Change yaml parser to org.snakeyaml:snakeyaml-engine #79
Comments
This will also address #68
At first I was hoping the snakeyaml maintainers would address the issue in their library but I read through their issue/conversation and, apparently, it's very controversial... I'll check out snakeyaml-engine and see how complicated it is to swap over.
How about simply removing the dependency on snakeyaml? The regex format file regexes.yaml is quite simple and could be parsed by a small handwritten parser that just turns the yaml into a `Map<String,List<Map<String,String>>>`
I'd prefer to avoid writing a custom yaml parser
Hi! There is a new version of snakeyaml (2.0) which seems to be free of vulnerabilities. Do you plan to upgrade to that?
I have opened a PR to update to version I agree with the discussion here,
I think it is even better to remove the need to have any YAML parsing at runtime. So I have opened a PR for that: #83 |
I'm pleased to announce version 1.6.1 has been released to Maven Central and the security vulnerability has been addressed. See here for what's changed.
The existing snakeyaml library is listed as vulnerable to security vulnerabilities because it allows creation of arbitrary Java objects, which could lead to remote code execution. org.snakeyaml:snakeyaml-engine seems to be a follow-on from the existing snakeyaml library by the same developers but is able to parse YAML 1.2. Please could you consider using snakeyaml-engine to help developers working in organisations where automated security scanning for vulnerable dependencies causes friction between in-house security teams and ordinary developers who happen to pull in uap-java as a dependency.
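The point of the issue is that the regex file only ever needs plain maps, lists and strings, so the loader should never be able to construct an application class chosen by the document. The following is an added example, not code from uap-java or from either snakeyaml project, showing how to do that with `org.snakeyaml:snakeyaml-engine` (the `Load`/`LoadSettings` API from `org.snakeyaml.engine.v2.api`) and then validate the shape into the `Map<String,List<Map<String,String>>>` model mentioned in the thread. The YAML document embedded below is a constructed sample in the layout of regexes.yaml, not the project's real file, and the class and method names are the example's own.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.snakeyaml.engine.v2.api.Load;
import org.snakeyaml.engine.v2.api.LoadSettings;

public final class RegexesYamlLoader {

    // Constructed sample in the shape of regexes.yaml; not the project's real file.
    static final String SAMPLE_YAML = String.join("\n",
        "user_agent_parsers:",
        "  - regex: 'ExampleBrowser/(\\d+)\\.(\\d+)'",
        "    family_replacement: 'Example Browser'",
        "  - regex: 'OtherAgent/(\\d+)'",
        "os_parsers:",
        "  - regex: 'ExampleOS (\\d+)'",
        "    os_replacement: 'Example OS'",
        "");

    /**
     * Loads YAML into plain collections only. snakeyaml-engine has no constructor that
     * maps a tag to an arbitrary application class, so the document cannot select which
     * Java class is instantiated; the result is built from Map, List, String, Number, Boolean.
     */
    public static Map<String, List<Map<String, String>>> load(String yaml) {
        LoadSettings settings = LoadSettings.builder()
            .setLabel("regexes.yaml")   // label used in parse error messages
            .build();
        Object root = new Load(settings).loadFromString(yaml);
        return toRegexModel(root);
    }

    /** Fails fast if the document does not have the expected section/entry shape. */
    static Map<String, List<Map<String, String>>> toRegexModel(Object root) {
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("top level must be a mapping, got "
                + (root == null ? "null" : root.getClass().getSimpleName()));
        }
        Map<String, List<Map<String, String>>> result = new LinkedHashMap<>();
        for (Map.Entry<?, ?> section : ((Map<?, ?>) root).entrySet()) {
            String name = requireString(section.getKey(), "section name");
            if (!(section.getValue() instanceof List)) {
                throw new IllegalArgumentException("section '" + name + "' must be a sequence");
            }
            List<Map<String, String>> entries = new ArrayList<>();
            for (Object item : (List<?>) section.getValue()) {
                if (!(item instanceof Map)) {
                    throw new IllegalArgumentException("entries of '" + name + "' must be mappings");
                }
                Map<String, String> entry = new LinkedHashMap<>();
                for (Map.Entry<?, ?> kv : ((Map<?, ?>) item).entrySet()) {
                    entry.put(requireString(kv.getKey(), "key in '" + name + "'"),
                              requireString(kv.getValue(), "value in '" + name + "'"));
                }
                // Every parser entry in the regex file carries a 'regex' key.
                if (!entry.containsKey("regex")) {
                    throw new IllegalArgumentException("entry in '" + name + "' has no 'regex'");
                }
                entries.add(entry);
            }
            result.put(name, entries);
        }
        return result;
    }

    private static String requireString(Object value, String what) {
        if (!(value instanceof String)) {
            throw new IllegalArgumentException(what + " must be a string, got "
                + (value == null ? "null" : value.getClass().getSimpleName()));
        }
        return (String) value;
    }

    public static void main(String[] args) {
        Map<String, List<Map<String, String>>> model = load(SAMPLE_YAML);
        model.forEach((section, entries) ->
            System.out.println(section + ": " + entries.size() + " parser(s)"));
    }
}
```

The shape check in `toRegexModel` is what makes the model safe to hand to the rest of the library: anything that is not a string-to-string mapping inside a sequence is rejected at load time rather than surfacing later as a ClassCastException. The same check works unchanged on the object graph returned by SnakeYAML 2.x when it is built with `new Yaml(new SafeConstructor(new LoaderOptions()))`, which likewise refuses to instantiate arbitrary classes.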