[fix][sec] Update dependencies to use snakeyaml 2.0 against 3.0

Author: eugene-cheverda

distribution/server/src/assemble/LICENSE.bin.txt

@@ -246,17 +246,17 @@ The Apache Software License, Version 2.0
  * JCommander -- com.beust-jcommander-1.82.jar
  * High Performance Primitive Collections for Java -- com.carrotsearch-hppc-0.9.1.jar
  * Jackson
-     - com.fasterxml.jackson.core-jackson-annotations-2.13.4.jar
-     - com.fasterxml.jackson.core-jackson-core-2.13.4.jar
-     - com.fasterxml.jackson.core-jackson-databind-2.13.4.2.jar
-     - com.fasterxml.jackson.dataformat-jackson-dataformat-yaml-2.13.4.jar
-     - com.fasterxml.jackson.jaxrs-jackson-jaxrs-base-2.13.4.jar
-     - com.fasterxml.jackson.jaxrs-jackson-jaxrs-json-provider-2.13.4.jar
-     - com.fasterxml.jackson.module-jackson-module-jaxb-annotations-2.13.4.jar
-     - com.fasterxml.jackson.module-jackson-module-jsonSchema-2.13.4.jar
-     - com.fasterxml.jackson.datatype-jackson-datatype-jdk8-2.13.4.jar
-     - com.fasterxml.jackson.datatype-jackson-datatype-jsr310-2.13.4.jar
-     - com.fasterxml.jackson.module-jackson-module-parameter-names-2.13.4.jar
+     - com.fasterxml.jackson.core-jackson-annotations-2.15.0.jar
+     - com.fasterxml.jackson.core-jackson-core-2.15.0.jar
+     - com.fasterxml.jackson.core-jackson-databind-2.15.0.2.jar
+     - com.fasterxml.jackson.dataformat-jackson-dataformat-yaml-2.15.0.jar
+     - com.fasterxml.jackson.jaxrs-jackson-jaxrs-base-2.15.0.jar
+     - com.fasterxml.jackson.jaxrs-jackson-jaxrs-json-provider-2.15.0.jar
+     - com.fasterxml.jackson.module-jackson-module-jaxb-annotations-2.15.0.jar
+     - com.fasterxml.jackson.module-jackson-module-jsonSchema-2.15.0.jar
+     - com.fasterxml.jackson.datatype-jackson-datatype-jdk8-2.15.0.jar
+     - com.fasterxml.jackson.datatype-jackson-datatype-jsr310-2.15.0.jar
+     - com.fasterxml.jackson.module-jackson-module-parameter-names-2.15.0.jar
  * Caffeine -- com.github.ben-manes.caffeine-caffeine-2.9.1.jar
  * Conscrypt -- org.conscrypt-conscrypt-openjdk-uber-2.5.2.jar
  * Proto Google Common Protos -- com.google.api.grpc-proto-google-common-protos-2.0.1.jar
@@ -321,7 +321,7 @@ The Apache Software License, Version 2.0
     - io.netty.incubator-netty-incubator-transport-native-io_uring-0.0.18.Final-linux-x86_64.jar
     - io.netty.incubator-netty-incubator-transport-native-io_uring-0.0.18.Final-linux-aarch_64.jar
  * Prometheus client
-    - io.prometheus.jmx-collector-0.16.1.jar
+    - io.prometheus.jmx-collector-0.18.0.jar
     - io.prometheus-simpleclient-0.16.0.jar
     - io.prometheus-simpleclient_caffeine-0.16.0.jar
     - io.prometheus-simpleclient_common-0.16.0.jar
@@ -402,7 +402,7 @@ The Apache Software License, Version 2.0
     - org.eclipse.jetty.websocket-websocket-servlet-9.4.48.v20220622.jar
     - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.48.v20220622.jar
     - org.eclipse.jetty-jetty-alpn-server-9.4.48.v20220622.jar
- * SnakeYaml -- org.yaml-snakeyaml-1.32.jar
+ * SnakeYaml -- org.yaml-snakeyaml-2.0.jar
  * RocksDB - org.rocksdb-rocksdbjni-7.9.2.jar
  * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.5.1.jar
  * Apache Thrift - org.apache.thrift-libthrift-0.14.2.jar

distribution/shell/src/assemble/LICENSE.bin.txt

@@ -311,17 +311,17 @@ This projects includes binary packages with the following licenses:
 The Apache Software License, Version 2.0
  * JCommander -- jcommander-1.82.jar
  * Jackson
-     - jackson-annotations-2.13.4.jar
-     - jackson-core-2.13.4.jar
-     - jackson-databind-2.13.4.2.jar
-     - jackson-dataformat-yaml-2.13.4.jar
-     - jackson-jaxrs-base-2.13.4.jar
-     - jackson-jaxrs-json-provider-2.13.4.jar
-     - jackson-module-jaxb-annotations-2.13.4.jar
-     - jackson-module-jsonSchema-2.13.4.jar
-     - jackson-datatype-jdk8-2.13.4.jar
-     - jackson-datatype-jsr310-2.13.4.jar
-     - jackson-module-parameter-names-2.13.4.jar
+     - jackson-annotations-2.15.0.jar
+     - jackson-core-2.15.0.jar
+     - jackson-databind-2.15.0.2.jar
+     - jackson-dataformat-yaml-2.15.0.jar
+     - jackson-jaxrs-base-2.15.0.jar
+     - jackson-jaxrs-json-provider-2.15.0.jar
+     - jackson-module-jaxb-annotations-2.15.0.jar
+     - jackson-module-jsonSchema-2.15.0.jar
+     - jackson-datatype-jdk8-2.15.0.jar
+     - jackson-datatype-jsr310-2.15.0.jar
+     - jackson-module-parameter-names-2.15.0.jar
  * Conscrypt -- conscrypt-openjdk-uber-2.5.2.jar
  * Gson
     - gson-2.8.9.jar
@@ -407,7 +407,7 @@ The Apache Software License, Version 2.0
     - websocket-api-9.4.48.v20220622.jar
     - websocket-client-9.4.48.v20220622.jar
     - websocket-common-9.4.48.v20220622.jar
- * SnakeYaml -- snakeyaml-1.32.jar
+ * SnakeYaml -- snakeyaml-2.0.jar
  * Google Error Prone Annotations - error_prone_annotations-2.5.1.jar
  * Javassist -- javassist-3.25.0-GA.jar
   * Apache Avro

pom.xml

@@ -154,7 +154,7 @@ flexible messaging model and an intuitive client API.</description>
     <bouncycastle.version>1.69</bouncycastle.version>
     <bouncycastle.bcpkix-fips.version>1.0.6</bouncycastle.bcpkix-fips.version>
     <bouncycastle.bc-fips.version>1.0.2.3</bouncycastle.bc-fips.version>
-    <jackson.version>2.13.4.20221013</jackson.version>
+    <jackson.version>2.15.0</jackson.version>
     <reflections.version>0.10.2</reflections.version>
     <swagger.version>1.6.2</swagger.version>
     <puppycrawl.checkstyle.version>8.37</puppycrawl.checkstyle.version>
@@ -203,7 +203,7 @@ flexible messaging model and an intuitive client API.</description>
     <hbase.version>2.4.15</hbase.version>
     <guava.version>31.0.1-jre</guava.version>
     <jcip.version>1.0</jcip.version>
-    <prometheus-jmx.version>0.16.1</prometheus-jmx.version>
+    <prometheus-jmx.version>0.18.0</prometheus-jmx.version>
     <confluent.version>6.2.8</confluent.version>
     <aircompressor.version>0.20</aircompressor.version>
     <asynchttpclient.version>2.12.1</asynchttpclient.version>
@@ -242,7 +242,7 @@ flexible messaging model and an intuitive client API.</description>
     <apache-http-client.version>4.5.13</apache-http-client.version>
     <apache-httpcomponents.version>4.4.15</apache-httpcomponents.version>
     <jetcd.version>0.5.11</jetcd.version>
-    <snakeyaml.version>1.32</snakeyaml.version>
+    <snakeyaml.version>2.0</snakeyaml.version>
     <ant.version>1.10.12</ant.version>
     <seancfoley.ipaddress.version>5.3.3</seancfoley.ipaddress.version>
     <disruptor.version>3.4.3</disruptor.version>

pulsar-common/src/main/java/org/apache/pulsar/common/util/FieldParser.java

@@ -21,8 +21,8 @@
 import static com.google.common.base.Preconditions.checkArgument;
 import static java.lang.String.format;
 import static java.util.Objects.requireNonNull;
-import com.fasterxml.jackson.databind.AnnotationIntrospector;
-import com.fasterxml.jackson.databind.introspect.JacksonAnnotationIntrospector;
+import com.fasterxml.jackson.databind.DeserializationConfig;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.util.EnumResolver;
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
@@ -58,7 +58,8 @@ public final class FieldParser {
     private static final Map<String, Method> CONVERTERS = new HashMap<>();
     private static final Map<Class<?>, Class<?>> WRAPPER_TYPES = new HashMap<>();
 
-    private static final AnnotationIntrospector ANNOTATION_INTROSPECTOR = new JacksonAnnotationIntrospector();
+    private static final ObjectMapper MAPPER = new ObjectMapper();
+    private static final DeserializationConfig DESERIALIZATION_CONFIG = MAPPER.getDeserializationConfig();
 
     static {
         // Preload converters and wrapperTypes.
@@ -100,7 +101,7 @@ public static <T> T convert(Object from, Class<T> to) {
 
         if (to.isEnum()) {
             // Converting string to enum
-            EnumResolver r = EnumResolver.constructUsingToString((Class<Enum<?>>) to, ANNOTATION_INTROSPECTOR);
+            EnumResolver r = EnumResolver.constructUsingToString(DESERIALIZATION_CONFIG, (Class<Enum<?>>) to);
             T value = (T) r.findEnum((String) from);
             if (value == null) {
                 throw new RuntimeException("Invalid value '" + from + "' for enum " + to);

pulsar-sql/presto-distribution/LICENSE

@@ -207,19 +207,19 @@ This projects includes binary packages with the following licenses:
 The Apache Software License, Version 2.0
 
   * Jackson
-    - jackson-annotations-2.13.4.jar
-    - jackson-core-2.13.4.jar
-    - jackson-databind-2.13.4.2.jar
-    - jackson-dataformat-smile-2.13.4.jar
-    - jackson-datatype-guava-2.13.4.jar
-    - jackson-datatype-jdk8-2.13.4.jar
-    - jackson-datatype-joda-2.13.4.jar
-    - jackson-datatype-jsr310-2.13.4.jar
-    - jackson-dataformat-yaml-2.13.4.jar
-    - jackson-jaxrs-base-2.13.4.jar
-    - jackson-jaxrs-json-provider-2.13.4.jar
-    - jackson-module-jaxb-annotations-2.13.4.jar
-    - jackson-module-jsonSchema-2.13.4.jar
+    - jackson-annotations-2.15.0.jar
+    - jackson-core-2.15.0.jar
+    - jackson-databind-2.15.0.2.jar
+    - jackson-dataformat-smile-2.15.0.jar
+    - jackson-datatype-guava-2.15.0.jar
+    - jackson-datatype-jdk8-2.15.0.jar
+    - jackson-datatype-joda-2.15.0.jar
+    - jackson-datatype-jsr310-2.15.0.jar
+    - jackson-dataformat-yaml-2.15.0.jar
+    - jackson-jaxrs-base-2.15.0.jar
+    - jackson-jaxrs-json-provider-2.15.0.jar
+    - jackson-module-jaxb-annotations-2.15.0.jar
+    - jackson-module-jsonSchema-2.15.0.jar
  * Guava
     - guava-31.0.1-jre.jar
     - listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
@@ -401,7 +401,7 @@ The Apache Software License, Version 2.0
   * RocksDB JNI
     - rocksdbjni-7.9.2.jar
   * SnakeYAML
-    - snakeyaml-1.32.jar
+    - snakeyaml-2.0.jar
   * Bean Validation API
     - validation-api-2.0.1.Final.jar
   * Objectsize
@@ -456,7 +456,7 @@ The Apache Software License, Version 2.0
   * Snappy
     - snappy-java-1.1.8.4.jar
   * Jackson
-    - jackson-module-parameter-names-2.13.4.jar
+    - jackson-module-parameter-names-2.15.0.jar
   * Java Assist
     - javassist-3.25.0-GA.jar
   * Java Native Access