Snakeyaml 2.0 is not compatible with Spring boot 3.0.5 #35064

Closed
cnareshjavadev opened this issue Apr 18, 2023 · 3 comments
Labels
for: external-project For an external project and not something we can fix status: invalid An issue that we don't feel is valid

Comments

@cnareshjavadev

As per the Prisma scan, snakeyaml 1.33 has vulnerabilities, and I am trying to upgrade to snakeyaml version 2.0, but Spring Boot 3.0.5 refers only to snakeyaml 1.33. I even tried excluding 1.33 and adding 2.0 externally; it is still not working.

Please suggest a resolution (Spring Boot 3.0.5 + snakeyaml 2.0).

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 18, 2023
@wilkinsona
Member

wilkinsona commented Apr 18, 2023

Spring Boot 3.0.5 should be compatible with SnakeYAML 2.0 for loading of application.yaml due to these changes that are in 2.7.10, 3.0.5, and 3.1.0-M2. If it's not working for you, you'll need to tell us in what way it's not working for us to be able to help you. If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Apr 18, 2023
@cnareshjavadev
Author

Hi @wilkinsona, thank you for your suggestion.

We have updated pom.xml accordingly with snakeyaml 2.0, but the Prisma Cloud scan report is still somehow referring to the older version of snakeyaml, 1.33. We are unable to find where the Prisma scan is detecting the older version from.

Below are the details of the git repo with our service pom.xmls. Please verify and help us resolve the issue.
https://github.com/cnareshjavadev/snakeyamlNJsonsmatIssues

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Apr 20, 2023
@wilkinsona
Member

As with #35065, I'm afraid this isn't the right place to get help with Prisma. As far as I can tell, it's mistaken as SnakeYaml 2.0 is being used:

[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ utilityService1 ---
[INFO] com.test.utilityService1:utilityService1:jar:4.2.3-SNAPSHOT
[INFO] +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.61.0:compile
[INFO] |  \- xerces:xercesImpl:jar:2.12.2:compile
[INFO] +- org.springframework.boot:spring-boot-starter-validation:jar:3.0.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:3.0.5:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:3.0.5:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:3.0.5:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:3.0.5:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.4.6:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.4.6:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.1:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:2.0.7:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:compile
[INFO] |  |  \- org.springframework:spring-core:jar:6.0.7:compile
[INFO] |  |     \- org.springframework:spring-jcl:jar:6.0.7:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.58:compile
[INFO] |  \- org.hibernate.validator:hibernate-validator:jar:8.0.0.Final:compile
[INFO] |     +- jakarta.validation:jakarta.validation-api:jar:3.0.2:compile
[INFO] |     +- org.jboss.logging:jboss-logging:jar:3.5.0.Final:compile
[INFO] |     \- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.0.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:3.0.5:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.14.2:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.14.2:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.14.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:3.0.5:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.58:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.58:compile
[INFO] |  +- org.springframework:spring-web:jar:6.0.7:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:6.0.7:compile
[INFO] |  |  \- io.micrometer:micrometer-observation:jar:1.10.5:compile
[INFO] |  |     \- io.micrometer:micrometer-commons:jar:1.10.5:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:6.0.7:compile
[INFO] |     +- org.springframework:spring-context:jar:6.0.7:compile
[INFO] |     \- org.springframework:spring-expression:jar:6.0.7:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.0.5:compile
[INFO] |  +- org.springframework:spring-aop:jar:6.0.7:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:6.0.2:compile
[INFO] |  |  \- org.springframework.security:spring-security-core:jar:6.0.2:compile
[INFO] |  |     \- org.springframework.security:spring-security-crypto:jar:6.0.2:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:6.0.2:compile
[INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile
[INFO] +- commons-io:commons-io:jar:2.7:compile
[INFO] +- org.owasp.esapi:esapi:jar:2.3.0.0:compile
[INFO] |  +- com.io7m.xom:xom:jar:1.2.10:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  +- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- org.apache.commons:commons-collections4:jar:4.2:compile
[INFO] |  +- org.owasp.antisamy:antisamy:jar:1.6.7:compile
[INFO] |  |  +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.4:compile
[INFO] |  |  |  \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.5:compile
[INFO] |  |  +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.5:compile
[INFO] |  |  +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
[INFO] |  |  |  +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile
[INFO] |  |  |  +- org.apache.xmlgraphics:batik-util:jar:1.14:compile
[INFO] |  |  |  |  +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile
[INFO] |  |  |  |  \- org.apache.xmlgraphics:batik-i18n:jar:1.14:compile
[INFO] |  |  |  \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile
[INFO] |  |  \- xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:2.0.7:compile
[INFO] |  \- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] +- redis.clients:jedis:jar:4.4.0-m1:compile
[INFO] |  +- org.apache.commons:commons-pool2:jar:2.11.1:compile
[INFO] |  \- com.google.code.gson:gson:jar:2.9.1:compile
[INFO] +- org.springframework.data:spring-data-redis:jar:3.0.4:compile
[INFO] |  +- org.springframework.data:spring-data-keyvalue:jar:3.0.4:compile
[INFO] |  |  \- org.springframework.data:spring-data-commons:jar:3.0.4:compile
[INFO] |  +- org.springframework:spring-tx:jar:6.0.7:compile
[INFO] |  +- org.springframework:spring-oxm:jar:6.0.7:compile
[INFO] |  \- org.springframework:spring-context-support:jar:6.0.7:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:3.0.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:3.0.5:compile
[INFO] |  |  \- org.aspectj:aspectjweaver:jar:1.9.19:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:3.0.5:compile
[INFO] |  |  +- com.zaxxer:HikariCP:jar:5.0.1:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:6.0.7:compile
[INFO] |  +- org.hibernate.orm:hibernate-core:jar:6.1.7.Final:compile
[INFO] |  |  +- jakarta.persistence:jakarta.persistence-api:jar:3.1.0:compile
[INFO] |  |  +- jakarta.transaction:jakarta.transaction-api:jar:2.0.1:compile
[INFO] |  |  +- org.hibernate.common:hibernate-commons-annotations:jar:6.0.6.Final:runtime
[INFO] |  |  +- org.jboss:jandex:jar:2.4.2.Final:runtime
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.12.23:runtime
[INFO] |  |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.0:runtime
[INFO] |  |  |  \- jakarta.activation:jakarta.activation-api:jar:2.1.1:runtime
[INFO] |  |  +- org.glassfish.jaxb:jaxb-runtime:jar:4.0.2:runtime
[INFO] |  |  |  \- org.glassfish.jaxb:jaxb-core:jar:4.0.2:runtime
[INFO] |  |  |     +- org.eclipse.angus:angus-activation:jar:2.0.0:runtime
[INFO] |  |  |     +- org.glassfish.jaxb:txw2:jar:4.0.2:runtime
[INFO] |  |  |     \- com.sun.istack:istack-commons-runtime:jar:4.1.1:runtime
[INFO] |  |  +- jakarta.inject:jakarta.inject-api:jar:2.0.0:runtime
[INFO] |  |  \- org.antlr:antlr4-runtime:jar:4.10.1:runtime
[INFO] |  +- org.springframework.data:spring-data-jpa:jar:3.0.4:compile
[INFO] |  |  \- org.springframework:spring-orm:jar:6.0.7:compile
[INFO] |  \- org.springframework:spring-aspects:jar:6.0.7:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:2.2:test
[INFO] |     \- org.hamcrest:hamcrest:jar:2.2:test
[INFO] +- org.json:json:jar:20080701:compile
[INFO] +- org.postgresql:postgresql:jar:42.5.4:runtime
[INFO] |  \- org.checkerframework:checker-qual:jar:3.5.0:runtime
[INFO] +- com.auth0:java-jwt:jar:3.18.3:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.14.2:compile
[INFO] +- com.auth0:jwks-rsa:jar:0.20.1:compile
[INFO] |  \- com.google.guava:guava:jar:30.0-jre:runtime
[INFO] |     +- com.google.guava:failureaccess:jar:1.0.1:runtime
[INFO] |     +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:runtime
[INFO] |     +- com.google.code.findbugs:jsr305:jar:3.0.2:runtime
[INFO] |     +- com.google.errorprone:error_prone_annotations:jar:2.3.4:runtime
[INFO] |     \- com.google.j2objc:j2objc-annotations:jar:1.3:runtime
[INFO] +- com.azure.spring:azure-spring-boot-starter-storage:jar:3.12.0:compile
[INFO] |  +- com.azure.spring:azure-spring-boot:jar:3.12.0:compile
[INFO] |  |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  |  \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  \- com.azure:azure-storage-file-share:jar:12.11.3:compile
[INFO] +- com.azure.spring:azure-spring-boot-starter-keyvault-secrets:jar:3.12.0:compile
[INFO] |  \- com.azure:azure-security-keyvault-secrets:jar:4.3.6:compile
[INFO] +- com.azure:azure-identity:jar:1.4.3:compile
[INFO] |  +- com.azure:azure-core:jar:1.24.1:compile
[INFO] |  |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.14.2:compile
[INFO] |  |  |  +- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO] |  |  |  \- com.fasterxml.woodstox:woodstox-core:jar:6.5.0:compile
[INFO] |  |  +- io.projectreactor:reactor-core:jar:3.5.4:compile
[INFO] |  |  |  \- org.reactivestreams:reactive-streams:jar:1.0.4:compile
[INFO] |  |  \- io.netty:netty-tcnative-boringssl-static:jar:2.0.54.Final:compile
[INFO] |  |     +- io.netty:netty-tcnative-classes:jar:2.0.54.Final:compile
[INFO] |  |     +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.54.Final:compile
[INFO] |  |     +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.54.Final:compile
[INFO] |  |     +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.54.Final:compile
[INFO] |  |     +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.54.Final:compile
[INFO] |  |     \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.54.Final:compile
[INFO] |  +- com.azure:azure-core-http-netty:jar:1.11.6:compile
[INFO] |  |  +- io.netty:netty-handler:jar:4.1.86.Final:compile
[INFO] |  |  |  +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] |  |  |  +- io.netty:netty-resolver:jar:4.1.86.Final:compile
[INFO] |  |  |  +- io.netty:netty-transport:jar:4.1.86.Final:compile
[INFO] |  |  |  \- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] |  |  +- io.netty:netty-handler-proxy:jar:4.1.86.Final:compile
[INFO] |  |  |  \- io.netty:netty-codec-socks:jar:4.1.86.Final:compile
[INFO] |  |  +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] |  |  +- io.netty:netty-codec-http:jar:4.1.86.Final:compile
[INFO] |  |  +- io.netty:netty-codec-http2:jar:4.1.86.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.86.Final:compile
[INFO] |  |  |  \- io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:compile
[INFO] |  |  +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.86.Final:compile
[INFO] |  |  |  \- io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:compile
[INFO] |  |  \- io.projectreactor.netty:reactor-netty-http:jar:1.1.5:compile
[INFO] |  |     +- io.netty:netty-resolver-dns:jar:4.1.86.Final:compile
[INFO] |  |     |  \- io.netty:netty-codec-dns:jar:4.1.86.Final:compile
[INFO] |  |     +- io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.86.Final:compile
[INFO] |  |     |  \- io.netty:netty-resolver-dns-classes-macos:jar:4.1.86.Final:compile
[INFO] |  |     \- io.projectreactor.netty:reactor-netty-core:jar:1.1.5:compile
[INFO] |  +- com.microsoft.azure:msal4j:jar:1.11.0:compile
[INFO] |  |  \- com.nimbusds:oauth2-oidc-sdk:jar:9.7:compile
[INFO] |  |     +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  |     +- com.nimbusds:content-type:jar:2.1:compile
[INFO] |  |     +- com.nimbusds:lang-tag:jar:1.5:compile
[INFO] |  |     \- com.nimbusds:nimbus-jose-jwt:jar:9.9.3:compile
[INFO] |  +- com.microsoft.azure:msal4j-persistence-extension:jar:1.1.0:compile
[INFO] |  |  \- net.java.dev.jna:jna:jar:5.5.0:compile
[INFO] |  \- net.java.dev.jna:jna-platform:jar:5.6.0:compile
[INFO] +- net.minidev:json-smart:jar:2.4.10:compile
[INFO] |  \- net.minidev:accessors-smart:jar:2.4.9:compile
[INFO] |     \- org.ow2.asm:asm:jar:9.3:compile
[INFO] +- com.azure:azure-storage-blob:jar:12.14.3:compile
[INFO] |  +- com.azure:azure-storage-common:jar:12.14.2:compile
[INFO] |  \- com.azure:azure-storage-internal-avro:jar:12.1.3:compile
[INFO] +- com.sendgrid:sendgrid-java:jar:4.9.3:compile
[INFO] |  +- com.sendgrid:java-http-client:jar:4.5.0:compile
[INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] |  |  \- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] |  |     \- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.14.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.14.2:compile
[INFO] |  \- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.26:provided
[INFO] +- jakarta.servlet:jakarta.servlet-api:jar:6.0.0:provided
[INFO] \- org.yaml:snakeyaml:jar:2.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  10.250 s
[INFO] Finished at: 2023-04-20T08:30:41+01:00
[INFO] ------------------------------------------------------------------------

@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Apr 20, 2023
@wilkinsona wilkinsona added status: invalid An issue that we don't feel is valid for: external-project For an external project and not something we can fix and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Apr 20, 2023
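The dependency tree quoted above shows what Maven resolves at build time, not necessarily what ends up in the artifact a scanner such as Prisma actually reads. The script below is an added example for this thread, not code from Spring Boot or from the reporter's repository: it opens a Spring Boot fat jar, lists every copy of org.yaml:snakeyaml it can find under BOOT-INF/lib (by nested-jar file name and by the META-INF/maven/org.yaml/snakeyaml/pom.properties marker Maven writes into each jar), and flags versions other than the one you expect to ship. The sample jar it builds in memory is constructed for the demonstration; its hypothetical shaded-lib-1.0.jar, which bundles its own snakeyaml 1.33, only illustrates the kind of copy that `mvn dependency:tree` never lists, and nothing here claims that is what happened in the reporter's project.

```python
"""Report which copies of org.yaml:snakeyaml are actually packaged in a jar.

Added example for this thread (not Spring Boot's code, not the reporter's).
A dependency scanner looks at the shipped artifact, so check that rather
than only the output of `mvn dependency:tree`. Works on Spring Boot fat jars
(nested jars under BOOT-INF/lib) and on plain jars; the sample jar below
is constructed in memory.
"""
import io
import re
import zipfile

GROUP = "org.yaml"
ARTIFACT = "snakeyaml"


def _pom_properties_versions(zf, group=GROUP, artifact=ARTIFACT):
    """Versions declared by Maven's pom.properties marker inside one jar.

    This also catches shaded/relocated copies whose file name says nothing.
    """
    path = f"META-INF/maven/{group}/{artifact}/pom.properties"
    if path not in zf.namelist():
        return []
    text = zf.read(path).decode("utf-8", "replace")
    return [line.split("=", 1)[1].strip()
            for line in text.splitlines() if line.strip().startswith("version=")]


def _version_from_filename(name, artifact=ARTIFACT):
    """'BOOT-INF/lib/snakeyaml-2.0.jar' -> '2.0'; None if not this artifact."""
    m = re.fullmatch(rf"(?:.*/)?{re.escape(artifact)}-(\d[^/]*)\.jar", name)
    return m.group(1) if m else None


def find_bundled_versions(jar, group=GROUP, artifact=ARTIFACT):
    """Return sorted (location, version, evidence) triples for every copy found.

    `jar` is a file path or the jar's bytes. Nested jars are opened in memory;
    zipfile reads both stored (Boot's layout) and deflated entries.
    """
    src = io.BytesIO(jar) if isinstance(jar, (bytes, bytearray)) else jar
    found = set()
    with zipfile.ZipFile(src) as outer:
        for v in _pom_properties_versions(outer, group, artifact):
            found.add(("<root>", v, "pom.properties"))
        for name in outer.namelist():
            if not name.endswith(".jar"):
                continue
            fv = _version_from_filename(name, artifact)
            if fv:
                found.add((name, fv, "filename"))
            try:
                inner = zipfile.ZipFile(io.BytesIO(outer.read(name)))
            except zipfile.BadZipFile:
                continue  # .jar suffix but not a zip: ignore
            with inner:
                for v in _pom_properties_versions(inner, group, artifact):
                    found.add((name, v, "pom.properties"))
    return sorted(found)


def unexpected_versions(jar, expected, group=GROUP, artifact=ARTIFACT):
    """Copies whose version differs from the one you believe you ship."""
    return sorted({(loc, v) for loc, v, _ in find_bundled_versions(jar, group, artifact)
                   if v != expected})


def _jar(entries):
    """Build an in-memory jar (zip) from {path: bytes-or-str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def build_sample_fat_jar():
    """Constructed stand-in for target/app.jar (hypothetical, not the reporter's).

    Holds the managed snakeyaml 2.0 plus a made-up third-party jar that shades
    its own snakeyaml 1.33: invisible to dependency:tree, but a scanner that
    reads pom.properties markers would still report 1.33.
    """
    snakeyaml_20 = _jar({
        "META-INF/maven/org.yaml/snakeyaml/pom.properties":
            "#Generated by Maven\nversion=2.0\ngroupId=org.yaml\nartifactId=snakeyaml\n",
        "org/yaml/snakeyaml/Yaml.class": b"\xca\xfe\xba\xbe",
    })
    shaded_lib = _jar({
        "META-INF/maven/org.yaml/snakeyaml/pom.properties":
            "version=1.33\ngroupId=org.yaml\nartifactId=snakeyaml\n",
        "com/example/shaded/org/yaml/snakeyaml/Yaml.class": b"\xca\xfe\xba\xbe",
    })
    return _jar({
        "BOOT-INF/classes/application.yaml": "server:\n  port: 8080\n",
        "BOOT-INF/lib/snakeyaml-2.0.jar": snakeyaml_20,
        "BOOT-INF/lib/shaded-lib-1.0.jar": shaded_lib,
    })


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_fat_jar()
    for loc, ver, evidence in find_bundled_versions(target):
        print(f"{loc}\t{ver}\t({evidence})")
    for loc, ver in unexpected_versions(target, "2.0"):
        print(f"UNEXPECTED: {loc} bundles snakeyaml {ver}")
```

Point it at the artifact the scanner was given (for example `python check_snakeyaml.py target/utilityService1-4.2.3-SNAPSHOT.jar`, the script name being an assumed one), and at the same image or directory if the scan runs against a container or a stale `target/` left over from an earlier build. In a project that inherits from spring-boot-starter-parent, the cleaner way to change the managed version is to set the `snakeyaml.version` property that spring-boot-dependencies defines rather than to exclude and re-add the dependency; either way, a `org.yaml:snakeyaml:jar:2.0:compile` line in the tree only proves what Maven resolved, and the packaged jar is the thing to check.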

3 participants