{
  "_class" : "io.jenkins.plugins.analysis.core.restapi.ReportApi",
  "issues" : [
    {
      "addedAt" : 0,
      "authorEmail" : "-",
      "authorName" : "-",
      "baseName" : "snakeyaml-1.33-gov4j-1.jar",
      "category" : "",
      "columnEnd" : 0,
      "columnStart" : 0,
      "commit" : "-",
      "description" : "",
      "fileName" : "/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/snakeyaml-1.33-gov4j-1.jar",
      "fingerprint" : "FALLBACK-eebdca5a",
      "lineEnd" : 1,
      "lineStart" : 1,
      "message" : "CVE-2022-1471: LanguageSpecificPackageVulnerability\u000a\u000aSnakeYaml: Constructor Deserialization Remote Code Execution\u000a\u000aFor additional help see: **Vulnerability CVE-2022-1471**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.yaml:snakeyaml|2.0|[CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)|\u000a\u000aSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\u000a\u000aPackage: org.yaml:snakeyaml\u000aInstalled Version: 1.33\u000aVulnerability CVE-2022-1471\u000aSeverity: HIGH\u000aFixed Version: 2.0\u000aLink: [CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)",
      "moduleName" : "",
      "origin" : "trivy",
      "originName" : "Trivy Security Scanner",
      "packageName" : "-",
      "reference" : "1300",
      "severity" : "HIGH",
      "toString" : "snakeyaml-1.33-gov4j-1.jar(1,0): CVE-2022-1471: : CVE-2022-1471: LanguageSpecificPackageVulnerability\u000a\u000aSnakeYaml: Constructor Deserialization Remote Code Execution\u000a\u000aFor additional help see: **Vulnerability CVE-2022-1471**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.yaml:snakeyaml|2.0|[CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)|\u000a\u000aSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.\u000a\u000aPackage: org.yaml:snakeyaml\u000aInstalled Version: 1.33\u000aVulnerability CVE-2022-1471\u000aSeverity: HIGH\u000aFixed Version: 2.0\u000aLink: [CVE-2022-1471](https://avd.aquasec.com/nvd/cve-2022-1471)",
      "type" : "CVE-2022-1471"
    }
  ],
  "size" : 1,
  "toString" : "1 warning (high: 1)"
}