We have a report from GitHub - odpi/egeria: Egeria core at Sonatype Lift -- Console
This shows that some of our components, for example lineage-integrator-client, are dependent on openlineage-java 0.21.1. This is correct:
openlineage-java depends on snakeyaml 1.33.
Further, that particular component is reported as being vulnerable, including a CVSS 9.9 finding for CVE-2022-1471, due to an issue with snakeyaml.
Still all correct.
HOWEVER, in our environment we opted to define dependency constraints in Gradle which revise this transitive dependency to snakeyaml 2.0 (which is not vulnerable), and snakeyaml isn’t directly showing in the report; presumably this is why.
Running a full dependency tree with Gradle shows that in ALL cases our dependency constraint has been effective, i.e. ‘org.yaml:snakeyaml:1.33 → 2.0’.
SO… given all of this, why does our report show us as vulnerable? Does this mean other users of Sonatype will see our component as having a 9.9 issue?
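The verification step described in the post (reading the Gradle dependency tree to confirm the constraint rewrote snakeyaml 1.33 to 2.0 in every configuration) can be automated. The following is an added example, not code from the Egeria project; it parses the text format that `gradle dependencies` prints and reports any configuration where the artifact still resolves below a chosen floor. The sample tree is constructed, with one configuration where the constraint was not applied, to show what a miss looks like.

```python
import re
from typing import Dict, List, Tuple

# Configuration header ("compileClasspath - Compile classpath for source set 'main'.")
CONFIG_RE = re.compile(r"^([A-Za-z]\w*)(?:\s+-\s+.*)?$")
# Dependency node ("|    \--- org.yaml:snakeyaml:1.33 -> 2.0", "\--- org.yaml:snakeyaml:2.0 (c)")
NODE_RE = re.compile(
    r"^[|\s]*[+\\]--- (?P<group>[^:\s]+):(?P<name>[^:\s]+)(?::(?P<declared>\{[^}]*\}|\S+))?"
    r"(?:\s+->\s+(?P<resolved>\S+))?(?:\s+\((?P<marker>[^)]+)\))?\s*$"
)

# Constructed sample of `gradle dependencies` output (not real Egeria output); the constraint
# takes effect on compileClasspath but was not applied to testRuntimeClasspath.
SAMPLE_TREE = r"""
compileClasspath - Compile classpath for source set 'main'.
+--- io.openlineage:openlineage-java:0.21.1
|    \--- org.yaml:snakeyaml:1.33 -> 2.0
\--- org.yaml:snakeyaml:2.0 (c)

testRuntimeClasspath - Runtime classpath of source set 'test'.
\--- io.openlineage:openlineage-java:0.21.1
     \--- org.yaml:snakeyaml:1.33
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.33' -> (1, 33); qualifiers such as '-rc1' are ignored in the comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def find_resolved(tree: str, group: str, name: str) -> Dict[str, List[str]]:
    """Map each configuration to the versions group:name actually resolves to."""
    resolved: Dict[str, List[str]] = {}
    config = None
    for line in tree.splitlines():
        header = CONFIG_RE.match(line)
        if header:
            config = header.group(1)
            continue
        node = NODE_RE.match(line)
        if not node or config is None or node.group("marker") == "c" \
                or (node.group("group"), node.group("name")) != (group, name):
            continue  # not our artifact, or the constraint declaration itself ("(c)")
        version = node.group("resolved") or node.group("declared")  # resolved wins over declared
        if version:
            resolved.setdefault(config, []).append(version)
    return resolved

def versions_below(tree: str, group: str, name: str, floor: str) -> List[Tuple[str, str]]:
    """(configuration, version) pairs where group:name still resolves below `floor`."""
    return [(cfg, v) for cfg, vs in find_resolved(tree, group, name).items()
            for v in vs if parse_version(v) < parse_version(floor)]
```

Feed it the real output of `gradle dependencies --configuration <name>` (or the full tree) and an empty result for `versions_below(..., "org.yaml", "snakeyaml", "2.0")` confirms the constraint held everywhere; a non-empty one names the configurations to fix.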