clj-yaml

lread 2023-01-12T15:48:27.363409Z

Great article! Makes me wonder about the design goals of YAML. I'm guessing unambiguous was not on the list.

lread 2023-01-12T22:42:48.656479Z

Just noticed that our nvd scan on clj-yaml was failing due to a bug in the scanner. Bumped and it is running again.

lread 2023-01-12T22:44:01.046809Z

And... it is reporting CVE-2022-3064, CVE-2021-4235 against snakeyaml.

lread 2023-01-12T22:44:57.305299Z

https://nvd.nist.gov/vuln/detail/CVE-2021-4235 seems like a false positive; I don't see snakeyaml listed.

lread 2023-01-12T22:46:13.248339Z

https://nvd.nist.gov/vuln/detail/CVE-2022-3064 ditto.

lread 2023-01-12T22:46:49.689759Z

Can someone else double-check the above to make sure I'm not missing something? If not, I can add these to the ignore list.

vemv 2023-01-13T01:27:32.601409Z

I can second they're FPs. Happy the bump worked!

lread 2023-01-13T04:55:25.299519Z

Thanks @vemv, and thank you also for the nvd-clojure fix!

slipset 2023-01-13T07:25:26.870839Z

We’re also having false positives at work ATM.