Resolve CVE-2022-1471: Securing the Vulnerability with SnakeYAML 2.0 …

…and Spring Boot 2.7.10 (#3538) * Update pom.xml Bump snakeyml to 2.0 to resolve CVE-2022-1471 * Resolve CVE-2022-1471: Bump Jackson and Spring Boot in pom.xml Ref: - spring-projects/spring-boot#34405 (comment) - https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.7/html/migrating_applications_to_spring_boot_2.7/migrating-spring-boot-2-5-applications-to-the-spring-boot-version-spring-boot_spring-boot * Update pom.xml to Spring Boot 2.7.10 Reference: http://github.com/spring-projects/spring-boot/issues/34405 2.7.10 supports SnakeYML 2.0 * Fix prometheus integration check Prometheus integration check was matching on prometheus in the application name. Since the test included prometheus in the package it was failing. This change matches on the URI prefix instead of just the name. --------- Co-authored-by: Lance Linder <[email protected]>
openzipkin · May 30, 2023 · d0dc3d6 · d0dc3d6
1 parent 9dee607
commit d0dc3d6
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/pom.xml b/pom.xml
@@ -57,7 +57,7 @@
     <netty.version>4.1.78.Final</netty.version>
 
     <!-- It's easy for Jackson dependencies to get misaligned, so we manage it ourselves. -->
-    <jackson.version>2.14.0</jackson.version>
+    <jackson.version>2.15.0</jackson.version>
 
     <java-driver.version>4.11.3</java-driver.version>
     <micrometer.version>1.9.3</micrometer.version>
@@ -66,10 +66,10 @@
     <javax-annotation-api.version>1.3.1</javax-annotation-api.version>
 
     <!-- update together -->
-    <spring-boot.version>2.5.14</spring-boot.version>
+    <spring-boot.version>2.7.10</spring-boot.version>
     <spring.version>5.3.27</spring.version>
-    <!-- override spring dependency version, CVE-2022-25857 -->
-    <snakeyaml.version>1.33</snakeyaml.version>
+    <!-- override spring dependency version, CVE-2022-25857, CVE-2022-1471 -->
+    <snakeyaml.version>2.0</snakeyaml.version>
 
     <!-- MySQL connector is GPL, even if it has an OSS exception.
          https://www.mysql.com/about/legal/licensing/foss-exception/

diff --git a/zipkin-server/src/test/java/zipkin2/server/internal/prometheus/ITZipkinMetrics.java b/zipkin-server/src/test/java/zipkin2/server/internal/prometheus/ITZipkinMetrics.java
@@ -78,7 +78,7 @@ public class ITZipkinMetrics {
 
     // ensure we don't track prometheus, UI requests in prometheus
     assertThat(scrape())
-      .doesNotContain("prometheus")
+      .doesNotContain("uri=\"/prometheus")
       .doesNotContain("uri=\"/zipkin")
       .doesNotContain("uri=\"/\"");
   }