Stop forcing an old version of snakeyaml and remove suppression

LabKey · Feb 3, 2024 · 59dbfcc · 59dbfcc
1 parent 327a9ce
commit 59dbfcc
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 22 deletions.
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
@@ -112,19 +112,6 @@
         <vulnerabilityName>CVE-2018-17201</vulnerabilityName>
     </suppress>
 
-    <!--
-    This is a transitive dependency from spring-boot-starter that we're forcing to get CVE hotfixes. We're not
-    vulnerable since we're not accepting untrusted Spring Boot config files. See more details at
-    https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471
-    -->
-    <suppress>
-        <notes><![CDATA[
-   file name: snakeyaml-1.33.jar
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
-        <cve>CVE-2022-1471</cve>
-    </suppress>
-
     <suppress>
         <notes><![CDATA[
    file name: jackson-databind-2.15.2.jar

diff --git a/server/embedded/build.gradle b/server/embedded/build.gradle
@@ -59,15 +59,6 @@ dependencies {
         }
     }
 
-    // This is a transitive dependency from spring-boot-starter that we're forcing to pick up CVE hotfixes. We're not
-    // vulnerable since we're not accepting untrusted Spring Boot config files, but this cleans up the reporting.
-    // At some point Spring Boot should update its preferred version and we can yank this
-    implementation('org.yaml:snakeyaml') {
-        version {
-            strictly '1.33'
-        }
-    }
-
     runtimeOnly "org.apache.tomcat.embed:tomcat-embed-jasper:${springBootTomcatVersion}"
     runtimeOnly group: "com.sun.mail", name: "jakarta.mail", version: "${javaMailVersion}"
     runtimeOnly group: "org.apache.tomcat", name: "tomcat-dbcp", version: "${springBootTomcatVersion}"