Exclude (unused) snakeyaml dependency (#120553)

* Exclude (unused) snakeyaml dependency * Explanatory comment and CVE link
elastic · Jan 22, 2025 · ff9a1eb · ff9a1eb
1 parent 393e998
commit ff9a1eb
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/x-pack/snapshot-tool/build.gradle b/x-pack/snapshot-tool/build.gradle
@@ -70,6 +70,10 @@ dependencies {
   api 'javax.xml.bind:jaxb-api:2.2.2'
 }
 
+configurations.configureEach {
+  exclude group: 'org.yaml', module: 'snakeyaml' // Avoid CVE: https://nvd.nist.gov/vuln/detail/cve-2022-1471
+}
+
 tasks.named("dependencyLicenses").configure {
   mapping from: /aws-java-sdk-.*/, to: 'aws-java-sdk'
   mapping from: /jmespath-java.*/, to: 'aws-java-sdk'