Skip to content

[fix][sec] Update dependencies to use snakeyaml 2.0 against 3.0#20223

Open
eugene-cheverda wants to merge 3 commits into
apache:branch-3.0from
eugene-cheverda:snakeyaml_security_fix_3.0
Open

[fix][sec] Update dependencies to use snakeyaml 2.0 against 3.0#20223
eugene-cheverda wants to merge 3 commits into
apache:branch-3.0from
eugene-cheverda:snakeyaml_security_fix_3.0

Conversation

@eugene-cheverda

@eugene-cheverda eugene-cheverda commented May 4, 2023
edited
Loading

Copy link
Copy Markdown

Fixes #20224

Motivation

Fixes https://avd.aquasec.com/nvd/cve-2022-1471 caused by snakeyaml by updating all dependencies bringing it into the project

Modifications

Updated jackson, snakeyaml and prometheus dependencies, updated code to use non-deprecated EnumResolver functions

Verifying this change

  • Make sure that the change passes the CI checks.

This change is already covered by existing tests, such as FieldParserTest.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository: eugene-cheverda#2

@github-actions github-actions Bot added the doc-not-needed Your PR changes do not impact docs label May 4, 2023
@eugene-cheverda eugene-cheverda marked this pull request as ready for review May 4, 2023 18:09
@eugene-cheverda eugene-cheverda changed the title [improve][security] Update dependencies to use snakeyaml 2.0 against 3.0 [improve][client] Update dependencies to use snakeyaml 2.0 against 3.0 May 4, 2023
@eugene-cheverda eugene-cheverda force-pushed the snakeyaml_security_fix_3.0 branch 2 times, most recently from ac42864 to 6719ec5 Compare May 4, 2023 19:06
@eugene-cheverda eugene-cheverda marked this pull request as draft May 4, 2023 19:28
@eugene-cheverda eugene-cheverda force-pushed the snakeyaml_security_fix_3.0 branch from 6719ec5 to 82ebabd Compare May 4, 2023 20:43
@eugene-cheverda eugene-cheverda changed the title [improve][client] Update dependencies to use snakeyaml 2.0 against 3.0 [fix][sec] Update dependencies to use snakeyaml 2.0 against 3.0 May 4, 2023
@eugene-cheverda eugene-cheverda force-pushed the snakeyaml_security_fix_3.0 branch from 82ebabd to 1d6036a Compare May 4, 2023 23:57
@eugene-cheverda eugene-cheverda marked this pull request as ready for review May 4, 2023 23:58
mattisonchao
mattisonchao requested changes May 5, 2023
View reviewed changes

@mattisonchao mattisonchao left a comment
edited
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a corner regression by Jackson 2.15. It will affect our json schema. We will need to talk about it this in the dev mail list.
FasterXML/jackson-databind#3874

@mattisonchao

mattisonchao commented May 5, 2023

Copy link
Copy Markdown
Member

@codelipenghui @Technoboy- @lhotari @michaeljmarshall @tisonkun would you mind taking a look?

@eugene-cheverda eugene-cheverda force-pushed the snakeyaml_security_fix_3.0 branch 3 times, most recently from 251b089 to 3fde2e3 Compare May 11, 2023 13:56
@eugene-cheverda eugene-cheverda force-pushed the snakeyaml_security_fix_3.0 branch from 3fde2e3 to 271228d Compare May 11, 2023 13:57
@dave2wave

dave2wave commented May 12, 2023
edited
Loading

Copy link
Copy Markdown
Member

I don't know if we would have the same concern in Pulsar, but jclouds attempted this upgrade and had to revert it.
apache/jclouds@cf4a926

@eugene-cheverda

eugene-cheverda commented May 12, 2023
edited
Loading

Copy link
Copy Markdown
Author

Hi @dave2wave

In my PR on master eugene-cheverda#1 I had successful runs of CI with this change, also the discussion on update to jackson 2.15.0 is held here.

@github-actions

github-actions Bot commented Jun 12, 2023

Copy link
Copy Markdown

The pr had no activity for 30 days, mark with Stale label.

@github-actions github-actions Bot added the Stale label Jun 12, 2023
@tisonkun

tisonkun commented Jul 27, 2023

Copy link
Copy Markdown
Member

Covered by #20085.

@tisonkun tisonkun closed this Jul 27, 2023
@tisonkun

tisonkun commented Jul 27, 2023

Copy link
Copy Markdown
Member

Covered by #20085.

No. They are different issue.

@tisonkun tisonkun reopened this Jul 27, 2023
@github-actions github-actions Bot removed the Stale label Jul 28, 2023
@github-actions

github-actions Bot commented Aug 28, 2023

Copy link
Copy Markdown

The pr had no activity for 30 days, mark with Stale label.

@github-actions github-actions Bot added the Stale label Aug 28, 2023
@Technoboy- Technoboy- added this to the 3.3.0 milestone Dec 22, 2023
@coderzc coderzc modified the milestones: 3.3.0, 3.4.0 May 8, 2024
@lhotari lhotari modified the milestones: 4.0.0, 4.1.0 Oct 14, 2024
@lhotari

lhotari commented Nov 29, 2024

Copy link
Copy Markdown
Member

@eugene-cheverda does this PR still apply?

@coderzc coderzc modified the milestones: 4.1.0, 4.2.0 Sep 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattisonchao mattisonchao mattisonchao requested changes

Assignees

No one assigned

Labels

doc-not-needed Your PR changes do not impact docs Stale

Projects

None yet

Milestone

4.2.0

Development

Successfully merging this pull request may close these issues.

7 participants

@eugene-cheverda @mattisonchao @dave2wave @tisonkun @lhotari @Technoboy- @coderzc