
[fix][sec] Update dependencies to use snakeyaml 2.0 against 3.0 #20223


Open · wants to merge 3 commits into base: branch-3.0

Conversation

eugene-cheverda

@eugene-cheverda eugene-cheverda commented May 4, 2023

Fixes #20224

Motivation

Fixes https://avd.aquasec.com/nvd/cve-2022-1471, caused by snakeyaml, by updating all dependencies that bring it into the project.

Modifications

Updated the jackson, snakeyaml and prometheus dependencies, and updated code to use the non-deprecated EnumResolver functions.

Verifying this change

  • Make sure that the change passes the CI checks.

This change is already covered by existing tests, such as FieldParserTest.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository: eugene-cheverda#2
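As an added illustration (not code from this PR or from Pulsar) of the loader behaviour behind the CVE this PR addresses: with SnakeYAML 2.0 a `Yaml` instance built with `SafeConstructor` constructs only the standard YAML types and rejects global `!!fully.qualified.ClassName` tags, so a YAML document cannot choose which Java class gets instantiated. The `SafeYamlConfig` helper and both sample documents are constructed for this example.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Hypothetical helper: loads untrusted YAML into plain maps, lists and scalars only. */
public final class SafeYamlConfig {

    private SafeYamlConfig() {}

    /** Build a loader that knows only the standard YAML tags (str, int, map, seq, ...). */
    static Yaml safeLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(50); // also bounds alias-expansion ("billion laughs") documents
        opts.setAllowDuplicateKeys(false);    // reject ambiguous configuration up front
        // SafeConstructor never maps a global tag to a Java class, so the document
        // cannot steer the loader into instantiating arbitrary types (CVE-2022-1471).
        return new Yaml(new SafeConstructor(opts));
    }

    @SuppressWarnings("unchecked")
    static Map<String, Object> loadConfig(String document) {
        Object root = safeLoader().load(document);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the document root");
        }
        return (Map<String, Object>) root;
    }

    public static void main(String[] args) {
        // Constructed sample: ordinary configuration parses normally.
        String ok = "serviceUrl: pulsar://localhost:6650\nmaxRetries: 3\n";
        System.out.println(loadConfig(ok));

        // Constructed sample: a global tag asks the loader to build a Java object.
        // SafeConstructor has no constructor for that tag and refuses the whole document
        // with a ConstructorException (a YAMLException subclass).
        String tagged = "created: !!java.util.Date 2023-05-04\n";
        try {
            loadConfig(tagged);
            System.out.println("UNEXPECTED: global tag was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```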

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label May 4, 2023
@eugene-cheverda eugene-cheverda marked this pull request as ready for review May 4, 2023 18:09
@eugene-cheverda eugene-cheverda changed the title [improve][security] Update dependencies to use snakeyaml 2.0 against 3.0 [improve][client] Update dependencies to use snakeyaml 2.0 against 3.0 May 4, 2023
@eugene-cheverda eugene-cheverda force-pushed the snakeyaml_security_fix_3.0 branch 2 times, most recently from ac42864 to 6719ec5 Compare May 4, 2023 19:06
@eugene-cheverda eugene-cheverda marked this pull request as draft May 4, 2023 19:28
@eugene-cheverda eugene-cheverda force-pushed the snakeyaml_security_fix_3.0 branch from 6719ec5 to 82ebabd Compare May 4, 2023 20:43
@eugene-cheverda eugene-cheverda changed the title [improve][client] Update dependencies to use snakeyaml 2.0 against 3.0 [fix][sec] Update dependencies to use snakeyaml 2.0 against 3.0 May 4, 2023
@eugene-cheverda eugene-cheverda force-pushed the snakeyaml_security_fix_3.0 branch from 82ebabd to 1d6036a Compare May 4, 2023 23:57
@eugene-cheverda eugene-cheverda marked this pull request as ready for review May 4, 2023 23:58
Member

@mattisonchao mattisonchao left a comment


There's a corner regression by Jackson 2.15. It will affect our JSON schema. We will need to talk about this in the dev mailing list.
FasterXML/jackson-databind#3874

@mattisonchao
Member

@codelipenghui @Technoboy- @lhotari @michaeljmarshall @tisonkun would you mind taking a look?

@eugene-cheverda eugene-cheverda force-pushed the snakeyaml_security_fix_3.0 branch 3 times, most recently from 251b089 to 3fde2e3 Compare May 11, 2023 13:56
@eugene-cheverda eugene-cheverda force-pushed the snakeyaml_security_fix_3.0 branch from 3fde2e3 to 271228d Compare May 11, 2023 13:57
@dave2wave
Member

dave2wave commented May 12, 2023

I don't know if we would have the same concern in Pulsar, but jclouds attempted this upgrade and had to revert it.
apache/jclouds@cf4a926

@eugene-cheverda
Author

eugene-cheverda commented May 12, 2023

Hi @dave2wave

In my PR on master (eugene-cheverda#1) I had successful CI runs with this change; also, the discussion on the update to Jackson 2.15.0 is held here.

@github-actions

The PR had no activity for 30 days; marking with the Stale label.

@github-actions github-actions bot added the Stale label Jun 12, 2023
@tisonkun
Member

Covered by #20085.

@tisonkun tisonkun closed this Jul 27, 2023
@tisonkun
Member

> Covered by #20085.

No. They are different issues.

@tisonkun tisonkun reopened this Jul 27, 2023
@github-actions github-actions bot removed the Stale label Jul 28, 2023
@github-actions

The PR had no activity for 30 days; marking with the Stale label.

@github-actions github-actions bot added the Stale label Aug 28, 2023
@Technoboy- Technoboy- added this to the 3.3.0 milestone Dec 22, 2023
@coderzc coderzc modified the milestones: 3.3.0, 3.4.0 May 8, 2024
@lhotari lhotari modified the milestones: 4.0.0, 4.1.0 Oct 14, 2024
@lhotari
Member

lhotari commented Nov 29, 2024

@eugene-cheverda does this PR still apply?

Labels: doc-not-needed, Stale
7 participants