tracehubpm / tracehub

Tracehub and Project as a Code, a VCS-based collaboration tool
MIT License
5 stars, 0 forks

[Snyk] Fix for 5 vulnerabilities #90

Closed h1alexbel closed 5 months ago

h1alexbel commented 5 months ago

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

:sparkles: Snyk has automatically assigned this pull request, set who gets assigned.

As this is a private repository, Snyk-bot does not have access. Therefore, this PR has been created automatically, but appears to have been created by a real user.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|
| high | 569/1000 (Why? Has a fix available, CVSS 7.1) | Denial of Service (DoS) SNYK-JAVA-CHQOSLOGBACK-6094942 | ch.qos.logback:logback-classic: 1.4.8 -> 1.4.14 | No | No Known Exploit |
| high | 569/1000 (Why? Has a fix available, CVSS 7.1) | Denial of Service (DoS) SNYK-JAVA-CHQOSLOGBACK-6094943 | ch.qos.logback:logback-classic: 1.4.8 -> 1.4.14 | No | No Known Exploit |
| high | 569/1000 (Why? Has a fix available, CVSS 7.1) | Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JAVA-CHQOSLOGBACK-6097492 | ch.qos.logback:logback-classic: 1.4.8 -> 1.4.14 | No | No Known Exploit |
| high | 569/1000 (Why? Has a fix available, CVSS 7.1) | Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JAVA-CHQOSLOGBACK-6097493 | ch.qos.logback:logback-classic: 1.4.8 -> 1.4.14 | No | No Known Exploit |
| low | 379/1000 (Why? Has a fix available, CVSS 3.3) | Creation of Temporary File in Directory with Insecure Permissions SNYK-JAVA-COMGOOGLEGUAVA-5710356 | | No | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Vulnerabilities that could not be fixed

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

👩‍💻 Set who automatically gets assigned

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS) 🦉 Creation of Temporary File in Directory with Insecure Permissions


PR-Codex overview

This PR focuses on updating the versions of various dependencies in the pom.xml file.

Detailed summary

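The fix table above says the remedy is bumping `ch.qos.logback:logback-classic` from 1.4.8 to 1.4.14. The check a reviewer wants before merging a bot PR like this is that the floor actually landed in `pom.xml`, including when the version is indirected through a `<properties>` entry, which a plain grep for the old version number misses. The following is an added example written for this page, not code from the tracehub project or from Snyk: it parses a pom, resolves `${property}` references, and compares declared versions against a floor using a simplified model of Maven's version ordering (pre-release qualifiers rank below the bare release, any other qualifier above it). The sample pom is constructed here, and `FLOORS`, `check_floors`, `version_key` and the other names are my own.

```python
"""Gate a Maven pom.xml on minimum dependency versions (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Floor taken from the PR's fix table; add more coordinates as needed.
FLOORS = {"ch.qos.logback:logback-classic": "1.4.14"}

# Constructed sample pom (not the project's real pom): the version is managed
# through a property, so the literal "1.4.8" never appears inside <dependency>.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>pom-floor-sample</artifactId>
  <version>0.0.1</version>
  <properties>
    <logback.version>1.4.8</logback.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Qualifier ranks, a simplification of Maven's ComparableVersion ordering.
PRE_RELEASE = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "snapshot": 4}
RELEASE = 5


def version_key(version):
    """Sortable key: numeric segments as ints (trailing zeros dropped so
    1.4 == 1.4.0), then a qualifier rank: pre-release < release < other."""
    numeric, qualifier = [], None
    for tok in re.split(r"[.\-]", version.strip()):
        if tok.isdigit() and qualifier is None:
            numeric.append(int(tok))
        else:
            tok = tok.lower()
            qualifier = tok if qualifier is None else f"{qualifier}-{tok}"
    while numeric and numeric[-1] == 0:
        numeric.pop()
    if qualifier is None:
        return (tuple(numeric), (RELEASE, ""))
    name = re.match(r"[a-z]*", qualifier).group(0)
    return (tuple(numeric), (PRE_RELEASE.get(name, RELEASE + 1), qualifier))


def resolve(value, props, max_depth=10):
    """Expand ${name} references from <properties>; bounded to avoid cycles."""
    def sub(match):
        name = match.group(1)
        if name not in props:
            raise KeyError(f"unresolved property {name}")
        return props[name]

    for _ in range(max_depth):
        expanded = re.sub(r"\$\{([^}]+)\}", sub, value)
        if expanded == value:
            return value
        value = expanded
    raise ValueError(f"property expansion did not converge: {value}")


def declared_versions(pom_xml):
    """Map groupId:artifactId -> resolved version for every <dependency>
    element (dependencyManagement included) that declares a <version>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    props.setdefault("project.version",
                     root.findtext("m:version", default="", namespaces=NS))
    found = {}
    for dep in root.iterfind(".//m:dependency", NS):
        g = dep.findtext("m:groupId", namespaces=NS)
        a = dep.findtext("m:artifactId", namespaces=NS)
        v = dep.findtext("m:version", namespaces=NS)
        if g and a and v:
            found[f"{g}:{a}"] = resolve(v.strip(), props)
    return found


def check_floors(pom_xml, floors=FLOORS):
    """Return {coordinate: (declared, floor, ok)}. A coordinate absent from
    the pom is reported not ok: it may still arrive transitively, which a
    pom parser cannot see."""
    versions = declared_versions(pom_xml)
    report = {}
    for coord, floor in floors.items():
        declared = versions.get(coord)
        ok = declared is not None and version_key(declared) >= version_key(floor)
        report[coord] = (declared, floor, ok)
    return report


if __name__ == "__main__":
    for label, pom in (("before", SAMPLE_POM),
                       ("after", SAMPLE_POM.replace("1.4.8", "1.4.14"))):
        for coord, (declared, floor, ok) in check_floors(pom).items():
            print(f"{label}: {coord} declared={declared} floor={floor} "
                  f"{'OK' if ok else 'BELOW FLOOR'}")
```

The parser only sees versions the pom declares; anything reaching the build transitively (logback-core, which logback-classic depends on, for instance) is invisible here, so after merging confirm the resolved tree with `mvn dependency:tree` rather than trusting the pom alone.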

codecov[bot] commented 5 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (15ff8e9) 67.18% compared to head (ccf4e15) 67.18%.

Additional details and impacted files

```diff
@@             Coverage Diff             @@
##             master      #90     +/-   ##
=========================================
  Coverage     67.18%   67.18%
  Complexity       81       81
=========================================
  Files            29       29
  Lines           323      323
  Branches         19       19
=========================================
  Hits            217      217
  Misses           99       99
  Partials          7        7
```

:umbrella: View full report in Codecov by Sentry.

h1alexbel commented 5 months ago

@rultor merge

rultor commented 5 months ago

> @rultor merge

@h1alexbel OK, I'll try to merge now. You can check the progress of the merge here

rultor commented 5 months ago

> @rultor merge

@h1alexbel Done! FYI, the full log is here (took me 5min)