fix(cve): Upgrade snakeyaml from 1.29 to 1.31

Spring boot 2.6.15 brings snakeyaml 1.29, which fails to parse yaml (including some k8s manifest) due to issue mentioned [here](spring-projects/spring-boot#30159 (comment)). It's safe to upgrade beyond 1.29. However, snakeyaml 1.32 has been introduced with [feature](https://bitbucket.org/snakeyaml/snakeyaml/issues/547/restrict-the-size-of-incoming-data) of restricting the size of incoming data i.e file size to 3 MB by default, and spring boot versions <= 3.0.7 are not equipped to modify this limit. So attempting to use 1.31 in order to avoid file size limitation till upgrade >= 3.0.7 and to resolve CVE-2022-25857 and CVE-2022-38749. spring-projects/spring-boot#32228 (comment).
j-sandy · Mar 21, 2024 · 4afb107 · 4afb107
1 parent e823562
commit 4afb107
Showing 1 changed file with 10 additions and 16 deletions.
diff --git a/spinnaker-dependencies/spinnaker-dependencies.gradle b/spinnaker-dependencies/spinnaker-dependencies.gradle
@@ -188,22 +188,16 @@ dependencies {
       }
     }
     api("org.pf4j:pf4j-update:2.3.0")
-
-    // snakeyaml 1.29 fails to parse yaml (including some k8s manifests), so
-    // stick with 1.27 since that's what spring boot 2.4.13 uses.
-    // https://github.com/spring-projects/spring-boot/issues/30159#issuecomment-1125969155
-    // has details, including that snakeyaml 1.28 doesn't suffer from this bug.
-    // We could remove this specification altogether, and move to 1.28 along
-    // with spring boot 2.5, but I'd rather pin it here to avoid hitting the bug
-    // when we upgrade to spring boot 2.6.x.  It's safe to upgrade beyond 1.29
-    // with spring boot >= 2.6.12.  See
-    // https://github.com/spring-projects/spring-boot/issues/32228#issue-136185850.0.
-    // making it strict as some of the modules have it resolved to higher versions (ex: kork-secrets-gcp to 1.30)
-    api("org.yaml:snakeyaml") {
-      version {
-        strictly "1.27"
-      }
-    }
+    //Spring boot 2.6.15 brings snakeyaml 1.29, which fails to parse yaml (including some k8s manifest).
+    //See https://github.com/spring-projects/spring-boot/issues/30159#issuecomment-1125969155
+    //It's safe to upgrade beyond 1.29. However, snakeyaml 1.32 has been introduced with feature of
+    //restricting the size of incoming data i.e file size to 3 MB by default, and spring boot versions < 3.0.7
+    //are not equipped to modify this limit.
+    //so attempting to use 1.31 in order to avoid file size limitation till upgrade >= 3.0.7
+    //and to resolve CVE-2022-25857 and CVE-2022-38749.
+    //See https://bitbucket.org/snakeyaml/snakeyaml/issues/547/restrict-the-size-of-incoming-data
+    //See https://github.com/spring-projects/spring-boot/issues/32228#issue-136185850.0.
+    api("org.yaml:snakeyaml:1.31")
     api("org.springdoc:springdoc-openapi-webmvc-core:${versions.openapi}")
     api("org.springdoc:springdoc-openapi-kotlin:${versions.openapi}")
     api("org.springframework.boot:spring-boot-configuration-processor:${versions.springBoot}")