Release v0.3.1 · creek-service/creek-json-schema

What's Changed

Exciting New Features 🎉

Install FindSecBugs by @big-andy-coates in #108

Dependency Updates

Bump junitVersion from 5.9.1 to 5.9.2 by @dependabot in #99
Bump github/codeql-action from 2.1.37 to 2.1.38 by @dependabot in #100
Bump org.jetbrains.kotlin.jvm from 1.7.22 to 1.8.0 by @dependabot in #88
Bump schema-lib from 2.13.1 to 2.13.10 by @big-andy-coates in #102
Bump mockito-junit-jupiter from 4.11.0 to 5.0.0 by @dependabot in #106
Bump github/codeql-action from 2.1.38 to 2.2.0 by @dependabot in #103
Bump spotless-plugin-gradle from 6.12.1 to 6.13.0 by @dependabot in #104
Bump Kotlin libraries to 1.7.22 by @big-andy-coates in #109
Bump picocli from 4.7.0 to 4.7.1 by @dependabot in #111
Bump spotless-plugin-gradle from 6.13.0 to 6.14.0 by @dependabot in #110
Bump jacksonVersion from 2.14.1 to 2.14.2 by @dependabot in #112
Bump creekVersion from 0.3.1-SNAPSHOT to 0.3.1 by @dependabot in #114
Bump org.mockito:mockito-junit-jupiter from 5.0.0 to 5.1.0 by @dependabot in #115
Bump com.github.spotbugs:spotbugs-annotations from 4.6.0 to 4.7.3 by @dependabot in #116

Known security vulnerabilities in dependencies

At the time of release the following known security vulnerabilities existing in dependencies of the released Creek jars:

Snake YAML's Deserialization of Untrusted Data

See CVE-2022-1471 & GHSA-mjmj-j48q-9wg2.

At the time of writing, this was marked with High / Critical priority. However, if you read up on the
vulnerability,
you'll see the vulnerability is that the deserializer allows instantiation or arbitrary types, and this
can lead to remote code execution if you're parsing YAML from an untrustworthy source, e.g. text submitted
from a form on a website.

This is not an issue for Creek, as all YAML being deserialized is from a trusted source, i.e. you, the
user, running Creek system tests written in YAML.

SnakeYaml isn't used directly by Creek. Creek makes use of it via Jackson. Fixing this (none) issue in Creek is not currently possible.

Jackson core's Uncontrolled Resource Consumption

See sonatype-2022-6438.

At the time of writing, this is marked with High priority. However, if you
read up on this vulnerability, this is also about parsing
data from untrustworthy source.

This is not an issue for Creek, as all data being deserialized is from a trusted source, i.e. you, the
user, running Creek system tests written in YAML.

There is already a fix in Jackson. Creek will update to 2.15.0
of Jackson when it is released.

Full Changelog: v0.3.0...v0.3.1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v0.3.1