From c64ad75ee37a1350f781eaf724877fa274ab9b1f Mon Sep 17 00:00:00 2001 From: nargas-ritu Date: Tue, 30 May 2023 19:08:43 +0100 Subject: [PATCH] ENT-9108: Corda OS 4.9.7 remaining waivers --- .snyk | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/.snyk b/.snyk index 1d07fa8b7b..2b9605267a 100644 --- a/.snyk +++ b/.snyk 
@@ -131,4 +131,101 @@ ignore: this vulnerability. expires: 2023-09-01T11:32:38.120Z created: 2022-09-21T11:32:38.125Z +SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424: + - '*': + reason: >- + Corda does not set the non-default UNWRAP_SINGLE_VALUE_ARRAYS required + for this vulnerability. In addition Corda does not use Jackson for + deserialization except in the optional shell which we recommend using + standalone. The Corda node itself is not exposed. Corda does however + provide mappings of Corda types to allow CorDapps to use Jackson, and + CorDapps using Jackson should make their own assessment. This + vulnerability relates to deeply nested untyped Object or Array values + (3000 levels deep). Only CorDapps with these types at this level of + nesting are potentially susceptible. + expires: 2023-09-01T12:04:40.180Z + created: 2023-02-09T12:04:40.209Z + SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426: + - '*': + reason: >- + Corda does not set the non-default UNWRAP_SINGLE_VALUE_ARRAYS required + for this vulnerability. In addition Corda does not use Jackson for + deserialization except in the optional shell which we recommend using + standalone. The Corda node itself is not exposed. Corda does however + provide mappings of Corda types to allow CorDapps to use Jackson, and + CorDapps using Jackson should make their own assessment. This + vulnerability relates to deeply nested untyped Object or Array values + (3000 levels deep). Only CorDapps with these types at this level of + nesting are potentially susceptible. + expires: 2023-09-01T12:05:03.931Z + created: 2023-02-09T12:05:03.962Z + SNYK-JAVA-ORGYAML-2806360: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson except in the optional shell which we recommend using + standalone. The Corda node itself is not exposed. Corda does however + provide mappings of Corda types to allow CorDapps to use Jackson, and + CorDapps using Jackson should make their own assessment. 
Liquibase is + used to apply the database migration changes. XML files are used here + to define the changes not YAML and therefore the Corda node itself is + not exposed to this DOS vulnerability. + expires: 2023-09-01T13:40:55.262Z + created: 2022-09-21T13:40:55.279Z + SNYK-JAVA-ORGYAML-3016891: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. + Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2023-09-01T16:37:28.911Z + created: 2023-02-06T16:37:28.933Z + SNYK-JAVA-ORGYAML-3016888: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. + Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2023-09-01T13:39:49.450Z + created: 2022-09-21T13:39:49.470Z + SNYK-JAVA-ORGYAML-3016889: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. 
+ Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2023-09-01T16:35:13.840Z + created: 2023-02-06T16:35:13.875Z + SNYK-JAVA-ORGYAML-3113851: + - '*': + reason: >- + Snakeyaml is being used by Jackson and liquidbase. Corda does not use + Jackson for deserialization except in the optional shell which we + recommend using standalone. The Corda node itself is not exposed. + Corda does however provide mappings of Corda types to allow CorDapps + to use Jackson, and CorDapps using Jackson should make their own + assessment. Liquibase is used to apply the database migration changes. + XML files are used here to define the changes not YAML and therefore + the Corda node itself is not exposed to this deserialisation + vulnerability. + expires: 2024-04-01T00:00:00.000Z + created: 2022-11-29T14:55:03.623Z patch: {}
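Review bot: The last entry, SNYK-JAVA-ORGYAML-3113851, sets `expires: 2024-04-01T00:00:00.000Z` while every other waiver added in this hunk expires on 2023-09-01, and its reason is word for word the same as the neighbouring Snakeyaml entries, so nothing in the file explains the longer window. Either align the expiry with the others or state in the reason why this one is waived for longer. The first added key, `+SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424:`, is shown with no indentation, unlike the other added keys. If that is how it sits in the file, it is not nested under `ignore:` and the waiver will not take effect, so check its indentation. The two Jackson entries share one reason that mixes two separate conditions (the non-default UNWRAP_SINGLE_VALUE_ARRAYS setting and nesting 3000 levels deep); say which condition belongs to which ID so each waiver can be re-assessed on its own when it expires. SNYK-JAVA-ORGYAML-2806360 says Corda "does not use Jackson except in the optional shell" where the other entries say "for deserialization"; make the wording consistent. "liquidbase" should be "Liquibase" in all five Snakeyaml reasons.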