The warning
When building a Spring Boot 3 project, the spring-boot-starter-web dependency block in the pom file is highlighted as a whole, with the message:
Provides transitive vulnerable dependency maven:org.yaml:snakeyaml:1.33
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
Warning reason
This warning indicates that our Maven project uses a dependency with a known vulnerability, and that this dependency is not declared directly but is pulled in transitively by another dependency.
Specifically, the warning means:
the library org.yaml:snakeyaml:1.33 on our project's classpath (brought in through spring-boot-starter-web) has a known vulnerability.
Resolving the warning
1. Upgrade the dependency
Try upgrading the dependency version: if a newer version is available, the vulnerability may already be fixed there.
Search for this dependency in the Maven Central repository and you will see that the latest version is 2.0, which carries no red vulnerability warning, indicating that version 2.0 has fixed this vulnerability. (The current date is 2023.03.31.)
Since the vulnerability is fixed in the new version of this dependency, we can upgrade the version we use.
In Maven projects, dependency versions can be managed centrally with the dependencyManagement tag.
Inside this tag you can pin a specific version, and every dependency in the build, including transitive ones, will then resolve to that version.
For example, add the following to your pom file:
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
            <version>2.0</version>
        </dependency>
    </dependencies>
</dependencyManagement>
This ensures that every dependency that uses the snakeyaml library resolves to the specified version 2.0 and not to any other version. If a later version becomes available, you can update the version number to the latest one.
2. Exclude the dependency
If this library is not required, you can consider removing it from your project.
For example, exclude the snakeyaml dependency that the spring-boot-starter-web dependency pulls in:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
        </exclusion>
    </exclusions>
</dependency>
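Whichever of the two fixes above you apply, it is worth confirming what Maven actually resolves rather than trusting the IDE highlight. The following script is an added example (not part of the original post): it parses the output of mvn dependency:tree and fails when a snakeyaml version below 2.0 still resolves, while treating an absent snakeyaml as the expected outcome of the exclusion approach. It assumes mvn is on PATH; the sample tree output and artifact versions embedded in it are constructed, not captured from a real project.

```shell
#!/bin/sh
# Added example (not from the original post): check the resolved
# org.yaml:snakeyaml version from `mvn dependency:tree` output.
# Assumption: 2.0 is the minimum acceptable version (as stated above).
MIN_SNAKEYAML_VERSION="2.0"

# Constructed sample of `mvn dependency:tree -Dincludes=org.yaml:snakeyaml`
# output before the override (versions are made up for illustration).
SAMPLE_TREE_VULNERABLE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:3.0.5:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:3.0.5:compile
[INFO]       \- org.yaml:snakeyaml:jar:1.33:compile'

# Constructed sample after the dependencyManagement override: 2.0 resolves.
SAMPLE_TREE_FIXED='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:3.0.5:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:3.0.5:compile
[INFO]       \- org.yaml:snakeyaml:jar:2.0:compile'

# Print the first snakeyaml version found in a dependency tree read from stdin.
resolved_snakeyaml_version() {
  sed -n 's/.*org\.yaml:snakeyaml:jar:\([^:]*\):.*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing numeric components in order.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Read a dependency tree from stdin. Exit 0 if snakeyaml is at or above the
# minimum, 1 if a vulnerable version still resolves, 2 if snakeyaml is absent
# (the expected result after the exclusion approach).
check_snakeyaml_tree() {
  v=$(resolved_snakeyaml_version)
  if [ -z "$v" ]; then echo "snakeyaml not in the dependency tree"; return 2; fi
  if version_ge "$v" "$MIN_SNAKEYAML_VERSION"; then
    echo "snakeyaml $v resolves (>= $MIN_SNAKEYAML_VERSION): ok"; return 0
  fi
  echo "snakeyaml $v still resolves (< $MIN_SNAKEYAML_VERSION): FAIL"; return 1
}

# Real use: mvn dependency:tree -Dincludes=org.yaml:snakeyaml | check_snakeyaml_tree
printf '%s\n' "$SAMPLE_TREE_VULNERABLE" | check_snakeyaml_tree || true
```

Run the real pipeline from the last comment in CI after either fix; a non-zero status from check_snakeyaml_tree means the pom change did not take effect on the resolved classpath.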
3. Ignore the warning
If you are certain that your code and deployment environment are not affected by this vulnerability, you can choose to ignore the warning, but this is not a recommended practice.