You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/12/14 07:47:08 UTC
[GitHub] [pulsar] lhotari opened a new pull request, #18922: [improve][sec] Remove snakeyaml dependency to suppress CVE-2022-1471
lhotari opened a new pull request, #18922:
URL: https://github.com/apache/pulsar/pull/18922
### Motivation
- snakeyaml dependency seems to be completely unnecessary in Pulsar.
- Jackson's YAML support is used for parsing YAML
- snakeyaml won'y fix CVE-2022-1471
- See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in and https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
### Modifications
Remove snakeyaml dependency.
### Documentation
<!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
- [ ] `doc` <!-- Your PR contains doc changes. Please attach the local preview screenshots (run `sh start.sh` at `pulsar/site2/website`) to your PR description, or else your PR might not get merged. -->
- [ ] `doc-required` <!-- Your PR changes impact docs and you will update later -->
- [x] `doc-not-needed` <!-- Your PR changes do not impact docs -->
- [ ] `doc-complete` <!-- Docs have been already added -->
### Matching PR in forked repository
PR in forked repository: <!-- ENTER URL HERE -->
<!--
After opening this PR, the build in apache/pulsar will fail and instructions will
be provided for opening a PR in the PR author's forked repository.
apache/pulsar pull requests should be first tested in your own fork since the
apache/pulsar CI based on GitHub Actions has constrained resources and quota.
GitHub Actions provides separate quota for pull requests that are executed in
a forked repository.
The tests will be run in the forked repository until all PR review comments have
been handled, the tests pass and the PR is approved by a reviewer.
-->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] lhotari commented on pull request #18922: [improve][sec] Remove snakeyaml dependency to suppress CVE-2022-1471
Posted by GitBox <gi...@apache.org>.
lhotari commented on PR #18922:
URL: https://github.com/apache/pulsar/pull/18922#issuecomment-1350630909
It seems that Pulsar uses snakeyaml via jackson-dataformat-yaml. I'm closing this PR. We will have to just suppress CVE-2022-1471 since it won't be fixed in snakeyaml (references in the PR description).
```
[pulsar-common] [INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.4:compile
[pulsar-common] [INFO] | \- org.yaml:snakeyaml:jar:1.31:compile
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] lhotari closed pull request #18922: [improve][sec] Remove snakeyaml dependency to suppress CVE-2022-1471
Posted by GitBox <gi...@apache.org>.
lhotari closed pull request #18922: [improve][sec] Remove snakeyaml dependency to suppress CVE-2022-1471
URL: https://github.com/apache/pulsar/pull/18922
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org