We are using Dependabot to notify us of insecure dependencies in our classpath. Builds should be using sbt-dependency-submission to upload dependencies to GitHub. This is integrated into banno-sbt-plugin (for apps) and [sbt-banno-library-ci-release][sbt-banno-library-ci-release] via sbt-digital (for libraries), so most Scala projects get it for free.
Dependabot alerts are visible in the Banno and Geezeo orgs. Many of them are spurious, but we want to stay on top of them so we can find the signal in the noise.
This is a reference for recurring alerts, why you might be seeing them, and what to do about them.
## com.fasterxml.jackson.core:jackson-databind
This is a dependency of the Scala 3 documentation tool and appears frequently in libraries cross-built for Scala 3. Adding scala-doc-tool to configs-ignore should safely clean up most of these. This is done by default in actions managed by sbt-digital >= 0.1.3.
```yaml
- name: Submit Dependencies
  if: github.event_name != 'pull_request'
  uses: scalacenter/sbt-dependency-submission@v2
  with:
    configs-ignore: scala-doc-tool
```
### CVE-2022-42003, CVE-2022-42004
For these, the embedded jackson-databind dependency must be upgraded to >= 2.12.7.1. To fix, upgrade logback-classic >= 1.4.11 and logstash-logback-encoder >= 7.4.
## com.google.protobuf:protobuf-java
This is a dependency of the Scala 3 incremental compiler and appears frequently in libraries cross-built for Scala 3. Adding scala-doc-tool and scala-tool to configs-ignore should safely clean up most of these. This is done by default in actions managed by sbt-digital >= 0.1.3.
```yaml
- name: Submit Dependencies
  if: github.event_name != 'pull_request'
  uses: scalacenter/sbt-dependency-submission@v2
  with:
    configs-ignore: scala-doc-tool scala-tool
```
## io.undertow:undertow-core
This is a dependency of mdoc, and most commonly seen in open source. Mdoc uses it for live refreshing over a local, non-TLS HTTP server. These are safe to close if this applies to you. There is an upstream PR.
## org.apache.pdfbox:pdfbox
This is a transitive dependency of mdoc and is most commonly seen in our open source. We are not too worried about dependencies in modules that don't publish to Artifactory, like docs, so add those modules to modules-ignore. Actions managed by sbt-typelevel, which is the norm, should configure this in the build definition rather than in the workflow.
```yaml
- name: Submit Dependencies
  if: github.event_name != 'pull_request'
  uses: scalacenter/sbt-dependency-submission@v2
  with:
    modules-ignore: docs_2.12 docs_2.13 docs_3
```
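For a project that hits several of these alerts at once, here is one complete workflow job that applies every ignore list on this page in a single submission. It is an added example, not code from this page or from the sbt-dependency-submission project; the checkout, setup-java and setup-sbt steps and the `permissions` block are assumptions, and only the `scalacenter/sbt-dependency-submission@v2` step with its two inputs comes from this page.

```yaml
# Added example (not from this page or the sbt-dependency-submission project):
# one job that applies both ignore lists this page recommends, so a single
# submission removes the spurious jackson-databind, protobuf-java, jsoup,
# snakeyaml and pdfbox alerts. Versions of checkout/setup-java/setup-sbt are
# assumed; only scalacenter/sbt-dependency-submission@v2 is from this page.
name: Submit Dependencies

on:
  push:
    branches: [main]
  pull_request:

jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    # The dependency-submission step writes to the repository's dependency
    # graph, so the job token needs write access to contents (assumption,
    # based on the action's documented requirement).
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: sbt/setup-sbt@v1
      - name: Submit Dependencies
        # Same condition as the snippets on this page: only the default
        # branch's graph is submitted, not pull-request branches.
        if: github.event_name != 'pull_request'
        uses: scalacenter/sbt-dependency-submission@v2
        with:
          # The Scala 3 doc tool and compiler classpaths are not shipped with
          # the artifact; ignoring them drops the jackson-databind, jsoup,
          # snakeyaml and protobuf-java alerts. Both inputs take a
          # space-separated list.
          configs-ignore: scala-doc-tool scala-tool
          # mdoc-only docs modules (the source of the pdfbox alert) are never
          # published to Artifactory. Adjust the names to your build.
          modules-ignore: docs_2.12 docs_2.13 docs_3
```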
## org.apache.tomcat.embed:tomcat-embed-core
This is usually transitive through the deprecated natchez-jaeger. Get thee hence to OpenTelemetry.
## org.jsoup:jsoup
This is a dependency of the Scala 3 documentation tool and appears frequently in libraries cross-built for Scala 3. Adding scala-doc-tool to configs-ignore should safely clean up most of these. This is done by default in actions managed by sbt-digital >= 0.1.3.
```yaml
- name: Submit Dependencies
  if: github.event_name != 'pull_request'
  uses: scalacenter/sbt-dependency-submission@v2
  with:
    configs-ignore: scala-doc-tool
```
## org.postgresql:postgresql
This usually comes to us via Doobie or flyway4s.
### CVE-2022-31197
This should go away in doobie-1.0.0-RC3 or flyway4s-5.1.0. Doobie doesn’t directly call refreshRow(), and as of June 9, 2023, Banno doesn’t.
### CVE-2022-21724
This should go away in doobie-1.0.0-RC3. It would require a malicious injection of a JDBC URL.
## org.scala-lang:scala-library
### CVE-2022-36944
This probably doesn’t affect you, but it’s terrible if it does. This one is easy: just upgrade your Scala 2.13 version.
## org.yaml:snakeyaml
This is a dependency of the Scala 3 documentation tool and appears frequently in libraries cross-built for Scala 3. Adding scala-doc-tool to configs-ignore should safely clean up most of these. This is done by default in actions managed by sbt-digital >= 0.1.3.
```yaml
- name: Submit Dependencies
  if: github.event_name != 'pull_request'
  uses: scalacenter/sbt-dependency-submission@v2
  with:
    configs-ignore: scala-doc-tool
```
### CVE-2022-1471
The vulnerability, “SnakeYaml Constructor Deserialization Remote Code Execution”, requires snakeyaml-2.0 to fix. This is binary incompatible with the snakeyaml-1.x used by sbt-typelevel-0.4.x. There is a rant about low-quality tooling in the SnakeYAML docs, but a better read is the GitHub advisory, which links to a fun read on the bug thread.
- If you are using SnakeYAML for GitHub Actions via sbt-typelevel, and not to parse untrusted YAML, it is safe to mark this as unused.
- If you are inheriting SnakeYAML from swagger-core, it is safe to dismiss it as a risk acceptable to the project (unless for some reason your swagger docs are editable by outside users).
- If you are inheriting SnakeYAML from io.confluent:kafka-schema-registry-client, it should be safe to dismiss as unused. The following versions have been checked and confirmed: snakeyaml may be on the classpath, but it is unused.
  - v6.2.10
  - v6.2.11
  - v7.0.10
  - v7.1.8
  - v7.2.6
  - v7.3.3
  - See the source code if your version isn't listed.