Consensys / tessera

Tessera - Enterprise Implementation of Quorum's transaction manager
https://docs.tessera.consensys.net/
Apache License 2.0

Trivy scan shows critical vulnerability with snakeyaml #1520

Closed henson-to-partior closed 1 year ago

henson-to-partior commented 1 year ago

Our image is using Tessera 22.10.1 and during our Trivy Scan it generated a bug report

Package: org.yaml:snakeyaml
Installed Version: 1.33
Vulnerability CVE-2022-1471
Severity: CRITICAL
Fixed Version: 2.0
Link: https://avd.aquasec.com/nvd/cve-2022-1471

Impacted artifact(s): 
tessera/lib/snakeyaml-1.33.jar (from Line: 1 to 1)

I did a git pull of the latest Tessera build (23.4) just now and saw that it is still using snakeyaml 1.33
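CVE-2022-1471 is the SnakeYAML issue where the 1.x default loader (`new Yaml()`, backed by `Constructor`) honours global `!!fully.qualified.ClassName` tags and instantiates whatever class the YAML names, so an attacker who controls a YAML document parsed that way can drive arbitrary object construction. Whether a given application is exposed therefore depends on which constructor it loads with and whether the YAML it parses is attacker-controlled; 2.0 changed the default to reject such tags unless explicitly allowed. The example below is added here to illustrate that distinction; it is not Tessera code and says nothing about why the project marked the finding as it did. It assumes snakeyaml 1.33 on the classpath (the `SafeConstructor(LoaderOptions)` constructor also exists in 2.x), and the YAML document is constructed input that names a harmless JDK class rather than an exploit chain.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SnakeYamlLoaderDemo {

    // Constructed input: a global tag asking the loader to instantiate a JDK class
    // via its one-argument public constructor. java.net.URL is harmless here, but
    // the same mechanism resolves any class on the classpath (CVE-2022-1471).
    static final String UNTRUSTED_DOC = "!!java.net.URL [\"http://example.invalid/\"]";

    // Vulnerable pattern on 1.x: the no-arg Yaml() uses Constructor, which
    // resolves global tags to classes and calls their constructors.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened pattern: SafeConstructor only builds the standard YAML types
    // (maps, lists, scalars) and throws ConstructorException on unknown tags.
    static Object loadWithSafeConstructor(String doc) {
        LoaderOptions opts = new LoaderOptions();
        return new Yaml(new SafeConstructor(opts)).load(doc);
    }

    // Returns true when the safe loader refuses the document, i.e. the tag
    // would have been turned into a live object by the default loader.
    static boolean safeLoaderRejects(String doc) {
        try {
            loadWithSafeConstructor(doc);
            return false;
        } catch (ConstructorException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Object fromDefault = loadWithDefaultConstructor(UNTRUSTED_DOC);
        System.out.println("default Constructor built: " + fromDefault.getClass().getName());
        System.out.println("SafeConstructor rejects the same document: " + safeLoaderRejects(UNTRUSTED_DOC));
    }
}
```

The practical triage question a scanner cannot answer is which of these two paths the flagged jar is actually used on, and whether the YAML fed to it can come from an untrusted party; an ignore-list entry is only defensible if that reasoning is recorded next to it.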

henson-to-partior commented 1 year ago

I did a grep and saw that the CVE was actually added to the ignore list. Would it be possible to get a reason for this, as I wasn't able to see why this was classified as a false positive?

macfarla commented 1 year ago

https://github.com/ConsenSys/tessera/pull/1512