
Bump Jackson dependency due to CVE-2022-1471 #26410

Closed

Conversation

bvolpato
Contributor

jackson-dataformat-yaml:2.14.1 included SnakeYAML 1.33, which is within CVE-2022-1471's range.

jackson-dataformat-yaml:2.15.0 updated to SnakeYAML 2.0, which has fixed vulnerabilities.

There was some discussion about the dependency on the dev mailing list (https://lists.apache.org/thread/jcwvgttjsmxyqkc01rwzhd8zjxjk99h4), but #25350 was abandoned because it's not exploitable.

Even though SnakeYAML has a statement about it (https://github.com/snakeyaml/snakeyaml#cve), it is nice to be on a version range that is considered safe.


To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md


See CI.md for more information about GitHub Actions CI.

@github-actions github-actions bot added the build label Apr 25, 2023
@codecov

codecov bot commented Apr 25, 2023

Codecov Report

Merging #26410 (3925f94) into master (85d4276) will decrease coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master   #26410      +/-   ##
==========================================
- Coverage   81.09%   81.07%   -0.02%     
==========================================
  Files         469      469              
  Lines       67199    67199              
==========================================
- Hits        54494    54483      -11     
- Misses      12705    12716      +11     
Flag Coverage Δ
python 81.07% <ø> (-0.02%) ⬇️


see 9 files with indirect coverage changes


@bvolpato
Contributor Author

Run GoPortable PreCommit

@bvolpato
Contributor Author

Run Java_PVR_Flink_Batch PreCommit

@bvolpato
Contributor Author

Run Java_PVR_Flink_Docker PreCommit

@bvolpato
Contributor Author

Run Java_Pulsar_IO_Direct PreCommit

@bvolpato
Contributor Author

Run Java_hadoop_IO_Direct PreCommit

@bvolpato
Contributor Author

Run Python_PVR_Flink PreCommit

@bvolpato
Contributor Author

Run GoPortable PreCommit

@bvolpato
Contributor Author

Run Java PreCommit

@bvolpato
Contributor Author

Run Java_GCP_IO_Direct PreCommit

@bvolpato
Contributor Author

Run Java_PVR_Flink_Docker PreCommit

@bvolpato
Contributor Author

Run Java_hadoop_IO_Direct PreCommit

@bvolpato
Contributor Author

Run Python_PVR_Flink PreCommit

@Abacn
Contributor

Abacn commented Apr 25, 2023

looks like gradle is picking up a different transitive dependency and breaks cassandra:

java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.Constructor.<init>(Ljava/lang/Class;)V
	at org.apache.cassandra.config.YamlConfigurationLoader$CustomConstructor.<init>(YamlConfigurationLoader.java:139)
	at org.apache.cassandra.config.YamlConfigurationLoader.loadConfig(YamlConfigurationLoader.java:120)
	at org.apache.cassandra.config.YamlConfigurationLoader.loadConfig(YamlConfigurationLoader.java:101)
	at org.apache.cassandra.config.DatabaseDescriptor.loadConfig(DatabaseDescriptor.java:276)
	at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:152)
	at org.apache.cassandra.config.DatabaseDescriptor.daemonInitialization(DatabaseDescriptor.java:137)
	at org.apache.cassandra.service.CassandraDaemon.applyConfig(CassandraDaemon.java:673)
	at org.apache.cassandra.service.EmbeddedCassandraService.start(EmbeddedCassandraService.java:50)
	at org.apache.beam.sdk.io.hadoop.format.HadoopFormatIOCassandraTest.beforeClass(HadoopFormatIOCassandraTest.java:189)

@bvolpato
Contributor Author

Yes, thanks @Abacn.

cassandra-all is using a very old version of SnakeYAML, even in their recent releases (3.11.8 uses SnakeYAML 1.11, their recent patch 3.11.14 is at SnakeYAML 1.26). There are major updates but I wouldn't go that far.

It is a testImplementation "org.apache.cassandra:cassandra-all:3.11.8" though, so I'll see what can be done. Perhaps pinning old SnakeYAML at sdks/java/io/hadoop-format?
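The signature named in that NoSuchMethodError, Constructor(Class), is the 1.x form that SnakeYAML 2.0 dropped in favour of constructors that take LoaderOptions. As an added illustration (not Beam or Cassandra code), a config loader written against the 2.0 API looks like this; ServerConfig and its fields are assumed names:

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

// Added example (not Beam or Cassandra code): a YAML config loader written against
// the SnakeYAML 2.0 API, where every Constructor takes LoaderOptions. The 1.x
// single-argument Constructor(Class) no longer exists, which is the signature the
// NoSuchMethodError in the Cassandra stack trace reports as missing.
public class YamlConfigLoader {

  // Hypothetical config bean; public field names match the YAML keys.
  public static class ServerConfig {
    public String clusterName;
    public int nativeTransportPort;
  }

  // Typed load: the root type is fixed to ServerConfig. In 2.0, global tags that
  // request arbitrary classes (the mechanism behind CVE-2022-1471) are rejected by
  // default unless a TagInspector in LoaderOptions explicitly allows them.
  public static ServerConfig loadTyped(String text) {
    LoaderOptions opts = new LoaderOptions();
    opts.setAllowDuplicateKeys(false);     // fail on ambiguous config keys
    opts.setMaxAliasesForCollections(50);  // bound alias expansion (billion laughs)
    Constructor ctor = new Constructor(ServerConfig.class, opts); // 2.0 signature
    Yaml yaml = new Yaml(ctor);
    return yaml.loadAs(text, ServerConfig.class);
  }

  // Untyped load for input you do not control: SafeConstructor only produces
  // standard YAML types (maps, lists, scalars), never application classes.
  public static Map<String, Object> loadUntrusted(String text) {
    LoaderOptions opts = new LoaderOptions();
    opts.setMaxAliasesForCollections(50);
    Yaml yaml = new Yaml(new SafeConstructor(opts));
    return yaml.load(text);
  }

  public static void main(String[] args) {
    // Constructed sample document, not taken from any real cassandra.yaml.
    String doc = "clusterName: test-cluster\nnativeTransportPort: 9042\n";
    ServerConfig cfg = loadTyped(doc);
    System.out.println(cfg.clusterName + " " + cfg.nativeTransportPort);
  }
}
```

Code compiled against the 1.x single-argument Constructor(Class) will compile and then fail at runtime with exactly this NoSuchMethodError once 2.0 is the resolved jar, which is why a test-only pin of the old version, as suggested above, only hides the mismatch for that module.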

@github-actions
Contributor

This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 1 week if no further activity occurs. If you think that’s incorrect or this pull request requires a review, please simply write any comment. If closed, you can revive the PR at any time and @mention a reviewer or discuss it on the dev@beam.apache.org list. Thank you for your contributions.

@github-actions github-actions bot added the stale label Jun 25, 2023
@github-actions
Contributor

github-actions bot commented Jul 3, 2023

This pull request has been closed due to lack of activity. If you think that is incorrect, or the pull request requires review, you can revive the PR at any time.

@hpvd

hpvd commented Apr 24, 2024

added this to [Parent issue] Support for Apache Pulsar #31078
