Gradle has snakeyaml dependency, which reported to have a CVE with critical base score #24883
Assignees
Labels
closed:duplicate
Duplicated or superseeded by another issue
Comments
|
Fixed in #25011 |
|
Thank you for your interest in Gradle! This issue will be closed as a duplicate of I forgot this issue had been filed when upgrading the library. Thanks for the report, but please in the future prefer security@gradle.com for such reports, just in case the vulnerability is exploitable. |
ljacomet
added
closed:duplicate
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected Behavior
Expected no critical vulnerability findings.
Current Behavior
A critical vulnerability was detected regarding the snakeyaml dependency in the latest version of Gradle, https://nvd.nist.gov/vuln/detail/CVE-2022-1471#range-9042833
Due to vulnerability finding, the docker image we are building, which contains gradle, is deem to be a vulnerable image.
May we expect a patch or rc soon to fix this vulnerability?
Context (optional)
No response
Steps to Reproduce
I executed the Trivy container scanner to scan a docker image built with the latest Gradle. The vulnerability was reported in its security report.
Gradle version
8.1.1
Build scan URL (optional)
No response
Your Environment (optional)
No response
The text was updated successfully, but these errors were encountered: