eclipse / reddeer

RedDeer Project
Eclipse Public License 2.0

Update snakeyaml to 2.0 #2198

Closed akurtakov closed 1 year ago

akurtakov commented 1 year ago

This release fixes CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471 according to https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes

jukzi commented 1 year ago

Currently reddeer requires org.yaml.snakeyaml;bundle-version="1.14.0": https://github.com/search?q=repo%3Aeclipse%2Freddeer+snakeyaml&type=code

Current Eclipse IDE ships 1.27 from Orbit. All those versions are reported to have multiple vulnerabilities: https://mvnrepository.com/artifact/org.yaml/snakeyaml

Would you please require snakeyaml 2.0?

akurtakov commented 1 year ago

@merks Could you please help this project with setting up proper usage of maven central artifacts?

merks commented 1 year ago

I will look into it now.

merks commented 1 year ago

I'm kind of confused where the dependencies come from. I can't find a *.target file. Searching all the files doesn't even clue me in to where the dependency might be specified...

merks@CORE MINGW64 /d/Users/merks/temp/reddeer
$grep snake $(find . -type f )
./NOTICE.md:snakeyaml (1.27.0)
./plugins/org.eclipse.reddeer.junit/META-INF/MANIFEST.MF: org.yaml.snakeyaml;bundle-version="1.14.0"
./plugins/org.eclipse.reddeer.junit/src/org/eclipse/reddeer/junit/internal/configuration/reader/JSONConfigurationReader.java:import org.yaml.snakeyaml.Yaml;
./plugins/org.eclipse.reddeer.junit/src/org/eclipse/reddeer/junit/internal/configuration/reader/JSONConfigurationReader.java:import org.yaml.snakeyaml.constructor.SafeConstructor;
./tests/org.eclipse.reddeer.integration.test/MANIFEST.MF: org.yaml.snakeyaml;bundle-version="1.14.0"

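
The reader turned up by the grep above imports SafeConstructor; as an added example (not RedDeer's own code), this is what such a loader looks like against the SnakeYAML 2.0 API, where SafeConstructor takes a LoaderOptions argument. The configuration keys in the sample document are constructed and not RedDeer's real format.

```java
// Added example, not part of the reddeer project: loading configuration YAML
// with SnakeYAML 2.0 using SafeConstructor, which only builds standard YAML
// types (maps, lists, scalars) and refuses documents carrying global tags.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoadExample {

    // Constructed sample configuration (hypothetical keys, not RedDeer's format).
    private static final String CONFIG =
        "requirements:\n" +
        "  - name: server\n" +
        "    port: 8080\n";

    /** Parse untrusted YAML into plain Java collections only. */
    public static Map<String, Object> loadSafely(String text) {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false); // reject ambiguous documents
        // In 2.0 SafeConstructor requires LoaderOptions; the no-arg form is gone.
        Yaml yaml = new Yaml(new SafeConstructor(options));
        Object loaded = yaml.load(text);
        if (!(loaded instanceof Map)) {
            throw new IllegalArgumentException("expected a YAML mapping at top level");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) loaded;
        return map;
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = loadSafely(CONFIG);
        System.out.println("Loaded keys: " + cfg.keySet());

        // A document with a global tag is rejected by SafeConstructor instead of
        // being resolved to a class; that resolution is what CVE-2022-1471 concerns.
        try {
            loadSafely("x: !!java.lang.Object {}\n");
        } catch (YAMLException e) {
            System.out.println("Rejected tagged document: " + e.getClass().getSimpleName());
        }
    }
}
```
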
akurtakov commented 1 year ago

Instead of a target file the project defines p2 sites in the pom.xml, e.g. https://github.com/eclipse/reddeer/blob/master/pom.xml#L208. Switching the project to a target file is probably better as it's kind of standard.

merks commented 1 year ago

Reddeer could use https://download.eclipse.org/oomph/simrel-orbit/2023-09 which aggregates Orbit's IBuild (currently with all the direct-from-Maven dependencies of all the SimRel projects), already PGP signed. It contains the following versions:


I assume, given there is no upper bound on the dependency in the MANIFEST.MF, the build would just pick up the 2.0.0 version automatically. Of course this update site will update to minor versions "automatically", and at some point soon, this will be provided/hosted by Orbit's downloads.

Okay?

odockal commented 1 year ago

@merks @akurtakov I have prepared a PR to tackle this issue: https://github.com/eclipse/reddeer/pull/2206. I also like the site Ed proposed; I will work that in.

akurtakov commented 1 year ago

Do you plan a new release soon? It would be nice to have one so this old snakeyaml disappears through the transitive deps updates for 2023-09.

olkornii commented 1 year ago

@akurtakov we are working on a new release (4.7.0): https://github.com/eclipse/reddeer/issues/2216 :)