clj-yaml

lread 2022-12-08T15:03:42.079849Z

This particular CVE saga carries on. I'm not sure what Andrey's position is anymore but he has re-opened https://bitbucket.org/snakeyaml/snakeyaml/issues/561, which he previously closed as wontfix. In any case, I feel for him, not a ton of fun. Since clj-yaml took the safe-by-default approach, I feel we are still unaffected by this particular CVE.

slipset 2022-12-08T18:17:23.264689Z

Then a solution for us would be to add that CVE to the ignore list for NVD and relax.

slipset 2022-12-08T18:20:56.364649Z

https://github.com/clj-commons/clj-yaml/pull/83

lread 2022-12-08T18:22:38.650989Z

Ya, that seems like a plan. Ideally, I would like someone else to confirm my conclusion that we are safe. We might also add a note to the README on this CVE as tooling will pick up the CVE in clj-yaml deps. And it looks like Andrey is going to address this in some form or other, maybe even to the satisfaction of the raisers of the CVE. 🤷 We can adjust when that happens.

slipset 2022-12-08T18:23:15.594539Z

I figure it’s recorded in the commit msg.

lread 2022-12-08T18:24:40.080699Z

Yeah, that's a perspective for sure. How about we adjust the README if/when folks start asking.

lread 2022-12-08T18:25:16.843879Z

@slipset do you agree with my theory that we are not affected?

slipset 2022-12-08T18:25:38.365949Z

I do

lread 2022-12-08T18:25:46.932979Z

Coolio, thanks

lread 2022-12-08T18:29:42.810229Z

Odd thing @slipset, I did not get emails for the vulnerability scan failure. Did you?

slipset 2022-12-08T18:29:53.712889Z

Yes

lread 2022-12-08T18:31:11.124839Z

Hmmm... maybe if I unwatch and then rewatch all activity...

borkdude 2022-12-08T19:10:51.194739Z

speaking of vulnerabilities https://twitter.com/borkdude/status/1600930534523170816

lread 2022-12-08T19:43:22.842039Z

Love it! This channel does need all the mirth it can get! :simple_smile: