Upgrade snakeyaml to 2.0

[zhfeng]

Fixes CVE-2022-1471

Changes proposed in this pull request:

• upgrade snakeyaml to 2.0

---

Before committing this PR, I'm sure that I have checked the following options:

• My code follows the code of conduct of this project.
• I have self-reviewed the commit code.
• I have (or in comment I request) added corresponding labels for the pull request.
• I have passed maven check locally : ./mvnw clean install -B -T1C -Dmaven.javadoc.skip -Dmaven.jacoco.skip -e.
• I have made corresponding changes to the documentation.
• I have added corresponding unit tests for my changes.

[zhfeng]

The more information could be found here: https://www.veracode.com/blog/research/resolving-cve-2022-1471-snakeyaml-20-release-0

I'm not sure shardingsphere allows global tags? I run some related tests with Yaml and they all work.

[zhfeng]

The test fails

Error:  org.apache.shardingsphere.test.it.data.pipeline.scenario.consistencycheck.api.impl.ConsistencyCheckJobAPITest.assertDropByParentJobId  Time elapsed: 0.374 s  <<< ERROR!
java.lang.NoSuchMethodError: org.yaml.snakeyaml.representer.Representer: method 'void <init>()' not found
	at org.apache.shardingsphere.elasticjob.infra.yaml.representer.ElasticJobYamlRepresenter.<init>(ElasticJobYamlRepresenter.java:28)
	at org.apache.shardingsphere.elasticjob.infra.yaml.YamlEngine.marshal(YamlEngine.java:38)
	at org.apache.shardingsphere.elasticjob.lite.lifecycle.internal.settings.JobConfigurationAPIImpl.updateJobConfiguration(JobConfigurationAPIImpl.java:51)
	at org.apache.shardingsphere.data.pipeline.core.api.impl.AbstractPipelineJobAPIImpl.stop(AbstractPipelineJobAPIImpl.java:151)
	at org.apache.shardingsphere.data.pipeline.scenario.consistencycheck.api.impl.ConsistencyCheckJobAPI.dropByParentJobId(ConsistencyCheckJobAPI.java:207)
	at org.apache.shardingsphere.test.it.data.pipeline.scenario.consistencycheck.api.impl.ConsistencyCheckJobAPITest.assertDropByParentJobId(ConsistencyCheckJobAPITest.java:108)

It seems that we need to fix in shardingsphere-elasticjob as well.

[zhfeng]

Well, shardingsphere-elasticjob::elasticjob-lite-spring-boot-starter depends on spring-boot:2.3.x which has not been fixed. According to https://spring.io/projects/spring-boot#support, 2.3.x is EOL so I think we should consider to upgrade to 2.7.x at least.

[terrymanu]

I am considering shading all dependencies of ShardingSphere at a later time so that I won't need to worry about compatibility issues with Spring or other third-party libraries.
However, this is a long-term job that may take several months to complete.

[zhfeng]

Thanks @terrymanu for taking care of the upgarding.

I did some works on shardingsphere-elasticjob to test with spring-boot 2.7.10-SNAPSHOT and snakeyaml 2.0. See zhfeng/shardingsphere-elasticjob@0c2d7b3

We need to be very careful about these CVE issues. Anyway, if I understand correctly, we only use snakeyaml for parsing the configuration files. So it could be low risk in this case.

[zhfeng]

Also do we consider to enable Vulnerability alerts in github which could notify us when our dependency libraies have some security issues which need to be fixed. Something like https://github.com/apache/camel/security/dependabot

Maybe we need to open a ticket for Apache Infra team?

[TeslaCN]

Also do we consider to enable Vulnerability alerts in github which could notify us when our dependency libraies have some security issues which need to be fixed. Something like https://github.com/apache/camel/security/dependabot

Maybe we need to open a ticket for Apache Infra team?

Thanks for your suggestion. Vulnerability alerts was enabled in ShardingSphere repo.

[zhfeng]

Hmm, I can not see it because I'm not a committor?

[TeslaCN]

Hmm, I can not see it because I'm not a committor?

I cannot see camel's security tab either.

[zhfeng]

Yeah, that makes sense. Anyway, CVE-2022-1471 is marked as High due to allow remote code execution. But in shardingshpere, I think we only use it to parse the yaml configuration files, so it might be low risk in this case?

[TeslaCN]

Yeah, that makes sense. Anyway, CVE-2022-1471 is marked as High due to allow remote code execution. But in shardingshpere, I think we only use it to parse the yaml configuration files, so it might be low risk in this case?

Yes.

[linghengqian]

• As an additional topic, consider that the Spring team doesn't expect to make big changes in SnakeYAML, they expect to handle it in Spring Framework 6.1, refer to Switch to Yaml 1.2 with snakeyaml-engine spring-projects/spring-framework#28349 and Upgrade to SnakeYAML 2.0 spring-projects/spring-framework#30048 , should I close Markup SpringBoot users need to specify SnakeYAML version in Github Wiki #21476 to wait for our shade operation on SnakeYAML?

[lizongbo]

yes need upgrade to support snakeyml 1.33 to 2.1

[linghengqian]

yes need upgrade to support snakeyml 1.33 to 2.1

• @lizongbo Obviously we have two ways of thinking about dealing with downstream usage. One is to wait for the Release of ShardingSphere ElasticJob 3.0.4, and the other is to shade the SnakeYAML package, so that the downstream can use a higher version of the SnakeYAML API.

• I assume you are interested in the first option, but I am not sure about the release plan of ShardingSphere ElasticJob 3.0.4. Would you like to start a discussion on the mailing list?

[lizongbo]

yes need upgrade to support snakeyml 1.33 to 2.1

• @lizongbo Obviously we have two ways of thinking about dealing with downstream usage. One is to wait for the Release of ShardingSphere ElasticJob 3.0.4, and the other is to shade the SnakeYAML package, so that the downstream can use a higher version of the SnakeYAML API.
• I assume you are interested in the first option, but I am not sure about the release plan of ShardingSphere ElasticJob 3.0.4. Would you like to start a discussion on the mailing list?

This changed code is fully compatible with snakeyml 1.33, 2.0, 2.1.

because The Representer class's old constructor Representer() was marked as Deprecated in 1.33 and then removed in version 2.0

"public Representer(DumperOptions options) " is exists in 1.33 ,2.0 and 2.1 .

[linghengqian]

yes need upgrade to support snakeyml 1.33 to 2.1

• @lizongbo Obviously we have two ways of thinking about dealing with downstream usage. One is to wait for the Release of ShardingSphere ElasticJob 3.0.4, and the other is to shade the SnakeYAML package, so that the downstream can use a higher version of the SnakeYAML API.
• I assume you are interested in the first option, but I am not sure about the release plan of ShardingSphere ElasticJob 3.0.4. Would you like to start a discussion on the mailing list?

This changed code is fully compatible with snakeyml 1.33, 2.0, 2.1.

because The Representer class's old constructor Representer() was marked as Deprecated in 1.33 and then removed in version 2.0

"public Representer(DumperOptions options) " is exists in 1.33 ,2.0 and 2.1 .

• @lizongbo It looks like the deprecated method on SnakeYAML 1.33 is used because new method of SnakeYAML 1.33 caused CI execution to fail. fix ci #21480 reintroduced methods that were deprecated on SnakeYAML 1.33.
• @totalo I wonder if fix ci #21480 has any background information? Add transaction IT test demo #19293 doesn't mention SnakeYAML.

[zhfeng]

So is there any update on a new release of ElasticJob? I think it has been upgrade.

[linghengqian]

So is there any update on a new release of ElasticJob? I think it has been upgrade.

• @zhfeng Apparently ShardingSphere 5.4.1 will close the milestone on September 30 of this year, see https://github.com/apache/shardingsphere/milestone/27 . But ShardingSphere ElasticJob 3.0.4 doesn't have a specific release plan, see https://github.com/apache/shardingsphere-elasticjob/milestone/9 .
• I assume there is a lack of a PMC responsible for the Release program?

[zhfeng]

Thanks @linghengqian - Please raise this concern on the dev mailing list. It should be important to fix the security issue and hope it can be included in 5.4.1.

[linghengqian]

Thanks @linghengqian - Please raise this concern on the dev mailing list. It should be important to fix the security issue and hope it can be included in 5.4.1.

• @zhfeng I found that I wasn't quite sure how to rewrite the sender from outlook.com to my personal apache.org mailbox, outlook's PC client got a big update in August of this year.

• I'm assuming you have time to send mail to the dev mailing list first?

[zhfeng]

@linghengqian NP - I will take care of it.

[TeslaCN]

Hi @linghengqian Are you willing to release ElasticJob 3.0.4?

[linghengqian]

Hi @linghengqian Are you willing to release ElasticJob 3.0.4?

• @TeslaCN I have no experience working on releases at ASF, and my work has been scattered in recent months. I hope other committers can help with this process.

[linghengqian]

• @zhfeng ShardingSphere ElasticJob 3.0.4 with SnakeYAML 2.x is now available in https://repo1.maven.org/maven2/org/apache/shardingsphere/elasticjob/elasticjob-lite-core/3.0.4/ .

• Do you feel like this needs to be a separate PR, or is it handled in the current PR?

[zhfeng]

@linghengqian feel free to rasie a new PR!

[linghengqian]

@linghengqian feel free to rasie a new PR!

• I have opened the Updates ElasticJob to 3.0.4 to block CVEs for SnakeYAML delivery #28805 .

[zhfeng]

Thanks @linghengqian and I close this PR.