Closed CVEDetect closed 1 year ago
Hi, in /qanary_component-template, there is a dependency org.yaml:snakeyaml:1.29 that calls the risk method.
CVE-2022-25857
The affected version range of this CVE is [0,1.31)
After further analysis, in this project, the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
CVE Bug Invocation Path :
1. eu.wdaqua.qanary.component.QanaryServiceController: showDescriptionOnGetRequestOnRoot(javax.servlet.http.HttpServletResponse,org.springframework.ui.Model,javax.servlet.http.HttpSession)Ljava.lang.String;
   .m2/repository/com/complexible/stardog/reasoning/http/stardog-reasoning-protocols-http-client/8.2.2/stardog-reasoning-protocols-http-client-8.2.2.jar
2. org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object;
   .m2/repository/com/complexible/stardog/reasoning/http/stardog-reasoning-protocols-http-client/8.2.2/stardog-reasoning-protocols-http-client-8.2.2.jar
3. org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node;
   .m2/repository/com/complexible/stardog/reasoning/http/stardog-reasoning-protocols-http-client/8.2.2/stardog-reasoning-protocols-http-client-8.2.2.jar
4. org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node;
   .m2/repository/com/complexible/stardog/reasoning/http/stardog-reasoning-protocols-http-client/8.2.2/stardog-reasoning-protocols-http-client-8.2.2.jar
5. org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Dependency tree--
[INFO] eu.wdaqua.qanary:qa.component:jar:3.7.1
[INFO] +- org.springframework.boot:spring-boot:jar:2.6.7:compile
[INFO] | +- org.springframework:spring-core:jar:5.3.19:compile
[INFO] | | \- org.springframework:spring-jcl:jar:5.3.19:compile
[INFO] | \- org.springframework:spring-context:jar:5.3.19:compile
[INFO] | +- org.springframework:spring-aop:jar:5.3.19:compile
[INFO] | +- org.springframework:spring-beans:jar:5.3.19:compile
[INFO] | \- org.springframework:spring-expression:jar:5.3.19:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.6.7:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.6.7:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.7:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] | | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.29:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:2.6.7:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.1:compile
[INFO] | | | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.2:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.2:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.2:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.2:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.6.7:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.62:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.62:compile
[INFO] | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.62:compile
[INFO] | +- org.springframework:spring-web:jar:5.3.19:compile
[INFO] | \- org.springframework:spring-webmvc:jar:5.3.19:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.6.7:test
[INFO] | +- org.springframework.boot:spring-boot-test:jar:2.6.7:test
[INFO] | +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.6.7:test
[INFO] | +- com.jayway.jsonpath:json-path:jar:2.6.0:test
[INFO] | +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] | | \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] | +- org.assertj:assertj-core:jar:3.21.0:test
[INFO] | +- org.hamcrest:hamcrest:jar:2.2:compile
[INFO] | +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO] | | \- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO] | +- org.mockito:mockito-core:jar:4.0.0:test
[INFO] | | +- net.bytebuddy:byte-buddy:jar:1.11.22:test
[INFO] | | +- net.bytebuddy:byte-buddy-agent:jar:1.11.22:test
[INFO] | | \- org.objenesis:objenesis:jar:3.2:test
[INFO] | +- org.mockito:mockito-junit-jupiter:jar:4.0.0:test
[INFO] | +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] | | \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] | +- org.springframework:spring-test:jar:5.3.19:test
[INFO] | \- org.xmlunit:xmlunit-core:jar:2.8.4:test
[INFO] +- org.springframework.boot:spring-boot-devtools:jar:2.6.7:compile (optional)
[INFO] | \- org.springframework.boot:spring-boot-autoconfigure:jar:2.6.7:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.6.7:compile
[INFO] | +- org.thymeleaf:thymeleaf-spring5:jar:3.0.15.RELEASE:compile
[INFO] | | \- org.thymeleaf:thymeleaf:jar:3.0.15.RELEASE:compile
[INFO] | | +- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] | | \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] | \- org.thymeleaf.extras:thymeleaf-extras-java8time:jar:3.0.4.RELEASE:compile
[INFO] +- de.codecentric:spring-boot-admin-starter-client:jar:2.6.7:compile
[INFO] | \- de.codecentric:spring-boot-admin-client:jar:2.6.7:compile
[INFO] | \- org.springframework.boot:spring-boot-starter-actuator:jar:2.6.7:compile
[INFO] | +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.6.7:compile
[INFO] | | \- org.springframework.boot:spring-boot-actuator:jar:2.6.7:compile
[INFO] | \- io.micrometer:micrometer-core:jar:1.8.5:compile
[INFO] | +- org.hdrhistogram:HdrHistogram:jar:2.1.12:compile
[INFO] | \- org.latencyutils:LatencyUtils:jar:2.0.3:runtime
[INFO] +- net.sf.json-lib:json-lib-ext-spring:jar:1.0.2:compile
[INFO] | \- net.sf.json-lib:json-lib:jar:jdk15:2.2.2:compile
[INFO] | +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] | +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] | +- commons-lang:commons-lang:jar:2.4:compile
[INFO] | +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] | \- net.sf.ezmorph:ezmorph:jar:1.0.4:compile
[INFO] +- net.minidev:json-smart:jar:2.4.8:compile
[INFO] | \- net.minidev:accessors-smart:jar:2.4.8:compile
[INFO] | \- org.ow2.asm:asm:jar:9.1:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.36:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO] | +- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO] | | +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] | | \- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO] | +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO] | \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] +- junit:junit:jar:4.13.2:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:2.2:compile
[INFO] +- javax.inject:javax.inject:jar:1:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO] | \- commons-codec:commons-codec:jar:1.15:compile
[INFO] +- eu.wdaqua.qanary:qa.commons:jar:3.7.1:compile
[INFO] | +- org.json:json:jar:20190722:compile
[INFO] | +- com.google.guava:guava:jar:18.0:compile
[INFO] | +- org.apache.jena:jena-arq:jar:4.4.0:compile
[INFO] | | +- org.apache.jena:jena-core:jar:4.4.0:compile
[INFO] | | | +- org.apache.jena:jena-base:jar:4.4.0:compile
[INFO] | | | | +- org.apache.jena:jena-shaded-guava:jar:4.4.0:compile
[INFO] | | | | +- org.apache.commons:commons-csv:jar:1.9.0:compile
[INFO] | | | | +- org.apache.commons:commons-compress:jar:1.21:compile
[INFO] | | | | \- com.github.andrewoma.dexx:collection:jar:0.7:compile
[INFO] | | | +- org.apache.jena:jena-iri:jar:4.4.0:compile
[INFO] | | | \- commons-cli:commons-cli:jar:1.5.0:compile
[INFO] | | +- com.github.jsonld-java:jsonld-java:jar:0.13.4:compile
[INFO] | | | \- commons-io:commons-io:jar:2.8.0:compile
[INFO] | | +- org.apache.httpcomponents:httpclient-cache:jar:4.5.13:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
[INFO] | | +- com.apicatalog:titanium-json-ld:jar:1.2.0:compile
[INFO] | | +- org.glassfish:jakarta.json:jar:2.0.1:compile
[INFO] | | +- com.google.protobuf:protobuf-java:jar:3.19.3:compile
[INFO] | | +- org.apache.thrift:libthrift:jar:0.15.0:compile
[INFO] | | | \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] | | \- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] | +- org.apache.jena:jena-rdfconnection:jar:4.4.0:compile
[INFO] | +- org.apache.jena:apache-jena-libs:pom:4.4.0:compile
[INFO] | | +- org.apache.jena:jena-shacl:jar:4.4.0:compile
[INFO] | | +- org.apache.jena:jena-shex:jar:4.4.0:compile
[INFO] | | +- org.apache.jena:jena-tdb:jar:4.4.0:compile
[INFO] | | \- org.apache.jena:jena-tdb2:jar:4.4.0:compile
[INFO] | | \- org.apache.jena:jena-dboe-storage:jar:4.4.0:compile
[INFO] | | \- org.apache.jena:jena-dboe-trans-data:jar:4.4.0:compile
[INFO] | | +- org.apache.jena:jena-dboe-transaction:jar:4.4.0:compile
[INFO] | | | \- org.apache.jena:jena-dboe-base:jar:4.4.0:compile
[INFO] | | \- org.apache.jena:jena-dboe-index:jar:4.4.0:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-cache:jar:2.6.7:compile
[INFO] | | \- org.springframework:spring-context-support:jar:5.3.19:compile
[INFO] | +- com.github.ben-manes.caffeine:caffeine:jar:2.9.3:compile
[INFO] | | +- org.checkerframework:checker-qual:jar:3.19.0:compile
[INFO] | | \- com.google.errorprone:error_prone_annotations:jar:2.10.0:compile
[INFO] | +- com.complexible.stardog:client-http:jar:8.2.2:compile (version selected from constraint [8.0.0,9.0.0))
[INFO] | | +- com.sun.activation:javax.activation:jar:1.2.0:compile
[INFO] | | +- com.opencsv:opencsv:jar:4.6:compile
[INFO] | | | +- org.apache.commons:commons-text:jar:1.3:compile
[INFO] | | | \- org.apache.commons:commons-collections4:jar:4.2:compile
[INFO] | | +- org.apache.logging.log4j:log4j-iostreams:jar:2.17.2:compile
[INFO] | | +- com.complexible.stardog.protocols.http:stardog-protocols-http-client:jar:8.2.2:compile
[INFO] | | | +- org.apache.httpcomponents:httpmime:jar:4.5.13:compile
[INFO] | | | +- com.complexible.stardog.core:stardog-core-shared:jar:8.2.2:compile
[INFO] | | | | +- org.quartz-scheduler:quartz:jar:2.3.2:compile
[INFO] | | | | +- com.amazonaws:aws-java-sdk-s3:jar:1.11.442:compile
[INFO] | | | | | +- com.amazonaws:aws-java-sdk-kms:jar:1.11.442:compile
[INFO] | | | | | +- com.amazonaws:aws-java-sdk-core:jar:1.11.442:compile
[INFO] | | | | | | +- software.amazon.ion:ion-java:jar:1.0.2:compile
[INFO] | | | | | | +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.13.2:compile
[INFO] | | | | | | \- joda-time:joda-time:jar:2.5:compile
[INFO] | | | | | \- com.amazonaws:jmespath-java:jar:1.11.442:compile
[INFO] | | | | +- com.google.cloud:google-cloud-storage:jar:1.113.14-sp.4:compile
[INFO] | | | | | +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] | | | | | +- org.checkerframework:checker-compat-qual:jar:2.5.5:compile
[INFO] | | | | | +- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] | | | | | +- com.google.http-client:google-http-client:jar:1.39.0:compile
[INFO] | | | | | +- io.opencensus:opencensus-contrib-http-util:jar:0.28.0:compile
[INFO] | | | | | +- com.google.http-client:google-http-client-jackson2:jar:1.39.0:compile
[INFO] | | | | | +- com.google.api-client:google-api-client:jar:1.31.3:compile
[INFO] | | | | | +- com.google.oauth-client:google-oauth-client:jar:1.31.4:compile
[INFO] | | | | | +- com.google.http-client:google-http-client-gson:jar:1.39.0:compile
[INFO] | | | | | +- com.google.http-client:google-http-client-apache-v2:jar:1.39.0:compile
[INFO] | | | | | +- com.google.apis:google-api-services-storage:jar:v1-rev20210127-1.31.0:compile
[INFO] | | | | | +- com.google.cloud:google-cloud-core:jar:1.94.3:compile
[INFO] | | | | | +- com.google.auto.value:auto-value-annotations:jar:1.7.4:compile
[INFO] | | | | | +- com.google.api.grpc:proto-google-common-protos:jar:2.1.0:compile
[INFO] | | | | | +- com.google.cloud:google-cloud-core-http:jar:1.94.3:compile
[INFO] | | | | | +- com.google.http-client:google-http-client-appengine:jar:1.39.0:compile
[INFO] | | | | | +- com.google.api:gax-httpjson:jar:0.79.0:compile
[INFO] | | | | | +- com.google.api:gax:jar:1.62.0:compile
[INFO] | | | | | +- com.google.auth:google-auth-library-credentials:jar:0.24.1:compile
[INFO] | | | | | +- com.google.auth:google-auth-library-oauth2-http:jar:0.24.1:compile
[INFO] | | | | | +- com.google.api:api-common:jar:1.10.1:compile
[INFO] | | | | | +- io.opencensus:opencensus-api:jar:0.28.0:compile
[INFO] | | | | | +- io.grpc:grpc-context:jar:1.36.0:compile
[INFO] | | | | | +- com.google.api.grpc:proto-google-iam-v1:jar:1.0.10:compile
[INFO] | | | | | +- com.google.protobuf:protobuf-java-util:jar:3.15.5:compile
[INFO] | | | | | \- org.threeten:threetenbp:jar:1.5.0:compile
[INFO] | | | | +- com.azure:azure-storage-blob:jar:12.19.1:compile
[INFO] | | | | | +- com.azure:azure-core:jar:1.32.0:compile
[INFO] | | | | | | +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.13.2:compile
[INFO] | | | | | | | +- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO] | | | | | | | \- com.fasterxml.woodstox:woodstox-core:jar:6.2.7:compile
[INFO] | | | | | | \- io.projectreactor:reactor-core:jar:3.4.17:compile
[INFO] | | | | | | \- org.reactivestreams:reactive-streams:jar:1.0.3:compile
[INFO] | | | | | +- com.azure:azure-core-http-netty:jar:1.12.5:compile
[INFO] | | | | | | +- io.netty:netty-handler-proxy:jar:4.1.76.Final:compile
[INFO] | | | | | | | \- io.netty:netty-codec-socks:jar:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-buffer:jar:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-codec-http:jar:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-codec-http2:jar:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-transport-native-unix-common:jar:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.76.Final:compile
[INFO] | | | | | | | \- io.netty:netty-transport-classes-kqueue:jar:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-tcnative-boringssl-static:jar:2.0.51.Final:compile
[INFO] | | | | | | | +- io.netty:netty-tcnative-classes:jar:2.0.51.Final:compile
[INFO] | | | | | | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.51.Final:compile
[INFO] | | | | | | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.51.Final:compile
[INFO] | | | | | | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.51.Final:compile
[INFO] | | | | | | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.51.Final:compile
[INFO] | | | | | | | \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.51.Final:compile
[INFO] | | | | | | \- io.projectreactor.netty:reactor-netty-http:jar:1.0.18:compile
[INFO] | | | | | | +- io.netty:netty-resolver-dns:jar:4.1.76.Final:compile
[INFO] | | | | | | | \- io.netty:netty-codec-dns:jar:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.76.Final:compile
[INFO] | | | | | | | \- io.netty:netty-resolver-dns-classes-macos:jar:4.1.76.Final:compile
[INFO] | | | | | | \- io.projectreactor.netty:reactor-netty-core:jar:1.0.18:compile
[INFO] | | | | | +- com.azure:azure-storage-common:jar:12.18.1:compile
[INFO] | | | | | \- com.azure:azure-storage-internal-avro:jar:12.4.2:compile
[INFO] | | | | \- com.complexible.stardog.memory:stardog-memory:jar:8.2.2:compile
[INFO] | | | +- com.complexible.stardog.cluster:stardog-pack-replication-shared:jar:8.2.2:compile
[INFO] | | | | +- org.apache.zookeeper:zookeeper:jar:3.7.1:compile
[INFO] | | | | | +- org.apache.zookeeper:zookeeper-jute:jar:3.7.1:compile
[INFO] | | | | | +- org.apache.yetus:audience-annotations:jar:0.12.0:compile
[INFO] | | | | | +- io.netty:netty-handler:jar:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-common:jar:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-resolver:jar:4.1.76.Final:compile
[INFO] | | | | | | +- io.netty:netty-transport:jar:4.1.76.Final:compile
[INFO] | | | | | | \- io.netty:netty-codec:jar:4.1.76.Final:compile
[INFO] | | | | | \- io.netty:netty-transport-native-epoll:jar:4.1.76.Final:compile
[INFO] | | | | | \- io.netty:netty-transport-classes-epoll:jar:4.1.76.Final:compile
[INFO] | | | | +- org.apache.curator:curator-framework:jar:5.4.0:compile
[INFO] | | | | | \- org.apache.curator:curator-client:jar:5.4.0:compile
[INFO] | | | | +- org.apache.curator:curator-recipes:jar:5.4.0:compile
[INFO] | | | | +- org.apache.logging.log4j:log4j-1.2-api:jar:2.17.2:compile
[INFO] | | | | | \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] | | | | \- com.complexible.stardog.core:stardog:jar:8.2.2:compile
[INFO] | | | | +- org.apache.logging.log4j:log4j-core:jar:2.17.2:compile
[INFO] | | | | +- com.complexible.stardog.security:stardog-core-security:jar:8.2.2:compile
[INFO] | | | | | +- org.mindrot:jbcrypt:jar:0.4:compile
[INFO] | | | | | +- com.auth0:java-jwt:jar:3.11.0:compile
[INFO] | | | | | +- com.auth0:jwks-rsa:jar:0.14.0:compile
[INFO] | | | | | \- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.2:compile
[INFO] | | | | +- com.complexible.stardog.graphql:stardog-graphql-shared:jar:8.2.2:compile
[INFO] | | | | | \- com.graphql-java:graphql-java:jar:14.0:compile
[INFO] | | | | | +- org.antlr:antlr4-runtime:jar:4.7.2:compile
[INFO] | | | | | \- com.graphql-java:java-dataloader:jar:2.2.3:compile
[INFO] | | | | +- com.complexible.common.protocols.api:stardog-protocols-api-server:jar:8.2.2:compile
[INFO] | | | | +- com.complexible.license:license-core:jar:3.0.10:compile
[INFO] | | | | +- de.schlichtherle.truelicense:truelicense-core:jar:1.33:compile
[INFO] | | | | | \- de.schlichtherle.truelicense:truelicense-xml:jar:1.33:compile
[INFO] | | | | +- commons-math:commons-math:jar:1.2:compile
[INFO] | | | | +- org.apache.lucene:lucene-core:jar:7.4.0:compile
[INFO] | | | | +- io.dropwizard.metrics:metrics-core:jar:4.2.9:compile
[INFO] | | | | +- io.dropwizard.metrics:metrics-jvm:jar:4.2.9:compile
[INFO] | | | | +- com.upplication:s3fs:jar:2.2.2:compile
[INFO] | | | | +- org.ehcache:sizeof:jar:0.3.0:compile
[INFO] | | | | +- net.openhft:zero-allocation-hashing:jar:0.8:compile
[INFO] | | | | +- com.google.inject.extensions:guice-assistedinject:jar:4.2.3:compile
[INFO] | | | | +- com.google.inject.extensions:guice-throwingproviders:jar:4.2.3:compile
[INFO] | | | | +- aopalliance:aopalliance:jar:1.0:compile
[INFO] | | | | \- org.apache.shiro:shiro-core:jar:1.10.0:compile
[INFO] | | | | +- org.apache.shiro:shiro-lang:jar:1.10.0:compile
[INFO] | | | | +- org.apache.shiro:shiro-cache:jar:1.10.0:compile
[INFO] | | | | +- org.apache.shiro:shiro-crypto-hash:jar:1.10.0:compile
[INFO] | | | | | \- org.apache.shiro:shiro-crypto-core:jar:1.10.0:compile
[INFO] | | | | +- org.apache.shiro:shiro-crypto-cipher:jar:1.10.0:compile
[INFO] | | | | +- org.apache.shiro:shiro-config-core:jar:1.10.0:compile
[INFO] | | | | +- org.apache.shiro:shiro-config-ogdl:jar:1.10.0:compile
[INFO] | | | | \- org.apache.shiro:shiro-event:jar:1.10.0:compile
[INFO] | | | +- com.complexible.stardog.protocols.http:stardog-protocols-http-shared:jar:8.2.2:compile
[INFO] | | | | +- io.swagger.core.v3:swagger-jaxrs2:jar:2.2.2:compile
[INFO] | | | | | +- io.github.classgraph:classgraph:jar:4.8.149:compile
[INFO] | | | | | +- org.javassist:javassist:jar:3.18.1-GA:compile
[INFO] | | | | | +- io.swagger.core.v3:swagger-models:jar:2.2.2:compile
[INFO] | | | | | +- io.swagger.core.v3:swagger-integration:jar:2.2.2:compile
[INFO] | | | | | | \- io.swagger.core.v3:swagger-core:jar:2.2.2:compile
[INFO] | | | | | | \- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] | | | | | \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.13.2:compile
[INFO] | | | | | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.13.2:compile
[INFO] | | | | | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.13.2:compile
[INFO] | | | | \- io.swagger.core.v3:swagger-annotations:jar:2.2.2:compile
[INFO] | | | +- com.complexible.stardog.icv:stardog-icv-api:jar:8.2.2:compile
[INFO] | | | | \- com.complexible.stardog.icv:stardog-icv-shared:jar:8.2.2:compile
[INFO] | | | +- com.complexible.stardog.utils:stardog-utils-rdf:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark:stardog-stark-model:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.io:stardog-stark-io-binary:jar:8.2.2:compile
[INFO] | | | | | \- com.stardog.stark.io:stardog-stark-io-api:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.io:stardog-stark-io-nquads:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.io:stardog-stark-io-ntriples:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.io:stardog-stark-io-rdfjson:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.io:stardog-stark-io-rdfxml:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.io:stardog-stark-io-turtle:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.io:stardog-stark-io-trig:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.io:stardog-stark-io-n3:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.io:stardog-stark-io-jsonld:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.query.io:stardog-stark-query-binary:jar:8.2.2:compile
[INFO] | | | | | \- com.stardog.stark.query.io:stardog-stark-query-io:jar:8.2.2:compile
[INFO] | | | | | \- com.stardog.stark.query:stardog-stark-query-api:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.query.io:stardog-stark-query-json:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.query.io:stardog-stark-query-xml:jar:8.2.2:compile
[INFO] | | | | +- com.stardog.stark.query.io:stardog-stark-query-text:jar:8.2.2:compile
[INFO] | | | | +- org.apache.httpcomponents:httpclient-osgi:jar:4.5.13:compile
[INFO] | | | | | \- org.apache.httpcomponents:fluent-hc:jar:4.5.13:compile
[INFO] | | | | +- xerces:xercesImpl:jar:2.12.1:compile
[INFO] | | | | | \- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | | | | +- com.brsanthu:data-exporter:jar:1.0.4:compile
[INFO] | | | | \- com.carrotsearch:hppc:jar:0.7.1:compile
[INFO] | | | \- com.complexible.stardog.virtual:stardog-virtual-api:jar:8.2.2:compile
[INFO] | | +- com.complexible.stardog.icv.http:stardog-icv-protocols-http-client:jar:8.2.2:compile
[INFO] | | | +- javax.mail:mailapi:jar:1.4.3:compile
[INFO] | | | +- com.complexible.stardog.icv:stardog-icv-api_snarl:jar:8.2.2:compile
[INFO] | | | \- com.complexible.stardog.cache:stardog-cache-api:jar:8.2.2:compile
[INFO] | | +- com.complexible.stardog.reasoning.http:stardog-reasoning-protocols-http-client:jar:8.2.2:compile
[INFO] | | | +- com.complexible.stardog.reasoning:stardog-reasoning-api:jar:8.2.2:compile
[INFO] | | | \- com.complexible.stardog.reasoning:stardog-reasoning-shared:jar:8.2.2:compile
[INFO] | | +- com.complexible.stardog.search.http:stardog-search-protocols-http-client:jar:8.2.2:compile
[INFO] | | | \- com.complexible.stardog.search:stardog-search-api:jar:8.2.2:compile
[INFO] | | +- com.complexible.stardog.bites.http:stardog-bites-protocols-http-client:jar:8.2.2:compile
[INFO] | | | +- com.complexible.stardog.utils:stardog-utils-common:jar:8.2.2:compile
[INFO] | | | | +- com.google.inject:guice:jar:4.2.3:compile
[INFO] | | | | \- com.google.inject.extensions:guice-multibindings:jar:4.2.3:compile
[INFO] | | | +- com.complexible.stardog.bites:stardog-bites-shared:jar:8.2.2:compile
[INFO] | | | +- com.complexible.stardog.bites:stardog-bites-api:jar:8.2.2:compile
[INFO] | | | \- com.complexible.stardog.bites.http:stardog-bites-protocols-http-shared:jar:8.2.2:compile
[INFO] | | +- com.complexible.stardog.virtual.http:stardog-virtual-protocols-http-client:jar:8.2.2:compile
[INFO] | | | \- com.complexible.stardog.virtual.http:stardog-virtual-protocols-http-shared:jar:8.2.2:compile
[INFO] | | \- com.complexible.stardog.graphql.http:stardog-graphql-protocols-http-client:jar:8.2.2:compile
[INFO] | | \- com.complexible.stardog.graphql.http:stardog-graphql-protocols-http-shared:jar:8.2.2:compile
[INFO] | | \- com.complexible.stardog.graphql:stardog-graphql-api:jar:8.2.2:compile
[INFO] | +- com.complexible.stardog.jena:stardog-jena:jar:8.2.2:compile (version selected from constraint [8.0.0,9.0.0))
[INFO] | | \- com.complexible.stardog:stardog-api:jar:8.2.2:compile
[INFO] | | \- commons-pool:commons-pool:jar:1.6:compile
[INFO] | +- com.openlinksw:virt_jena_v3_10:jar:1.42:compile
[INFO] | +- com.openlinksw:virtjdbc4_3:jar:3.122:compile
[INFO] | +- com.google.code.gson:gson:jar:2.8.9:compile
[INFO] | +- org.glassfish.jaxb:jaxb-runtime:jar:2.3.6:compile
[INFO] | | +- org.glassfish.jaxb:txw2:jar:2.3.6:compile
[INFO] | | +- com.sun.istack:istack-commons-runtime:jar:3.0.12:compile
[INFO] | | \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
[INFO] | \- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] | \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.20.0:compile
Suggested solutions:
Update dependency version
Thank you very much.
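How the suggested fix is applied when, as the tree above shows, org.yaml:snakeyaml:1.29 is not a direct dependency but arrives through spring-boot-starter 2.6.7: pin the version in the module's own dependencyManagement instead of adding a second direct dependency. This is an added example, not the Qanary project's pom.xml and not part of the CVEDetect report. It assumes the module inherits from spring-boot-starter-parent (the tree does not show the parent, so that is an assumption) and uses 1.33 only as one release at or above 1.31, the first version outside the [0,1.31) range named in the report; the coordinates eu.wdaqua.qanary:qa.component:3.7.1 are the ones printed at the root of the tree.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example pom (not the Qanary project's own). It pins org.yaml:snakeyaml
     above the [0,1.31) range of CVE-2022-25857. The parent block and the chosen
     version 1.33 are assumptions made for illustration. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumed layout: managed versions come from the Spring Boot parent.
       Spring Boot 2.6.7 manages snakeyaml at 1.29, which is what the tree shows. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.7</version>
    <relativePath/>
  </parent>

  <!-- Coordinates as printed at the root of the dependency tree -->
  <groupId>eu.wdaqua.qanary</groupId>
  <artifactId>qa.component</artifactId>
  <version>3.7.1</version>

  <!-- The pin. A dependencyManagement entry in this pom takes precedence over the
       version managed by the parent, so spring-boot-starter keeps pulling snakeyaml
       in transitively, now at the pinned version. No direct <dependency> is added.
       If the module imported spring-boot-dependencies as a BOM instead of using the
       parent, this same entry would have to appear before the BOM import. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <!-- any release >= 1.31 closes CVE-2022-25857; 1.33 is an example choice -->
        <version>1.33</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the starter that brings snakeyaml in, as in the tree above -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

With the parent layout a `<snakeyaml.version>` property in `<properties>` achieves the same result; with a BOM import it does not, because properties of an imported BOM are resolved before the import, so the dependencyManagement entry is the form that works in both layouts. Verify with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`, which should now list `org.yaml:snakeyaml:jar:1.33:compile` under spring-boot-starter. Two caveats before closing the finding: the invocation path above attributes the snakeyaml classes to stardog-reasoning-protocols-http-client-8.2.2.jar, and if that jar bundles its own copy of those classes a Maven version pin does not touch it, so check at runtime which jar `org.yaml.snakeyaml.Yaml` is loaded from; and 1.31 addresses only this CVE, so prefer the newest snakeyaml release the Spring Boot line in use accepts rather than the minimum.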
Done