yl-yue / yue-library Goto Github PK
View Code? Open in Web Editor NEWyue-library是一个基于SpringBoot封装的增强库,提供丰富的Java工具类库、优越的ORM框架、优雅的业务封装、优化的Spring环境配置、完善的规约限制、配套的代码生成平台
Home Page: https://ylyue.cn
License: Apache License 2.0
yue-library's Issues
Dependency org.yaml:snakeyaml, leading to CVE problem
Hi, In /yue-library-data-mybatis,there is a dependency org.yaml:snakeyaml:1.29 that calls the risk method.
The scope of this CVE affected version is [0,1.31)
After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
CVE Bug Invocation Path :
ai.yue.library.data.mybatis.service.BaseService: insertBatch(java.util.Collection)Lai.yue.library.base.view.Result; /.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /.m2/repository/org/mybatis/spring/boot/mybatis-spring-boot-starter/2.2.2/mybatis-spring-boot-starter-2.2.2.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/org/mybatis/spring/boot/mybatis-spring-boot-starter/2.2.2/mybatis-spring-boot-starter-2.2.2.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/org/mybatis/spring/boot/mybatis-spring-boot-starter/2.2.2/mybatis-spring-boot-starter-2.2.2.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;
Dependency tree--
[INFO] ai.ylyue:yue-library-data-mybatis:jar:j11.2.6.2-SNAPSHOT
[INFO] +- ai.ylyue:yue-library-base:jar:j11.2.6.2-SNAPSHOT:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:2.6.11:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] | | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] | | | \- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.3:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.3:compile
[INFO] | +- org.hibernate.validator:hibernate-validator:jar:6.2.4.Final:compile
[INFO] | | +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] | | +- org.jboss.logging:jboss-logging:jar:3.4.3.Final:compile
[INFO] | | \- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] | +- org.springframework:spring-web:jar:5.3.22:compile
[INFO] | | +- org.springframework:spring-beans:jar:5.3.22:compile
[INFO] | | \- org.springframework:spring-core:jar:5.3.22:compile
[INFO] | | \- org.springframework:spring-jcl:jar:5.3.22:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-actuator:jar:2.6.11:compile
[INFO] | | +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.6.11:compile
[INFO] | | | \- org.springframework.boot:spring-boot-actuator:jar:2.6.11:compile
[INFO] | | \- io.micrometer:micrometer-core:jar:1.8.9:compile
[INFO] | | +- org.hdrhistogram:HdrHistogram:jar:2.1.12:compile
[INFO] | | \- org.latencyutils:LatencyUtils:jar:2.0.3:runtime
[INFO] | +- org.springframework.boot:spring-boot-configuration-processor:jar:2.6.11:compile
[INFO] | +- com.alibaba:fastjson:jar:1.2.83:compile
[INFO] | +- org.projectlombok:lombok:jar:1.18.24:compile
[INFO] | +- cn.hutool:hutool-core:jar:5.8.11:compile
[INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] +- com.baomidou:mybatis-plus-boot-starter:jar:3.5.2:compile
[INFO] | +- com.baomidou:mybatis-plus:jar:3.5.2:compile
[INFO] | | +- com.baomidou:mybatis-plus-extension:jar:3.5.2:compile
[INFO] | | | \- com.baomidou:mybatis-plus-core:jar:3.5.2:compile
[INFO] | | | \- com.baomidou:mybatis-plus-annotation:jar:3.5.2:compile
[INFO] | | \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.6.21:compile
[INFO] | | +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.21:compile
[INFO] | | | +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.6.21:compile
[INFO] | | | \- org.jetbrains:annotations:jar:13.0:compile
[INFO] | | \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.6.21:compile
[INFO] | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.6.11:compile
[INFO] | | \- org.springframework.boot:spring-boot:jar:2.6.11:compile
[INFO] | | \- org.springframework:spring-context:jar:5.3.22:compile
[INFO] | | +- org.springframework:spring-aop:jar:5.3.22:compile
[INFO] | | \- org.springframework:spring-expression:jar:5.3.22:compile
[INFO] | \- org.springframework.boot:spring-boot-starter-jdbc:jar:2.6.11:compile
[INFO] | +- com.zaxxer:HikariCP:jar:4.0.3:compile
[INFO] | \- org.springframework:spring-jdbc:jar:5.3.22:compile
[INFO] | \- org.springframework:spring-tx:jar:5.3.22:compile
[INFO] +- com.github.pagehelper:pagehelper-spring-boot-starter:jar:1.4.6:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.6.11:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.11:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] | | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.29:compile
[INFO] | +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:2.2.2:compile
[INFO] | | +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:2.2.2:compile
[INFO] | | +- org.mybatis:mybatis:jar:3.5.9:compile
[INFO] | | \- org.mybatis:mybatis-spring:jar:2.0.7:compile
[INFO] | +- com.github.pagehelper:pagehelper-spring-boot-autoconfigure:jar:1.4.6:compile
[INFO] | \- com.github.pagehelper:pagehelper:jar:5.3.2:compile
[INFO] | \- com.github.jsqlparser:jsqlparser:jar:4.5:compile
[INFO] +- com.alibaba:druid-spring-boot-starter:jar:1.2.15:compile
[INFO] | +- com.alibaba:druid:jar:1.2.15:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- mysql:mysql-connector-java:jar:8.0.30:compile
Suggested solutions:
Update dependency version
Thank you very much.
关于密钥加密交换的疑问
请问密钥加密交换的流程,用后端公钥加密客户端公钥这步有些不明白它的用意,客户端生成公钥私钥后,直接将公钥发送给后端,后端用客户端公钥加密交换密钥返回,然后客户端用私钥解密,这样走是不是更容易一些
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.