Use of software with known vulnerabilities in environments

Need

Remediation of dependencies with known vulnerabilities in Gradle

Context

• Usage of Gradle for build automation in Kotlin and Java projects

• Usage of Maven Central or other repositories for dependency resolution

Description

1. Non-compliant code

// build.gradle.kts
plugins {
    kotlin("jvm") version "1.9.0"
    id("org.springframework.boot") version "3.1.0"
}

dependencies {
    implementation("com.fasterxml.jackson.core:jackson-databind:2.13.0")...

The build.gradle.kts file above declares a dependency on jackson-databind 2.13.0, which contains a known deserialization vulnerability allowing remote code execution (CVE-2022-42003). Additionally, the project pulls in snakeyaml 1.33 transitively through spring-boot-starter-web, which is vulnerable to denial of service via crafted YAML input (CVE-2022-1471). Direct dependencies appear explicitly in the build script, while transitive dependencies are resolved by Gradle and may not be immediately visible. Run gradle dependencies to inspect the full dependency tree.

2. Steps

• Run gradle dependencies or use a dependency scanning plugin to identify packages with known vulnerabilities

• Update vulnerable direct dependencies in build.gradle.kts or build.gradle

• For transitive dependencies, update the parent package that pulls them in

• If updating the parent does not resolve the issue, add a dependency constraint to force a safe version of the transitive dependency

• Alternatively, use a resolution strategy to substitute the vulnerable version globally

• Run gradle build and the test suite to verify the fix

• If no safe version exists upstream, monitor the repository for a patch

3. Secure code example

// build.gradle.kts
plugins {
    kotlin("jvm") version "1.9.0"
    id("org.springframework.boot") version "3.2.0"
}

dependencies {
    implementation("com.fasterxml.jackson.core:jackson-databind:2.15.3")...

The fixed build.gradle.kts updates jackson-databind to a patched version, upgrades the Spring Boot plugin, and adds a dependency constraint to force a safe version of snakeyaml. The constraints block overrides the transitive version without requiring changes to the parent dependency declaration. After applying the changes, run gradle build and the test suite to verify compatibility. Use gradle dependencies to confirm the resolved versions match expectations.
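The following build.gradle.kts is an added example, not the page's own file, that carries the steps above through in full: the direct jackson-databind bump, a constraint for the transitive snakeyaml, the resolution-strategy alternative, and a task that fails the build if a known-vulnerable coordinate still resolves. SNAKEYAML_PATCHED_VERSION is a placeholder for the fixed release named in the CVE-2022-1471 advisory; the Spring Boot starter version 3.2.0 and the failOnKnownVulnerable task name are assumptions.

```kotlin
// build.gradle.kts (added example; SNAKEYAML_PATCHED_VERSION is a placeholder)
plugins {
    kotlin("jvm") version "1.9.0"
    id("org.springframework.boot") version "3.2.0"
}
repositories {
    mavenCentral()
}
// Known-vulnerable coordinates named on this page; the build fails if any resolves.
val knownVulnerable = setOf(
    "com.fasterxml.jackson.core:jackson-databind:2.13.0",
    "org.yaml:snakeyaml:1.33",
)
dependencies {
    implementation("org.springframework.boot:spring-boot-starter-web:3.2.0")
    // Direct dependency: bump to the patched release used in the secure example.
    implementation("com.fasterxml.jackson.core:jackson-databind:2.15.3")
    constraints {
        // Transitive dependency: snakeyaml arrives via spring-boot-starter-web,
        // so it is pinned with a constraint instead of a direct declaration.
        implementation("org.yaml:snakeyaml:SNAKEYAML_PATCHED_VERSION") {
            because("CVE-2022-1471: force a patched snakeyaml on the transitive path")
        }
    }
}
// Alternative to the constraint: rewrite every request for snakeyaml globally,
// including requests coming from other configurations such as test classpaths.
configurations.all {
    resolutionStrategy.eachDependency {
        if (requested.group == "org.yaml" && requested.name == "snakeyaml") {
            useVersion("SNAKEYAML_PATCHED_VERSION")
            because("CVE-2022-1471")
        }
    }
}
// Guard: fail the build if a known-vulnerable version still resolves, so a
// later change that re-introduces it is caught before the artifact ships.
tasks.register("failOnKnownVulnerable") {
    doLast {
        val resolved = configurations.getByName("runtimeClasspath")
            .incoming.resolutionResult.allComponents
            .mapNotNull { it.moduleVersion }.map { "${it.group}:${it.name}:${it.version}" }
        val hits = resolved.filter { it in knownVulnerable }
        check(hits.isEmpty()) { "Known-vulnerable dependencies resolved: $hits" }
    }
}
tasks.named("check") { dependsOn("failOnKnownVulnerable") }
```

The constraint and the resolution strategy are shown side by side only to illustrate both steps; in a real build one of the two is enough. Run gradle check afterwards and confirm the resolved versions with gradle dependencies.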