Dependency org.yaml:snakeyaml, leading to CVE problem

Hi, In /，there is a dependency org.yaml:snakeyaml:1.29 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
stitching.model.Tile: update()V .m2/repository/cisd/base/18.09.0/base-18.09.0.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; .m2/repository/org/openmicroscopy/ome-common/6.0.13/ome-common-6.0.13.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; .m2/repository/org/openmicroscopy/ome-common/6.0.13/ome-common-6.0.13.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; .m2/repository/org/openmicroscopy/ome-common/6.0.13/ome-common-6.0.13.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] sc.fiji:Stitching_:jar:3.1.10-SNAPSHOT
[INFO] +- sc.fiji:fiji-lib:jar:2.1.3:compile
[INFO] |  \- net.imagej:ij1-patcher:jar:1.2.2:compile
[INFO] |     \- org.javassist:javassist:jar:3.28.0-GA:compile
[INFO] +- sc.fiji:Fiji_Plugins:jar:3.1.2:compile
[INFO] +- sc.fiji:legacy-imglib1:jar:1.1.9:compile
[INFO] |  +- gov.nist.math:jama:jar:1.0.3:compile
[INFO] |  +- org.jfree:jfreechart:jar:1.5.3:compile
[INFO] |  \- org.scijava:vecmath:jar:1.6.0-scijava-2:compile
[INFO] +- net.imagej:ij:jar:1.53t:compile
[INFO] +- net.imglib2:imglib2:jar:5.12.0:compile
[INFO] +- net.imglib2:imglib2-algorithm:jar:0.12.1:compile
[INFO] |  +- net.imglib2:imglib2-roi:jar:0.12.1:compile
[INFO] |  +- net.imglib2:imglib2-realtransform:jar:3.1.2:compile
[INFO] |  |  \- jitk:jitk-tps:jar:3.0.3:compile
[INFO] |  |     \- com.googlecode.efficient-java-matrix-library:ejml:jar:0.25:compile
[INFO] |  +- net.sf.trove4j:trove4j:jar:3.0.3:compile
[INFO] |  +- org.ojalgo:ojalgo:jar:45.1.1:compile
[INFO] |  \- net.imglib2:imglib2-cache:jar:1.0.0-beta-16:compile
[INFO] |     +- com.github.ben-manes.caffeine:caffeine:jar:2.4.0:compile
[INFO] |     \- org.scijava:scijava-optional:jar:1.0.1:compile
[INFO] +- net.imglib2:imglib2-ij:jar:2.0.0:compile
[INFO] |  \- net.imagej:imagej-common:jar:0.35.0:compile
[INFO] |     +- org.scijava:scijava-common:jar:2.89.0:compile
[INFO] |     |  +- org.scijava:parsington:jar:3.0.0:compile
[INFO] |     |  \- org.bushe:eventbus:jar:1.4:compile
[INFO] |     +- org.scijava:scijava-table:jar:0.7.0:compile
[INFO] |     \- edu.ucar:udunits:jar:4.3.18:compile
[INFO] +- ome:bio-formats_plugins:jar:6.10.1:compile
[INFO] |  +- ome:formats-gpl:jar:6.10.1:compile
[INFO] |  |  +- org.openmicroscopy:ome-mdbtools:jar:5.3.2:compile
[INFO] |  |  +- org.openmicroscopy:metakit:jar:5.3.4:compile
[INFO] |  |  +- org.openmicroscopy:ome-poi:jar:5.3.7:compile
[INFO] |  |  |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  +- edu.ucar:cdm-core:jar:5.3.3:compile
[INFO] |  |  |  +- edu.ucar:httpservices:jar:5.3.3:compile
[INFO] |  |  |  |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |  |  |  |  \- commons-codec:commons-codec:jar:1.14:compile
[INFO] |  |  |  |  \- org.apache.httpcomponents:httpmime:jar:4.5.9:compile
[INFO] |  |  |  \- com.google.re2j:re2j:jar:1.3:compile
[INFO] |  |  +- woolz:JWlz:jar:1.4.0:compile
[INFO] |  |  +- io.airlift:aircompressor:jar:0.18:compile
[INFO] |  |  +- org.json:json:jar:20090211:compile
[INFO] |  |  \- org.xerial:sqlite-jdbc:jar:3.28.0:compile
[INFO] |  +- com.jgoodies:jgoodies-forms:jar:1.7.2:compile
[INFO] |  |  \- com.jgoodies:jgoodies-common:jar:1.7.0:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] |  +- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  \- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] +- ome:formats-api:jar:6.10.1:compile
[INFO] |  \- org.openmicroscopy:ome-codecs:jar:0.3.2:compile
[INFO] |     \- org.openmicroscopy:ome-jai:jar:0.1.3:compile
[INFO] +- ome:formats-bsd:jar:6.10.1:compile
[INFO] |  +- org.openmicroscopy:specification:jar:6.3.1:compile
[INFO] |  +- ome:turbojpeg:jar:6.10.1:compile
[INFO] |  +- org.scijava:native-lib-loader:jar:2.4.0:compile
[INFO] |  +- com.esotericsoftware:kryo:jar:4.0.2:compile
[INFO] |  |  +- com.esotericsoftware:reflectasm:jar:1.11.3:compile
[INFO] |  |  |  \- org.ow2.asm:asm:jar:5.0.4:compile
[INFO] |  |  +- com.esotericsoftware:minlog:jar:1.3.0:compile
[INFO] |  |  \- org.objenesis:objenesis:jar:2.5.1:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- org.perf4j:perf4j:jar:0.9.16:compile
[INFO] |  +- cisd:jhdf5:jar:19.04.1:compile
[INFO] |  |  +- cisd:base:jar:18.09.0:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.7:compile
[INFO] |  |  \- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  +- com.drewnoakes:metadata-extractor:jar:2.18.0:compile
[INFO] |  |  \- com.adobe.xmp:xmpcore:jar:6.1.11:compile
[INFO] |  +- ome:jxrlib-all:jar:0.2.4:compile
[INFO] |  +- xerces:xercesImpl:jar:2.12.2:compile
[INFO] |  +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.29:compile
[INFO] +- org.openmicroscopy:ome-common:jar:6.0.13:compile
[INFO] |  +- io.minio:minio:jar:5.0.2:compile
[INFO] |  |  +- com.google.http-client:google-http-client-xml:jar:1.40.0:compile
[INFO] |  |  |  +- com.google.http-client:google-http-client:jar:1.40.0:compile
[INFO] |  |  |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.14:compile
[INFO] |  |  |  |  +- io.opencensus:opencensus-api:jar:0.28.0:compile
[INFO] |  |  |  |  |  \- io.grpc:grpc-context:jar:1.27.2:compile
[INFO] |  |  |  |  \- io.opencensus:opencensus-contrib-http-util:jar:0.28.0:compile
[INFO] |  |  |  \- xpp3:xpp3:jar:1.1.4c:compile
[INFO] |  |  +- com.squareup.okhttp3:okhttp:jar:3.7.0:compile
[INFO] |  |  \- com.squareup.okio:okio:jar:1.12.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.5:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.12.5:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.5:compile
[INFO] |  +- joda-time:joda-time:jar:2.10.6:compile
[INFO] |  \- com.google.guava:guava:jar:27.1-jre:compile
[INFO] |     +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |     +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |     +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |     +- org.checkerframework:checker-qual:jar:2.5.2:compile
[INFO] |     +- com.google.errorprone:error_prone_annotations:jar:2.2.0:compile
[INFO] |     +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |     \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.17:compile
[INFO] +- org.openmicroscopy:ome-xml:jar:6.3.1:compile
[INFO] +- edu.mines:mines-jtk:jar:20151125:compile
[INFO] +- mpicbg:mpicbg:jar:1.4.2:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test

Suggested solutions:

Update dependency version

Thank you very much.

fiji / Stitching

Dependency org.yaml:snakeyaml, leading to CVE problem #70