Comments (2)
eli-darkly
commented on June 12, 2024
I understand the problem you're describing, and we have been considering dropping snakeyaml for that reasonโ but, I'm not sure I understand the particular solution you're proposing.
What would be the mechanism for declaring dependencies for the thin jar? As I understand it (and I apologize if I'm missing something obvious; we haven't used multi-jar publications for any purpose other than this SDK, not counting the standard inclusion of source/javadoc jars), Maven does not have a concept of dependencies for a secondary artifact, i.e. one that has a classifier as opposed to being the default jar. The dependencies declared in pom.xml are, by definition, for the primary artifact (the default jar).
from java-server-sdk.
alok1111
commented on June 12, 2024
Hi @eli-darkly. Looks like we faced a similar issue.
The project uses Snyk to check dependencies for security vulnerabilities. Currently, we use com.launchdarkly:launchdarkly-java-server-sdk:6.0.5 which depends on the vulnerable snakeyaml:1.32. Nor Snyk nor sbt doesn't see the launchdakly's dependencies. That's why Snyk can't notify us about the vulnerabilities of launchdarkly's dependencies.
Special thanks to the AWS Inspector who somehow found the vulnerable snakeyaml:1.32 in the Docker image.
I've compared launchdarkly's pom.xml in the local cache with the org.liquibase:liquibase-core:4.16.1 one which also depends on snakeyaml. Probably, the issue appears because your package lacks the dependencies section:
<dependencies>
...
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>1.31</version>
<scope>compile</scope>
</dependency>
...
</dependencies>
from java-server-sdk.
Related Issues (20)
- Launch Darkly Metrics conflating Version numbers. HOT 3
- Getting numerous Error posting diagnostic event (giving up permanently): HTTP error 401 (invalid SDK key) HOT 2
- Synk reports the low version of okHttp3 dependency HOT 3
- Vulnerability in snakeyaml HOT 3
- LaunchDarkly Client initialing failed even add LaunchDarkly Certificate to java key store. HOT 9
- `isInitialized` & `dataStore.isInitialized()` HOT 3
- Please provide ability to `LDClient` in non-blocking manner HOT 4
- fat jar brings in duplicate copy of `launchdarkly-logging` HOT 3
- Allow lazily computed defaultValues in LDClient to improve code readability HOT 6
- java-server-sdk is vulnerable to CVE-2022-1471 RCE HOT 3
- Builder object is not exist in V6 but is taken as an example in the docs HOT 6
- Evaluation can throw when the same segment is used in multiple rules within a single flag HOT 6
- StreamClosedByServerException: Stream closed by server HOT 13
- Vulnerability CVE-2022-1471 is introduced via SnakeYaml 1.32. Upgrading to 2.0 should fix it. HOT 3
- Have a robust in memory datastore fallback when the persistent data store connection is not working HOT 2
- update to guava 32.0.0 to resolve CVE-2023-2976 HOT 6
- ApiException.getMessage throws NullPointerException when IOException occurs HOT 1
- Stream continuously reset HOT 2
- Support for use of java-server-sdk library in GraalVM native image applications HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from java-server-sdk.