Introduce .snyk options (#369)

bradAtTraceable · web-flow · commit 9972f3e17097 · 2022-08-30T17:57:28.000-07:00
* Introduce .snyk options

* Circumvent SNYK-JAVA-ORGYAML-2806360
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -85,7 +85,7 @@ jobs:
       - name: Setup snyk
         uses: snyk/actions/setup@0.3.0
       - name: Snyk test
-        run: snyk test -d --all-sub-projects --org=hypertrace --severity-threshold=low --configuration-matching="^runtimeClasspath$"
+        run: snyk test -d --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching="^runtimeClasspath$"
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
           GRADLE_OPTS: -Dorg.gradle.workers.max=1
diff --git a/.snyk b/.snyk
@@ -0,0 +1,8 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.22.1
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
+    - '*':
+        reason: no available replacement
+        expires: 2022-11-30T00:00:00.000Z
diff --git a/javaagent-core/build.gradle.kts b/javaagent-core/build.gradle.kts
@@ -9,5 +9,13 @@ dependencies {
     api("io.opentelemetry:opentelemetry-api:${versions["opentelemetry"]}")
     api("io.opentelemetry.javaagent:opentelemetry-javaagent-instrumentation-api:${versions["opentelemetry_java_agent"]}")
     implementation("org.slf4j:slf4j-api:${versions["slf4j"]}")
-    implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.3")
+    implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.3") {
+        constraints {
+            implementation("org.yaml:snakeyaml:1.31") {
+                because(
+                    "SNYK error SNYK-JAVA-ORGYAML-2806360"
+                )
+            }
+        }
+    }
 }
diff --git a/otel-extensions/build.gradle.kts b/otel-extensions/build.gradle.kts
@@ -47,7 +47,15 @@ dependencies {
     api("com.google.protobuf:protobuf-java")
     api("com.google.protobuf:protobuf-java-util")
     // convert yaml to json, since java protobuf impl supports only json
-    implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.3")
+    implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.3") {
+        constraints {
+            implementation("org.yaml:snakeyaml:1.31") {
+                because(
+                    "SNYK error SNYK-JAVA-ORGYAML-2806360"
+                )
+            }
+        }
+    }
     // fix vulnerability
     constraints {
         api("com.google.code.gson:gson:2.8.9")
