v0.3.1
What's Changed
Exciting New Features 🎉
- Install FindSecBugs by @big-andy-coates in #108
Dependency Updates
- Bump junitVersion from 5.9.1 to 5.9.2 by @dependabot in #99
- Bump github/codeql-action from 2.1.37 to 2.1.38 by @dependabot in #100
- Bump org.jetbrains.kotlin.jvm from 1.7.22 to 1.8.0 by @dependabot in #88
- Bump schema-lib from 2.13.1 to 2.13.10 by @big-andy-coates in #102
- Bump mockito-junit-jupiter from 4.11.0 to 5.0.0 by @dependabot in #106
- Bump github/codeql-action from 2.1.38 to 2.2.0 by @dependabot in #103
- Bump spotless-plugin-gradle from 6.12.1 to 6.13.0 by @dependabot in #104
- Bump Kotlin libraries to 1.7.22 by @big-andy-coates in #109
- Bump picocli from 4.7.0 to 4.7.1 by @dependabot in #111
- Bump spotless-plugin-gradle from 6.13.0 to 6.14.0 by @dependabot in #110
- Bump jacksonVersion from 2.14.1 to 2.14.2 by @dependabot in #112
- Bump creekVersion from 0.3.1-SNAPSHOT to 0.3.1 by @dependabot in #114
- Bump org.mockito:mockito-junit-jupiter from 5.0.0 to 5.1.0 by @dependabot in #115
- Bump com.github.spotbugs:spotbugs-annotations from 4.6.0 to 4.7.3 by @dependabot in #116
Known security vulnerabilities in dependencies
At the time of release, the following known security vulnerabilities existed in dependencies of the released Creek jars:
Snake YAML's Deserialization of Untrusted Data
See CVE-2022-1471 & GHSA-mjmj-j48q-9wg2.
At the time of writing, this was marked with High / Critical priority. However, if you read up on the vulnerability, you'll see that the problem is that the deserializer allows instantiation of arbitrary types, and this can lead to remote code execution if you're parsing YAML from an untrustworthy source, e.g. text submitted from a form on a website.
This is not an issue for Creek, as all YAML being deserialized is from a trusted source, i.e. you, the user, running Creek system tests written in YAML.
SnakeYAML isn't used directly by Creek. Creek makes use of it via Jackson. Fixing this non-issue in Creek is not currently possible.
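To make the distinction above concrete, here is an added example (not Creek's code) contrasting SnakeYAML's default loader, which resolves a `!!` global tag to a Java class and instantiates it, with the `SafeConstructor` loader, which only builds the core YAML types, and a Jackson `YAMLMapper` that deserializes into a record whose shape is fixed in code. It assumes the SnakeYAML 1.x line that Jackson 2.14 depends on (SnakeYAML 2.0 and later reject global tags by default, which the `main` method also handles); the `SystemTest` record and its fields are hypothetical and only mimic the shape of a system-test file.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import com.fasterxml.jackson.dataformat.yaml.YAMLMapper;
import java.util.List;

public final class SafeYamlLoading {

    // Constructed sample: a document whose "!!" global tag names a Java class.
    // SnakeYAML 1.x's default Constructor resolves such tags to classes and
    // instantiates them; that resolution step is what CVE-2022-1471 is about.
    static final String TAGGED_YAML = "!!java.lang.String hello";

    // Constructed sample in the shape of a system-test file (hypothetical fields).
    static final String TRUSTED_YAML = String.join("\n",
        "name: orders-are-published",
        "inputs:",
        "  - order-created",
        "expectations:",
        "  - order-published");

    /** Default loader: global tags are resolved to classes and instantiated. */
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    /**
     * Hardened loader: only the core YAML types (str, int, map, seq, ...) are
     * constructed; a tag naming a Java class fails with ConstructorException.
     */
    static Object loadWithSafeConstructor(String yaml) {
        LoaderOptions options = new LoaderOptions();
        return new Yaml(new SafeConstructor(options)).load(yaml);
    }

    /** Target type fixed in code (hypothetical shape): Jackson maps fields onto it. */
    record SystemTest(String name, List<String> inputs, List<String> expectations) {}

    static SystemTest loadSystemTest(String yaml) throws Exception {
        return new YAMLMapper().readValue(yaml, SystemTest.class);
    }

    public static void main(String[] args) throws Exception {
        try {
            Object loose = loadWithDefaultConstructor(TAGGED_YAML);
            System.out.println("default loader instantiated: " + loose.getClass().getName());
        } catch (Exception e) {
            // SnakeYAML 2.x rejects global tags up front instead of instantiating.
            System.out.println("default loader rejected the tag: " + e.getMessage());
        }

        try {
            loadWithSafeConstructor(TAGGED_YAML);
            System.out.println("unexpected: SafeConstructor accepted a class tag");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }

        SystemTest test = loadSystemTest(TRUSTED_YAML);
        System.out.println("parsed '" + test.name() + "' with "
            + test.inputs().size() + " input(s)");
    }
}
```

The point for a reader of these notes is the last part: when YAML is bound through Jackson into a type the application declares, the document cannot pick the class that gets constructed, which is why the trust boundary (who writes the system-test files) is the deciding factor rather than the CVE score.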
Jackson core's Uncontrolled Resource Consumption
See sonatype-2022-6438.
At the time of writing, this is marked with High priority. However, if you read up on this vulnerability, this is also about parsing data from an untrustworthy source.
This is not an issue for Creek, as all data being deserialized is from a trusted source, i.e. you, the user, running Creek system tests written in YAML.
There is already a fix in Jackson. Creek will update to 2.15.0 of Jackson when it is released.
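As an added illustration (not Creek's code) of what the Jackson fix looks like on the consuming side, the example below builds an `ObjectMapper` whose parser enforces explicit nesting-depth and string-length limits via `StreamReadConstraints`, the API introduced in Jackson 2.15, and shows a constructed, pathologically nested document being rejected with `StreamConstraintsException` instead of consuming resources. It assumes jackson-core and jackson-databind 2.15.0 on the classpath; the limit values are arbitrary choices for the demonstration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public final class BoundedJsonParsing {

    // Constructed sample: `depth` nested arrays, e.g. "[[[...]]]".
    static String deeplyNested(int depth) {
        return "[".repeat(depth) + "]".repeat(depth);
    }

    /** Mapper whose parser enforces explicit limits (Jackson 2.15 StreamReadConstraints). */
    static ObjectMapper boundedMapper(int maxDepth, int maxStringLength) {
        StreamReadConstraints limits = StreamReadConstraints.builder()
            .maxNestingDepth(maxDepth)
            .maxStringLength(maxStringLength)
            .build();
        JsonFactory factory = JsonFactory.builder()
            .streamReadConstraints(limits)
            .build();
        return new ObjectMapper(factory);
    }

    /** Returns true when the document was stopped by a limit rather than parsed. */
    static boolean isRejectedByLimits(ObjectMapper mapper, String json) {
        try {
            JsonNode ignored = mapper.readTree(json);
            return false;
        } catch (StreamConstraintsException e) {
            // Raised as soon as a limit is crossed, before the rest is consumed.
            return true;
        } catch (IOException e) {
            throw new IllegalStateException("malformed input", e);
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = boundedMapper(100, 10_000);
        System.out.println("depth 50 rejected?   " + isRejectedByLimits(mapper, deeplyNested(50)));
        System.out.println("depth 2000 rejected? " + isRejectedByLimits(mapper, deeplyNested(2000)));
    }
}
```

Jackson 2.15 applies default limits even without this configuration; setting them explicitly documents the sizes the application actually expects, which for a test tool reading its own YAML files can be far tighter than the defaults.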
Full Changelog: v0.3.0...v0.3.1