Spring and CVE-2022-1471
There was yet another CVE reported recently: CVE-2022-1471, an issue in SnakeYAML.
Spring developers did a nice job: a long time ago they created a security airbag to be safe.
- Spring uses SafeConstructor as suggested in the CVE
- Spring uses a white list filter so that only the expected and configured classes can be created
These 2 steps deliver a complete and reliable measure to feel safe.
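The two measures side by side, as an added example that is not Spring's or SnakeYAML's own code. It assumes SnakeYAML 2.x, where an allow list is expressed through a TagInspector; the class name in the sample document is a constructed placeholder.

```java
import java.util.Set;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public final class SafeYamlLoading {

    // Constructed sample: a "config" that smuggles a global tag naming an arbitrary class.
    static final String TAGGED_DOC = "name: demo\nhandler: !!com.example.NotAllowed {}\n";
    // Constructed sample: ordinary configuration without any global tag.
    static final String PLAIN_DOC = "name: demo\nport: 8080\n";

    // Measure 1: SafeConstructor only knows the standard YAML types (map, list, scalar),
    // so every global tag, whatever class it names, ends in a ConstructorException.
    static Object loadWithSafeConstructor(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    // Measure 2: an allow list of the classes the application expects. Any tag outside
    // the list is refused before a constructor is even looked up.
    static Object loadWithAllowList(String doc, Set<String> allowedClasses) {
        LoaderOptions opts = new LoaderOptions();
        opts.setTagInspector(tag -> allowedClasses.contains(tag.getClassName()));
        Yaml yaml = new Yaml(new Constructor(opts));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("com.example.AppConfig"); // placeholder allow list
        for (String doc : new String[] {PLAIN_DOC, TAGGED_DOC}) {
            try {
                System.out.println("SafeConstructor: " + loadWithSafeConstructor(doc));
            } catch (YAMLException e) {
                System.out.println("SafeConstructor rejected: " + e.getMessage());
            }
            try {
                System.out.println("Allow list: " + loadWithAllowList(doc, allowed));
            } catch (YAMLException e) {
                System.out.println("Allow list rejected: " + e.getMessage());
            }
        }
    }
}
```

The plain document loads as a Map under both settings; the tagged one is rejected by both, which is the behaviour the two Spring measures rely on.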
What to do if your low quality tooling complains?
- Go to the issue tracker of the low quality tooling and file a bug report about a false positive. You will be impressed by the number of bugs already created and ignored (this is what makes the tool low quality: the bugs are created but ignored). The large number of already reported issues should not stop you; they must be aware of the stream of false positives they produce.
- Go to your manager or security specialist and present this information. If you pay for the low quality tooling, they cannot leave it unattended.
- Develop further and be happy!
All the above measures are totally redundant when you use YAML only as configuration for your Spring application, because it comes from a trusted source.
Clarification: what is low quality tooling
- CVE and NIST are not low quality tooling. They are a source of information for those who understand it (this is why the Bible was not allowed to be read by everyone: one has to know some basics).
- CVE and NIST are the messenger (don't shoot the messenger).
- Low quality tooling is the kind that fires a false report. It is a tool which pretends that it uses CVE to warn users, but ignores the most important part of a CVE: the context. It creates noise (false positives) based solely on the name and version of the library/package.
- The community should be aware that the low quality tooling is confusing on purpose. This is its way of showing its importance in order to earn money.