Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to Snakeyaml 2.2 #662

Merged
merged 4 commits into from
Sep 29, 2023
Merged

Update to Snakeyaml 2.2 #662

merged 4 commits into from
Sep 29, 2023

Conversation

kwin
Copy link
Member

@kwin kwin commented Mar 2, 2023

This closes #660

@sonarcloud
Copy link

sonarcloud bot commented Mar 2, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

100.0% 100.0% Coverage
0.0% 0.0% Duplication

@kwin kwin requested a review from ghenzler March 10, 2023 17:27
@kwin kwin marked this pull request as ready for review March 10, 2023 17:27
kwin
kwin commented Mar 14, 2023
View reviewed changes
...z/netcentric/cq/tools/actool/configreader/YamlConfigurationAdminPluginScalarConstructor.java
@@ -23,7 +24,7 @@
* Usually this is called with
* <a href="https://github.com/apache/felix-dev/tree/master/configadmin-plugins/interpolation">Felix Configadmin Interpolation Plugin</a>.
*
* @see <a href="https://bitbucket.org/asomov/snakeyaml/wiki/Variable%20substitution">Variable substitution</a>
* @see <a href="https://bitbucket.org/snakeyaml/snakeyaml/wiki/Variable%20substitution">Variable substitution</a>
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should extend SafeConstructor

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I read https://snyk.io/blog/snakeyaml-unsafe-deserialization-vulnerability/ correctly, we should really be safe by just using snakeyaml-2.0 because by default the class deserialization is not active anymore and we are not using this features anywhere.

@kwin kwin marked this pull request as draft March 17, 2023 16:22
@kwin kwin mentioned this pull request Apr 28, 2023
Closed
@kwin kwin marked this pull request as ready for review September 27, 2023 11:11
@ghenzler ghenzler changed the title Update to Snakeyaml 2.0 Update to Snakeyaml 2.2 Sep 27, 2023
@sonarcloud
Copy link

sonarcloud bot commented Sep 27, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

100.0% 100.0% Coverage
0.0% 0.0% Duplication

warning The version of Java (11.0.20.1) you have used to run this analysis is deprecated and we will stop accepting it soon. Please update to at least Java 17.
Read more here

ghenzler
ghenzler approved these changes Sep 27, 2023
View reviewed changes
Copy link
Member

@ghenzler ghenzler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have tested with the updated snakeyaml version 2.2 and it seems there is really no problem. Class deserialisation we didn't use, and that is the only thing that is by default different in v2.x IIUC.

@kwin kwin merged commit 919e28a into develop Sep 29, 2023
20 checks passed
@kwin kwin deleted the feature/snakeyaml-2 branch September 29, 2023 15:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ghenzler ghenzler ghenzler approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update to snakeyaml 2.2
2 participants
@kwin @ghenzler