CVE-2022-1471 identified on pulsar client for snakeyaml's SafeConstructor usage mandate

[sindhushreem]

Search before asking

• I searched in the issues and found nothing similar.

Version

2.10.3

Minimal reproduce step

Run the security scan

What did you expect to see?

Upgrade the snake yaml to latest version

What did you see instead?

Vulnerability identified on client modules .

Anything else?

No response

Are you willing to submit a PR?

• I'm willing to submit a PR!

[tisonkun]

@lhotari @nicoloboschi IIRC snakeyaml has several CVEs and while bumping from 1.30 to 1.32 there are still remaining ones.

What's your suggestion on handling this issue? Is there a version that fixes all the CVEs, or we just suppress the report for now and close all issues like this one as temporarily suppressed?

[lhotari]

@lhotari @nicoloboschi IIRC snakeyaml has several CVEs and while bumping from 1.30 to 1.32 there are still remaining ones.

What's your suggestion on handling this issue? Is there a version that fixes all the CVEs, or we just suppress the report for now and close all issues like this one as temporarily suppressed?

@tisonkun We use Snakyaml via Jackson. Jackson 2.15 will be using Snakeyaml 2.0, FasterXML/jackson-dataformats-text#390 , https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.15#yaml-format-module .
2.15 hasn't been released yet, it's currently 2.15.0-rc2 .
Perhaps we should consider Jackson 2.15 for Pulsar 3.0 ?

[sindhushreem]

@lhotari
We do have snake yaml direct dependency in buildtools pom.xml and parent pom.xml .

[tisonkun]

in buildtools pom.xml

Yes. It's unnormal. We should remove it or move it to the dependencyManagement group.

and parent pom.xml

No. It's only in the dependencyManagement to pin the version.

[tisonkun]

2.15 hasn't been released yet, it's currently 2.15.0-rc2 .
Perhaps we should consider Jackson 2.15 for Pulsar 3.0 ?

Yeah. I noticed that jackson 2.15 is unreleased yet. It seems bump such a feature release may introduce unknown risk as well as we don't even have an estimate when they can fire the release.

I tend not to postpone 3.0 due to this issue. cc @poorbarcode IIRC you're one of the RMs of 3.0.

[tisonkun]

It seems Jackson 2.14.2 depends to snakeyaml 2.0 now and #20085 should fix this issue.

@sindhushreem you're welcome to try out the patch.