Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RHPAM-4700: Upgrade Jackson to 2.15.2 to make it work with SnakeYAML … #871

Merged
merged 3 commits into from
Nov 20, 2023
Merged

RHPAM-4700: Upgrade Jackson to 2.15.2 to make it work with SnakeYAML … #871

merged 3 commits into from
Nov 20, 2023

Conversation

mareknovotny
Copy link
Member

…2.0 (#870)

https://issues.redhat.com/browse/RHPAM-4700

No org.yaml:snakeyaml:jar:1.33.0 traces on optaweb* or kogito-examples projects after related PRs

Related PRs:

@mareknovotny mareknovotny mentioned this pull request Nov 13, 2023
Closed
@yurloc yurloc mentioned this pull request Nov 13, 2023
Merged
@mareknovotny
Copy link
Member Author

jenkins retest this please

lucamolteni
lucamolteni approved these changes Nov 15, 2023
View reviewed changes
Copy link

@lucamolteni lucamolteni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still convinced we should have been fine anyway with this quarkusio/quarkus#30440 but I'm fine with this solution

@yurloc
Copy link
Member

yurloc commented Nov 20, 2023

I'm still convinced we should have been fine anyway with this quarkusio/quarkus#30440 but I'm fine with this solution

@lucamolteni I don't think so because smallrye-config-source-yaml:2.12.3 depends on snakeyaml:1.33, see https://mvnrepository.com/artifact/io.smallrye.config/smallrye-config-source-yaml/2.12.3. Am I missing something?

@lucamolteni
Copy link

I'm still convinced we should have been fine anyway with this quarkusio/quarkus#30440 but I'm fine with this solution

@lucamolteni I don't think so because smallrye-config-source-yaml:2.12.3 depends on snakeyaml:1.33, see https://mvnrepository.com/artifact/io.smallrye.config/smallrye-config-source-yaml/2.12.3. Am I missing something?

You're correct, it uses snakeyaml 1.33. We don't need to use snakeyaml 2.0.0 necessarily, as long as we don't use that specific no args constructor

@yurloc
Copy link
Member

yurloc commented Nov 20, 2023

I'm still convinced we should have been fine anyway with this quarkusio/quarkus#30440 but I'm fine with this solution

@lucamolteni I don't think so because smallrye-config-source-yaml:2.12.3 depends on snakeyaml:1.33, see https://mvnrepository.com/artifact/io.smallrye.config/smallrye-config-source-yaml/2.12.3. Am I missing something?

You're correct, it uses snakeyaml 1.33. We don't need to use snakeyaml 2.0.0 necessarily, as long as we don't use that specific no args constructor

Yes, that is true but our ultimate goal is not only to prevent the vulnerability (which is technically not present in this project) but also to escape the reporting tools, which mark the project as vulnerable just because it depends on SnakeYAML 1.33.

@yurloc
Copy link
Member

yurloc commented Nov 20, 2023

Jenkins retest this.

I want to check if kiegroup/optaplanner#33 actually disables Sonar analysis.

@mareknovotny mareknovotny requested a review from yurloc November 20, 2023 13:46
@mareknovotny mareknovotny mentioned this pull request Nov 20, 2023
Closed
yurloc
yurloc approved these changes Nov 20, 2023
View reviewed changes
Copy link
Member

@yurloc yurloc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@mareknovotny mareknovotny merged commit 6fadeaf into 8.13.x Nov 20, 2023
4 checks passed
@mareknovotny mareknovotny deleted the RHPAM-4700 branch November 20, 2023 15:20
@lucamolteni lucamolteni mentioned this pull request Nov 20, 2023
Merged
@github-actions github-actions bot mentioned this pull request Nov 24, 2023
Open
@mareknovotny mareknovotny mentioned this pull request Jan 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yurloc yurloc yurloc approved these changes

@lucamolteni lucamolteni lucamolteni approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mareknovotny @yurloc @lucamolteni