One of our transitive dependencies with snakeyaml is causing a new alert/security blocker for builds.
The CVE abstract states the developer of the package will not fix the issue.
The issue is related to programmatically consuming YML with "malicious" dependencies causing memory outages, which falls way beyond our limited usage of static yml resources for Spring configuration.
Therefore, the issue should be waived with a small description of how our usage does not make Vorto vulnerable.
@kolotu could you please assign to @t-gauss, as he's the only one able to waive at this time?
Note: this is a blocker for processing pull requests at this time.
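Added example to go with the issue above (this is illustration code, not Vorto's code and not attached to this issue): it shows what the alert is about and what the waiver rationale rests on. A tiny YAML document that aliases a collection repeatedly expands exponentially when parsed; a loader bounded through SnakeYAML's LoaderOptions rejects it before expansion, while a static Spring-style config with no aliases loads as before. Assumed: SnakeYAML 1.33 or 2.x on the classpath (the limit setters used exist from 1.32), and the class/method names BoundedYamlLoad, hardenedYaml, aliasBomb and loads are invented for the example.

```java
// Added example, not Vorto project code. Assumes SnakeYAML 1.33 or 2.x
// (LoaderOptions.setCodePointLimit/setNestingDepthLimit exist from 1.32).
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class BoundedYamlLoad {

    // Hardened loader: SafeConstructor refuses arbitrary-type construction,
    // and the limits bound the work an attacker-controlled document can force.
    static Yaml hardenedYaml() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowRecursiveKeys(false);       // no self-referencing mapping keys
        opts.setMaxAliasesForCollections(10);    // caps alias expansion of collections
        opts.setNestingDepthLimit(50);           // caps deeply nested structures
        opts.setCodePointLimit(256 * 1024);      // 256 KiB ceiling on input size
        return new Yaml(new SafeConstructor(opts));
    }

    // Constructed alias bomb: each level references the previous one 9 times,
    // so the expanded collection grows as 9^levels while the text stays tiny.
    static String aliasBomb(int levels) {
        StringBuilder sb = new StringBuilder("l0: &l0 [x, x, x, x, x, x, x, x, x]\n");
        for (int i = 1; i < levels; i++) {
            sb.append("l").append(i).append(": &l").append(i).append(" [");
            for (int j = 0; j < 9; j++) {
                sb.append("*l").append(i - 1).append(j < 8 ? ", " : "");
            }
            sb.append("]\n");
        }
        return sb.toString();
    }

    // Returns true if the hardened loader accepted the document, false if it
    // threw a YAMLException (e.g. alias count above the configured maximum).
    static boolean loads(Yaml yaml, String doc) {
        try {
            yaml.load(doc);
            return true;
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = hardenedYaml();

        // Constructed static config of the kind a Spring application.yml holds:
        // no aliases, shallow nesting, small size, so it loads unchanged.
        String staticConfig =
            "server:\n  port: 8080\nspring:\n  application:\n    name: demo\n";
        System.out.println("static config accepted: " + loads(yaml, staticConfig));

        // Five levels * 9 aliases = 36 collection aliases, above the limit of 10,
        // so the document is rejected before the 9^5 expansion is materialised.
        System.out.println("alias bomb accepted: " + loads(yaml, aliasBomb(5)));
    }
}
```

The point for the waiver text: the memory-exhaustion path needs a YAML document whose aliases or nesting the parser is asked to expand, and the only YAML Vorto feeds to snakeyaml here is its own static configuration resources. Keeping the bounded loader in place anyway costs nothing and closes the gap should untrusted YAML ever be parsed later.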