Merge pull request #7377 from corda/ritu_tmp_4.9.7-waivers

ENT-9108: Corda OS 4.9.7 remaining waivers
2024-12-19 21:17:58 +00:00 · 2023-05-31 09:59:08 +01:00 · 2023-05-31 09:59:08 +01:00 · ac4255ca75
commit ac4255ca75
parent 20a155f260 c64ad75ee3
1 changed files with 97 additions and 0 deletions
--- a/.snyk
+++ b/.snyk
@ -131,4 +131,101 @@ ignore:
          this vulnerability.
        expires: 2023-09-01T11:32:38.120Z
        created: 2022-09-21T11:32:38.125Z
+SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424:
+    - '*':
+        reason: >-
+          Corda does not set the non-default UNWRAP_SINGLE_VALUE_ARRAYS required
+          for this vulnerability. In addition Corda does not use Jackson for
+          deserialization except in the optional shell which we recommend using
+          standalone. The Corda node itself is not exposed. Corda does however
+          provide mappings of Corda types to allow CorDapps to use Jackson, and
+          CorDapps using Jackson should make their own assessment. This
+          vulnerability relates to deeply nested untyped Object or Array values
+          (3000 levels deep). Only CorDapps with these types at this level of
+          nesting are potentially susceptible.
+        expires: 2023-09-01T12:04:40.180Z
+        created: 2023-02-09T12:04:40.209Z
+ SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
+    - '*':
+        reason: >-
+          Corda does not set the non-default UNWRAP_SINGLE_VALUE_ARRAYS required
+          for this vulnerability. In addition Corda does not use Jackson for
+          deserialization except in the optional shell which we recommend using
+          standalone. The Corda node itself is not exposed. Corda does however
+          provide mappings of Corda types to allow CorDapps to use Jackson, and
+          CorDapps using Jackson should make their own assessment. This
+          vulnerability relates to deeply nested untyped Object or Array values
+          (3000 levels deep). Only CorDapps with these types at this level of
+          nesting are potentially susceptible.
+        expires: 2023-09-01T12:05:03.931Z
+        created: 2023-02-09T12:05:03.962Z
+ SNYK-JAVA-ORGYAML-2806360:
+    - '*':
+        reason: >-
+          Snakeyaml is being used by Jackson and liquidbase. Corda does not use
+          Jackson except in the optional shell which we recommend using
+          standalone. The Corda node itself is not exposed. Corda does however
+          provide mappings of Corda types to allow CorDapps to use Jackson, and
+          CorDapps using Jackson should make their own assessment. Liquibase is
+          used to apply the database migration changes. XML files are used here
+          to define the changes not YAML and therefore the Corda node itself is
+          not exposed to this DOS vulnerability.
+        expires: 2023-09-01T13:40:55.262Z
+        created: 2022-09-21T13:40:55.279Z
+ SNYK-JAVA-ORGYAML-3016891:
+    - '*':
+        reason: >-
+          Snakeyaml is being used by Jackson and liquidbase. Corda does not use
+          Jackson for deserialization except in the optional shell which we
+          recommend using standalone. The Corda node itself is not exposed.
+          Corda does however provide mappings of Corda types to allow CorDapps
+          to use Jackson, and CorDapps using Jackson should make their own
+          assessment. Liquibase is used to apply the database migration changes.
+          XML files are used here to define the changes not YAML and therefore
+          the Corda node itself is not exposed to this deserialisation
+          vulnerability.
+        expires: 2023-09-01T16:37:28.911Z
+        created: 2023-02-06T16:37:28.933Z
+ SNYK-JAVA-ORGYAML-3016888:
+    - '*':
+        reason: >-
+          Snakeyaml is being used by Jackson and liquidbase. Corda does not use
+          Jackson for deserialization except in the optional shell which we
+          recommend using standalone. The Corda node itself is not exposed.
+          Corda does however provide mappings of Corda types to allow CorDapps
+          to use Jackson, and CorDapps using Jackson should make their own
+          assessment. Liquibase is used to apply the database migration changes.
+          XML files are used here to define the changes not YAML and therefore
+          the Corda node itself is not exposed to this deserialisation
+          vulnerability.
+        expires: 2023-09-01T13:39:49.450Z
+        created: 2022-09-21T13:39:49.470Z
+ SNYK-JAVA-ORGYAML-3016889:
+    - '*':
+        reason: >-
+          Snakeyaml is being used by Jackson and liquidbase. Corda does not use
+          Jackson for deserialization except in the optional shell which we
+          recommend using standalone. The Corda node itself is not exposed.
+          Corda does however provide mappings of Corda types to allow CorDapps
+          to use Jackson, and CorDapps using Jackson should make their own
+          assessment. Liquibase is used to apply the database migration changes.
+          XML files are used here to define the changes not YAML and therefore
+          the Corda node itself is not exposed to this deserialisation
+          vulnerability.
+        expires: 2023-09-01T16:35:13.840Z
+        created: 2023-02-06T16:35:13.875Z
+ SNYK-JAVA-ORGYAML-3113851:
+    - '*':
+        reason: >-
+          Snakeyaml is being used by Jackson and liquidbase. Corda does not use
+          Jackson for deserialization except in the optional shell which we
+          recommend using standalone. The Corda node itself is not exposed.
+          Corda does however provide mappings of Corda types to allow CorDapps
+          to use Jackson, and CorDapps using Jackson should make their own
+          assessment. Liquibase is used to apply the database migration changes.
+          XML files are used here to define the changes not YAML and therefore
+          the Corda node itself is not exposed to this deserialisation
+          vulnerability.
+        expires: 2024-04-01T00:00:00.000Z
+        created: 2022-11-29T14:55:03.623Z
 patch: {}