pinchbv / android-analyzer

Android Gradle plugin for faster Sonarqube integration in Android projects. Supports Detekt and Jacoco out of the box.
http://pinch.nl
GNU General Public License v3.0

Old Detekt version includes snakeYAML with high CVE score #38

Open stephannielsen opened 4 years ago

stephannielsen commented 4 years ago

The used version of detekt (1.0.1) includes an old version of snakeYAML (1.24) which has a reported CVE of score 7.5 (high): https://nvd.nist.gov/vuln/detail/CVE-2017-18640

We are checking our app against known CVEs and this is failing the build.

An update of the plugin with updated dependencies (and also fixing #25) would be appreciated.
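As an added illustration of the kind of check described in this issue (this is not code from the issue or from the android-analyzer project), the script below parses a constructed excerpt shaped like `./gradlew dependencies` output, resolves which version Gradle actually picks for each artifact (honouring the `a -> b` upgrade arrows), and compares it against a small advisory table. The table contains only the CVE named above; the "first fixed version" of 1.26 for snakeYAML is an assumption taken from the NVD entry's affected range, not from the issue text, and should be confirmed against that entry before use. Running it on real output makes the build fail with a non-zero exit when a transitive dependency such as `org.yaml:snakeyaml:1.24` is below the fixed version.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of `./gradlew :app:dependencies` output.
# It is sample input for this example, not real output from the project.
SAMPLE_TREE = """\
detektPlugins - Detekt plugins
\\--- io.gitlab.arturbosch.detekt:detekt-cli:1.0.1
     +--- io.gitlab.arturbosch.detekt:detekt-core:1.0.1
     |    \\--- org.yaml:snakeyaml:1.24
     \\--- com.beust:jcommander:1.72
testImplementation - Test dependencies
\\--- junit:junit:4.12 -> 4.13
     \\--- org.hamcrest:hamcrest-core:1.3
"""

# Minimal advisory table: "group:artifact" -> [(cve_id, first_fixed_version)].
# CVE-2017-18640 is the advisory from the issue; the fixed version 1.26 is an
# ASSUMPTION based on the NVD affected range and is not stated in the issue.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "org.yaml:snakeyaml": [("CVE-2017-18640", "1.26")],
}

# Matches "group:artifact:version" and an optional " -> resolvedVersion" suffix
# that Gradle prints when conflict resolution upgraded the requested version.
DEP_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([0-9][A-Za-z0-9_.\-]*)"
    r"(?:\s+->\s+([0-9][A-Za-z0-9_.\-]*))?"
)


def version_key(version: str) -> Tuple[int, int, int]:
    """Turn '1.24' or '1.26-SNAPSHOT' into a 3-tuple of ints for ordering.

    Non-numeric suffixes are dropped; missing components are padded with 0 so
    that '1.26' and '1.26.0' compare equal.
    """
    nums: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    padded = (nums + [0, 0, 0])[:3]
    return padded[0], padded[1], padded[2]


def resolved_dependencies(tree: str) -> Dict[str, str]:
    """Map 'group:artifact' to the version Gradle actually resolved.

    When a line reads 'a:b:1.0 -> 1.1', the right-hand side is what ends up on
    the classpath, so that is the version recorded.
    """
    resolved: Dict[str, str] = {}
    for line in tree.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, requested, upgraded = m.groups()
        resolved[f"{group}:{artifact}"] = upgraded or requested
    return resolved


def find_vulnerable(
    tree: str, advisories: Dict[str, List[Tuple[str, str]]] = ADVISORIES
) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved_version, cve_id) for every resolved
    dependency whose version is below the advisory's first fixed version."""
    findings: List[Tuple[str, str, str]] = []
    for coord, version in resolved_dependencies(tree).items():
        for cve_id, fixed in advisories.get(coord, []):
            if version_key(version) < version_key(fixed):
                findings.append((coord, version, cve_id))
    return findings


if __name__ == "__main__":
    # Read real Gradle output from stdin if piped, otherwise use the sample.
    tree = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    hits = find_vulnerable(tree)
    for coord, version, cve_id in hits:
        print(f"VULNERABLE {coord}:{version} ({cve_id})")
    # Non-zero exit fails the build, which is the behaviour the issue describes.
    sys.exit(1 if hits else 0)
```

Piping `./gradlew :app:dependencies --configuration detektPlugins | python check_deps.py` into it would flag the snakeYAML 1.24 pulled in transitively by detekt 1.0.1; the advisory table is deliberately tiny here, and a real build would feed it from an OWASP Dependency-Check or OSV export rather than a hand-maintained dict.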

AresProductions commented 4 years ago

We're currently experiencing the same problem in our team. Hope we get an update soon :)