mirror of
https://github.com/corda/corda.git
synced 2024-12-20 05:28:21 +00:00
NOTICK: Remaining snyk waivers updated for Corda OS 4.10
This commit is contained in:
parent
14ab3f38c2
commit
a98f17922c
29
.snyk
29
.snyk
@ -196,4 +196,33 @@ ignore:
|
||||
they are not susceptible.
|
||||
expires: 2023-03-28T11:40:29.871Z
|
||||
created: 2022-12-29T11:40:29.896Z
|
||||
SNYK-JAVA-ORGYAML-3152153:
|
||||
- '*':
|
||||
reason: >-
|
||||
There is a transitive dependency on snakeyaml from the third party
|
||||
components jackson-dataformat-yaml and liquidbase-core. The
|
||||
jackson-dataformat-yaml component does not use the snakeyaml
|
||||
databinding layer. For liquidbase we use xml in the changelog files
|
||||
not yaml. So given this Corda is not susceptible to this
|
||||
vulnerability.Cordapp authors should exercise their own judgment if
|
||||
using this library directly in their cordapp.
|
||||
expires: 2023-02-03T11:35:04.385Z
|
||||
created: 2023-01-04T11:35:04.414Z
|
||||
SNYK-JAVA-IONETTY-3167773:
|
||||
- '*':
|
||||
reason: >-
|
||||
Corda does not use Netty HTTP (and does not use HTTP in the P2P
|
||||
protocol) . This is a transitive dependency of Netty comms library,
|
||||
but it is not used in Corda, which uses a custom binary protocol
|
||||
secured by mutually authenticated TLS. The vulnerability relating to
|
||||
HTTP Response splitting is not exposed.
|
||||
expires: 2023-02-03T11:40:51.456Z
|
||||
created: 2023-01-04T11:40:51.467Z
|
||||
SNYK-JAVA-COMH2DATABASE-3146851:
|
||||
- '*':
|
||||
reason: >-
|
||||
Corda does not make use of the H2 web admin console, so it not
|
||||
susceptible to this reported vulnerability
|
||||
expires: 2023-02-03T11:45:11.295Z
|
||||
created: 2023-01-04T11:45:11.322Z
|
||||
patch: {}
|
||||
|
Loading…
Reference in New Issue
Block a user