml:snakeyaml:1.33 which has a security issue with CVE-2022-1471
https://nvd.nist.gov/vuln/detail/CVE-2022-1471
Fix should be to upgrade swagger to 2.1.22 which uses latest snakeyaml 2.2
2.2 version of snakeyaml doesn't contain the issue
See https://repo1.maven.org/maven2/io/swagger/parser/v3/swagger-parser-project/2.1.10/swagger-parser-project-2.1.10.pom which contains:
1.33
Swagger parser 2.1.22
https://repo1.maven.org/maven2/io/swagger/parser/v3/swagger-parser-project/2.1.22/swagger-parser-project-2.1.22.pom contains:
2.2
We're running Sonatype IQ Server, which detects such security issues, and it showed up.
I'm not necessarily saying that mockserver-netty actually uses the functionality that is exploitable under CVE-2022-1471 and is actually vulnerable, but IQ server makes a report on the whole library version as a result. org.yaml:snakeyaml:1.33 contains a vulnerability so it is red-flagged.
What you are trying to do
Build applications that don't contain security reports
MockServer version
5.15.0
To Reproduce
mvn dependency:tree shows the following output:
[INFO] | | +- io.swagger.parser.v3:swagger-parser:jar:2.1.10:compile
[INFO] | | | +- io.swagger.parser.v3:swagger-parser-v2-converter:jar:2.1.10:compile
[INFO] | | | | +- io.swagger:swagger-core:jar:1.6.9:compile
[INFO] | | | | | \- io.swagger:swagger-models:jar:1.6.9:compile
[INFO] | | | | +- io.swagger:swagger-parser:jar:1.0.64:compile
[INFO] | | | | +- io.swagger:swagger-compat-spec-parser:jar:1.0.64:compile
[INFO] | | | | | +- com.github.java-json-tools:json-schema-validator:jar:2.2.14:compile
[INFO] | | | | | | +- com.github.java-json-tools:jackson-coreutils-equivalence:jar:1.0:compile
[INFO] | | | | | | +- com.github.java-json-tools:json-schema-core:jar:1.2.14:compile
[INFO] | | | | | | | +- com.github.java-json-tools:uri-template:jar:0.10:compile
[INFO] | | | | | | | \- org.mozilla:rhino:jar:1.7.7.2:compile
[INFO] | | | | | | +- com.sun.mail:mailapi:jar:1.6.2:compile
[INFO] | | | | | | +- com.googlecode.libphonenumber:libphonenumber:jar:8.11.1:compile
[INFO] | | | | | | \- net.sf.jopt-simple:jopt-simple:jar:5.0.4:compile
[INFO] | | | | | \- com.github.java-json-tools:json-patch:jar:1.13:compile
[INFO] | | | | | +- com.github.java-json-tools:msg-simple:jar:1.2:compile
[INFO] | | | | | | \- com.github.java-json-tools:btf:jar:1.3:compile
[INFO] | | | | | \- com.github.java-json-tools:jackson-coreutils:jar:2.0:compile
[INFO] | | | | +- io.swagger.core.v3:swagger-models:jar:2.2.8:compile
[INFO] | | | | \- io.swagger.parser.v3:swagger-parser-core:jar:2.1.10:compile
[INFO] | | | +- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.10:compile
[INFO] | | | | +- io.swagger.core.v3:swagger-core:jar:2.2.8:compile
[INFO] | | | | | +- io.swagger.core.v3:swagger-annotations:jar:2.2.8:compile
[INFO] | | | | | \- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] | | | | \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.14.0:compile
[INFO] | | | \- org.yaml:snakeyaml:jar:1.33:compile
Expected behaviour
No security warnings from Sonatype IQ Server
MockServer Log
n/a
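Added example, not MockServer project code and not from the issue author: a small Python parser for the `mvn dependency:tree` output quoted in the report. It walks the tree with a depth stack and returns the root-to-leaf path for every `org.yaml:snakeyaml` older than a chosen fixed version, so a finding like this one can be checked mechanically for which direct dependency pulls the artifact in. The tree embedded below is constructed and abbreviated (the application coordinate `com.example:app` is invented, and the intermediate levels between mockserver-netty and swagger-parser are collapsed); the threshold 2.0 is the fix version recorded for CVE-2022-1471, whereas the report itself only states that 2.2 is clean.

```python
"""Locate an affected transitive dependency in `mvn dependency:tree` output.

Added example for this issue; it is not MockServer project code. It assumes
the default (non-verbose) text layout of `mvn dependency:tree`, where every
nesting level is a 3-character column ("|  " or "   ") and each node is
introduced by "+- " or "\\- ".
"""
import re
from typing import List, Optional, Tuple

# Constructed, abbreviated tree in the style of the reporter's output: only
# the chain relevant to CVE-2022-1471 is kept, intermediate MockServer levels
# are collapsed, and com.example:app is an invented root coordinate.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.mock-server:mockserver-netty:jar:5.15.0:compile
[INFO] |  +- io.swagger.parser.v3:swagger-parser:jar:2.1.10:compile
[INFO] |  |  +- io.swagger.parser.v3:swagger-parser-v3:jar:2.1.10:compile
[INFO] |  |  |  +- io.swagger.core.v3:swagger-core:jar:2.2.8:compile
[INFO] |  |  |  \\- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.14.0:compile
[INFO] |  |  \\- org.yaml:snakeyaml:jar:1.33:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# One tree line: "[INFO] ", zero or more 3-char columns, an optional node
# marker, then the coordinate with no further whitespace.
LINE = re.compile(
    r"^\[INFO\] (?P<cols>(?:[| ]  )*)(?P<marker>[+\\]- )?(?P<coord>\S+)$"
)


def parse_coordinate(coord: str) -> Optional[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for a Maven coordinate string.

    Layouts handled: g:a:type:version (root), g:a:type:version:scope, and
    g:a:type:classifier:version:scope. Anything else is not a dependency line.
    """
    parts = coord.split(":")
    if len(parts) in (4, 5):
        return parts[0], parts[1], parts[3]
    if len(parts) == 6:
        return parts[0], parts[1], parts[4]
    return None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric dotted prefix of a version ("1.33" -> (1, 33)); qualifiers
    such as -SNAPSHOT or .Final are ignored, which is enough for this check."""
    head = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    return tuple(int(p) for p in head.group(0).split(".")) if head else ()


def is_older(version: str, fixed: str) -> bool:
    """True when `version` sorts before `fixed`; zero-padded so that
    "2" and "2.0" compare equal."""
    a, b = version_key(version), version_key(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_affected(tree_text: str, group: str, artifact: str,
                  fixed_version: str) -> List[List[str]]:
    """Return every root-to-leaf path ending in group:artifact at a version
    older than fixed_version. Each path is a list of "g:a:v" strings, so the
    caller can see which direct dependency pulls the affected artifact in."""
    stack: List[str] = []   # stack[d] = node at depth d on the current path
    hits: List[List[str]] = []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if m is None:
            continue        # build chatter, plugin headers, blank lines
        parsed = parse_coordinate(m.group("coord"))
        if parsed is None:
            continue        # e.g. a "[INFO] ----" separator line
        g, a, v = parsed
        depth = len(m.group("cols")) // 3 + (1 if m.group("marker") else 0)
        del stack[depth:]   # leave the previous subtree at this depth
        stack.append(f"{g}:{a}:{v}")
        if (g, a) == (group, artifact) and is_older(v, fixed_version):
            hits.append(list(stack))
    return hits


def report(tree_text: str, group: str, artifact: str,
           fixed_version: str) -> List[str]:
    """One line per hit: the direct dependency to upgrade or override,
    followed by the full path."""
    lines = []
    for path in find_affected(tree_text, group, artifact, fixed_version):
        direct = path[1] if len(path) > 1 else path[0]
        lines.append(f"{path[-1]} < {fixed_version} via {direct}: "
                     + " -> ".join(path))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_TREE, "org.yaml", "snakeyaml", "2.0"):
        print(line)
```

Feed it a saved `mvn dependency:tree` run; the `via` entry names the direct dependency that has to move (here mockserver-netty, which is why the report asks for the swagger-parser upgrade upstream). Until that lands, a consuming project can pin `org.yaml:snakeyaml` to 2.2 in its own `dependencyManagement` section, and `mvn dependency:tree -Dverbose -Dincludes=org.yaml:snakeyaml` shows the conflict-resolved copies that the default tree omits.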