upgrade to SnakeYaml 1.31 in spring-boot-starter-parent 2.7.3

Question

Have springboot project in which wanted to either exclude snakeyaml 1.30 or upgrade it 1.31 inorder to avoid fortify issue reporting

with snakeyaml 1.30 version there is security vulnerability

<parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.3</version>
</parent>

Below is seen on the effective pom.xml of the project

  <dependency>
          <groupId>org.yaml</groupId>
          <artifactId>snakeyaml</artifactId>
          <version>1.30</version>
          <scope>compile</scope>
        </dependency>

Is there any possibility to upgrade as the remediation says to upgrade the version to snakeyaml 1.31 ?

Ref : https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360

Answer 1

SnakeYAML is a managed dependency in Spring Boot, so you can simply add the following to the properties section of pom.xml to have Spring Boot 2.3.7 use SnakeYAML 1.31 instead of 1.30:

<snakeyaml.version>1.31</snakeyaml.version>

Answer 2

You can always change the version number through the <dependencyManagement> block in your pom.xml:

<dependencyManagement>
    <dependencies>

      <dependency>
        <groupId>org.yaml</groupId>
        <artifactId>snakeyaml</artifactId>
        <version>1.31</version>
      </dependency>

   </dependencies>
</dependencyManagement>

This will automatically change the version your project will use. You can test this by running mvn dependency:tree afterwards. It should only show version 1.31 of snakeyaml.

Important remark: Make sure that you remove this block as soon as you integrate the next version of Spring Boot as it will very likely contain the increased version. Otherwise you may downgrade the version unintentionally after future updates.

Please also note that there may be incompatibilities between certain lib versions and Spring Boot, hence it may not always be possible to update the version this way.