Athou / commafeed

Google Reader inspired self-hosted personal RSS reader.
https://www.commafeed.com
Apache License 2.0

Dependency org.yaml:snakeyaml, leading to CVE problem #1042

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Hi, in /, there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link: GitHub

CVE Bug Invocation Path --

Path length: 5

CVE Bug Invocation Path:
com.commafeed.CommaFeedApplication: run(com.commafeed.CommaFeedConfiguration,io.dropwizard.setup.Environment)V /home/hjf/.m2/repository/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; /home/hjf/.m2/repository/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; /home/hjf/.m2/repository/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /home/hjf/.m2/repository/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--


Suggested solutions:

Update dependency version

Thank you very much.
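A small checker, added here as an example and not part of the report or of CommaFeed, that walks `mvn dependency:tree` output to find every path by which an artifact is pulled in and tests the resolved version against a Maven range such as the affected range quoted above, [0,1.31). The tree excerpt is constructed to mirror the path from commafeed through dropwizard-configuration to snakeyaml 1.30; the version comparison is a simplified numeric one, not Maven's full ordering rules.

```python
import re

# Constructed excerpt of `mvn dependency:tree` output, shaped like the
# transitive path the report points at (snakeyaml via dropwizard-configuration).
SAMPLE_TREE = """\
[INFO] com.commafeed:commafeed:jar:2.6.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- io.dropwizard:dropwizard-core:jar:2.1.1:compile
[INFO] |  +- io.dropwizard:dropwizard-configuration:jar:2.1.1:compile
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.3:compile
[INFO] |  |  |  \\- org.yaml:snakeyaml:jar:1.30:compile
[INFO] |  |  \\- org.apache.commons:commons-text:jar:1.9:compile
[INFO] \\- org.jboss:jandex:jar:2.4.2.Final:compile
"""

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
RANGE_RE = re.compile(r"^([\[(])\s*([^,]*?)\s*,\s*([^,]*?)\s*([\])])$")


def parse_tree(text):
    """Return (depth, groupId:artifactId, version) for each tree line."""
    nodes = []
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        stripped = body.lstrip("| ")          # drop the tree-drawing columns
        if stripped.startswith(("+- ", "\\- ")):
            depth = (len(body) - len(stripped)) // 3 + 1   # 3 columns per level
            coord = stripped[3:]
        else:
            depth, coord = 0, stripped        # the root artifact line
        parts = coord.split(":")
        # groupId:artifactId:type[:classifier]:version[:scope]
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        nodes.append((depth, f"{parts[0]}:{parts[1]}", version))
    return nodes


def paths_to(nodes, key):
    """Every ancestor chain [(key, version), ...] that ends at artifact `key`."""
    stack, found = [], []
    for depth, node_key, version in nodes:
        del stack[depth:]                     # leave deeper/sibling branches
        stack.append((node_key, version))
        if node_key == key:
            found.append(list(stack))
    return found


def _vkey(version):
    """Simplified comparable key: numeric segments, then a trailing qualifier."""
    nums, qual = [], ""
    for seg in re.split(r"[.-]", version):
        if seg.isdigit():
            nums.append(int(seg))
        else:
            qual = seg
            break
    return (tuple(nums), qual)


def in_range(version, spec):
    """True if `version` lies inside a Maven range such as '[0,1.31)'."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    lo_br, lo, hi, hi_br = m.groups()
    v = _vkey(version)
    if lo and (v < _vkey(lo) or (lo_br == "(" and v == _vkey(lo))):
        return False
    if hi and (v > _vkey(hi) or (hi_br == ")" and v == _vkey(hi))):
        return False
    return True


def affected_paths(tree_text, key, affected_range):
    """Paths to `key` whose resolved version falls in `affected_range`."""
    return [p for p in paths_to(parse_tree(tree_text), key)
            if in_range(p[-1][1], affected_range)]


if __name__ == "__main__":
    for path in affected_paths(SAMPLE_TREE, "org.yaml:snakeyaml", "[0,1.31)"):
        print(" -> ".join(f"{k}:{v}" for k, v in path))
```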

Athou commented 1 year ago

yml is only used for configuration, therefore DoS is not possible.