Merge pull request #7289 from corda/ritu_tmp_SNYK_waivers_remaining

NOTICK: Remaining snyk waivers updated for Corda OS 4.10
This commit is contained in:
Ronan Browne 2023-01-05 17:09:16 +00:00 committed by GitHub
commit b8400b0e99
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

29
.snyk
View File

@ -196,4 +196,33 @@ ignore:
they are not susceptible. they are not susceptible.
expires: 2023-03-28T11:40:29.871Z expires: 2023-03-28T11:40:29.871Z
created: 2022-12-29T11:40:29.896Z created: 2022-12-29T11:40:29.896Z
SNYK-JAVA-ORGYAML-3152153:
- '*':
reason: >-
There is a transitive dependency on snakeyaml from the third party
components jackson-dataformat-yaml and liquidbase-core. The
jackson-dataformat-yaml component does not use the snakeyaml
databinding layer. For liquidbase we use xml in the changelog files
not yaml. So given this Corda is not susceptible to this
vulnerability.Cordapp authors should exercise their own judgment if
using this library directly in their cordapp.
expires: 2023-03-03T11:35:04.385Z
created: 2023-01-04T11:35:04.414Z
SNYK-JAVA-IONETTY-3167773:
- '*':
reason: >-
Corda does not use Netty HTTP (and does not use HTTP in the P2P
protocol) . This is a transitive dependency of Netty comms library,
but it is not used in Corda, which uses a custom binary protocol
secured by mutually authenticated TLS. The vulnerability relating to
HTTP Response splitting is not exposed.
expires: 2023-03-03T11:40:51.456Z
created: 2023-01-04T11:40:51.467Z
SNYK-JAVA-COMH2DATABASE-3146851:
- '*':
reason: >-
Corda does not make use of the H2 web admin console, so it not
susceptible to this reported vulnerability
expires: 2023-03-03T11:45:11.295Z
created: 2023-01-04T11:45:11.322Z
patch: {} patch: {}