Solving the "Provides transitive vulnerable dependency maven:org.yaml:snakeyaml:1.33" warning in pom.xml

Where the warning appears

When building a Spring Boot 3 project, the IDE highlights the whole spring-boot-starter-web dependency block in the pom file and shows:

Provides transitive vulnerable dependency maven:org.yaml:snakeyaml:1.33

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

Warning reason

This warning means that the Maven project ends up with a library that is flagged as vulnerable, and that the library is not declared directly in the pom but is pulled in transitively by another dependency (here spring-boot-starter-web, through spring-boot-starter).

Specifically, the warning refers to:

org.yaml:snakeyaml:1.33 is on the project's classpath, and that version is known to be vulnerable (CVE-2022-1471, unsafe deserialization of untrusted YAML through SnakeYAML's default Constructor; fixed in 2.0).

Resolving the warning

1. Upgrade dependencies

First try upgrading the dependency: if a newer version is available, the vulnerability may already be fixed there.

Search for org.yaml:snakeyaml on Maven Central and you will see that the latest version is 2.0 and that it carries no red vulnerability badge, which indicates that 2.0 fixes this vulnerability. (This was checked on 2023.03.31.)

Since the vulnerability is fixed in the new version, we can force the project onto that version.

In a Maven project, versions of transitive dependencies can be pinned with the dependencyManagement tag.

A version declared there applies to every occurrence of that artifact in the dependency tree, including transitive ones, and a dependencyManagement entry in your own pom takes precedence over the one inherited from spring-boot-starter-parent.

For example, add the following to your pom file

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.yaml</groupId>
                <artifactId>snakeyaml</artifactId>
                <version>2.0</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

This ensures that every dependency that uses the snakeyaml library resolves to 2.0 rather than to 1.33. If a later version is available, update the version number to it. Before relying on the override, confirm that your Spring Boot version actually works with SnakeYAML 2.0 (2.0 removed API that older Spring versions used; Spring Boot 3.1 and later ship 2.0 by default), and verify the result with mvn dependency:tree -Dincludes=org.yaml:snakeyaml, which should now list snakeyaml 2.0 under spring-boot-starter.
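An alternative to the dependencyManagement entry, shown here as an added example that is not part of the original post: projects that inherit from spring-boot-starter-parent can override the snakeyaml.version property that spring-boot-dependencies defines, which changes the managed version everywhere in the tree. The parent version and the com.example coordinates below are assumed placeholders.

```xml
<!-- Added example, not from the original post: pin SnakeYAML 2.0 by overriding
     the snakeyaml.version property defined by spring-boot-dependencies.
     Parent version and project coordinates are assumed placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.0.5</version> <!-- assumed; a 3.0.x parent current at the time of the post -->
        <relativePath/>
    </parent>

    <groupId>com.example</groupId> <!-- assumed placeholder coordinates -->
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <properties>
        <java.version>17</java.version>
        <!-- Overrides the version that spring-boot-dependencies manages for
             org.yaml:snakeyaml, so every transitive use resolves to 2.0. -->
        <snakeyaml.version>2.0</snakeyaml.version>
    </properties>

    <dependencies>
        <!-- Same starter as in the post; it still pulls in snakeyaml transitively,
             but now at the overridden version. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
    </dependencies>
</project>
```

Check the effect with mvn dependency:tree -Dincludes=org.yaml:snakeyaml; the only snakeyaml line should read version 2.0. Note that the property override only works when inheriting from spring-boot-starter-parent. If you import spring-boot-dependencies as a BOM in dependencyManagement instead, properties do not take effect, and you must use an explicit dependencyManagement entry for snakeyaml declared before the BOM import.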

2. Remove the dependency

If the library is not needed, it can be excluded from the project.

snakeyaml is brought in by spring-boot-starter, which spring-boot-starter-web depends on. Add an exclusion to the starter that pulls it in (an exclusion on spring-boot-starter-web works equally well, because exclusions apply to the whole transitive subtree of that dependency). Be aware that Spring Boot needs SnakeYAML to read application.yml / application.yaml, so after excluding it the project must keep its configuration in application.properties.

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.yaml</groupId>
                    <artifactId>snakeyaml</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

3. Ignore the warning

If you are sure that the application never parses untrusted YAML with the vulnerable constructor and that the runtime environment otherwise contains the risk, you can choose to ignore the warning, but this is not a recommended practice: the vulnerable class remains on the classpath, and any later code or library that feeds it attacker-controlled YAML reopens the issue.

Origin blog.csdn.net/m0_54250110/article/details/129889512