detekt / sarif4k

Kotlin data bindings for the Static Analysis Results Interchange Format (SARIF)
Apache License 2.0

Dependency check fails on CVE-2022-1471 #64

Closed rschattauer closed 1 year ago

rschattauer commented 1 year ago

https://nvd.nist.gov/vuln/detail/CVE-2022-1471

io.gitlab.arturbosch.detekt:detekt-report-sarif:1.23.0
    +--- io.github.detekt.sarif4k:sarif4k:0.4.0

This has been marked as critical for some days now. Please update.

cortinico commented 1 year ago

That's because of our dependency on SnakeYaml. @chao2zhang is it something you can take a look at?

chao2zhang commented 1 year ago

Ack. I will take a look by end of this week

chao2zhang commented 1 year ago

This issue should have been addressed by https://github.com/detekt/detekt/pull/5751

@rschattauer Would you mind attaching the full errors? According to SnakeYaml's official response, there might be false positives from DependencyCheck: https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md

rschattauer commented 1 year ago

@chao2zhang, you are right, DependencyCheck is already regressing this issue: https://github.com/jeremylong/DependencyCheck/issues/4435#issuecomment-1564485173

Closing this here, sorry.
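For anyone who hits the same report before the DependencyCheck fix reaches their build: the thread's conclusion is that the CVE-2022-1471 match against the sarif4k artifact is a DependencyCheck false positive, not a SnakeYAML copy inside sarif4k. The practitioner's first check is the dependency graph (for Gradle, `dependencyInsight --dependency snakeyaml`, or the `dependencies` task) to confirm that no `org.yaml:snakeyaml` artifact is actually on the classpath. Only if that check comes back empty should the finding be suppressed, and then as narrowly as possible. The suppression file below is an added example written for this thread, not part of the detekt or sarif4k projects; the package URL pattern is derived from the coordinates quoted above, and the file name and notes are assumptions. It uses the DependencyCheck suppression schema (`dependency-suppression.1.3.xsd`) and is passed to the tool with `--suppression` on the CLI or `suppressionFile` in the Gradle plugin.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: scoped suppression for the false positive discussed in this thread.
     Only apply after confirming that org.yaml:snakeyaml is NOT in the resolved
     dependency graph; a broad <cve> suppression without a packageUrl would also
     hide a real SnakeYAML copy pulled in by some other dependency. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: DependencyCheck matched the SnakeYAML CPE against the sarif4k jar.
        Tracked upstream at https://github.com/jeremylong/DependencyCheck/issues/4435.
        Remove this entry once the DependencyCheck version in use no longer reports it.
        ]]></notes>
        <!-- Limit the suppression to the sarif4k artifact (coordinates quoted in the issue);
             the version is left as a regex so a bump does not silently re-open the finding
             elsewhere, but it still never touches any other artifact. -->
        <packageUrl regex="true">^pkg:maven/io\.github\.detekt\.sarif4k/sarif4k@.*$</packageUrl>
        <!-- Suppress only the CVE named in this thread, not every finding on the artifact. -->
        <cve>CVE-2022-1471</cve>
    </suppress>
</suppressions>
```

Keeping the suppression keyed on both the package URL and the single CVE is the important design choice: a `<cve>` entry on its own would mask CVE-2022-1471 for every artifact in the build, including a genuine SnakeYAML jar introduced later by an unrelated dependency.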