grails / grails-core

The Grails Web Application Framework
http://grails.org
Apache License 2.0

Allow runtime compatibility for snakeyaml 2.0 #12950

Closed ahormazabal closed 10 months ago

ahormazabal commented 1 year ago

Expected Behavior

Due to CVE-2022-1471, we need to upgrade to snakeyaml 2.0; however, it's not yet supported by Grails 5.3.2. This has already been addressed by Spring and Spring Boot; however, we're still blocked by Grails from being able to fully upgrade.

We don't expect Grails dependencies to be upgraded to snakeyaml 2.0, but at least it should support it at runtime, an approach taken by the latest Spring Boot 2.7.10.

Actual Behaviour

If we attempt to use snakeyaml 2.0 as a dependency, GSP compilation fails with the following error:

Exception in thread "main" java.lang.NullPointerException: LoaderOptions must be provided.
    at org.yaml.snakeyaml.constructor.BaseConstructor.<init>(BaseConstructor.java:118)
    at org.yaml.snakeyaml.constructor.SafeConstructor.<init>(SafeConstructor.java:53)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:72)
    at org.codehaus.groovy.reflection.CachedConstructor.doConstructorInvoke(CachedConstructor.java:59)
    at org.codehaus.groovy.runtime.callsite.ConstructorSite.callConstructor(ConstructorSite.java:45)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:263)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:268)
    at org.grails.config.CodeGenConfig.loadYml(CodeGenConfig.groovy:157)
    at org.grails.config.CodeGenConfig$_loadYml_closure1.doCall(CodeGenConfig.groovy:133)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107)
    at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323)
    at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:274)
    at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1035)
    at groovy.lang.Closure.call(Closure.java:412)
    at groovy.lang.Closure.call(Closure.java:428)
    at org.codehaus.groovy.runtime.IOGroovyMethods.withStream(IOGroovyMethods.java:1184)
    at org.codehaus.groovy.runtime.ResourceGroovyMethods.withInputStream(ResourceGroovyMethods.java:1882)
    at org.grails.config.CodeGenConfig.loadYml(CodeGenConfig.groovy:132)
    at org.grails.gsp.compiler.GroovyPageCompiler.compile(GroovyPageCompiler.groovy:93)
    at org.grails.web.pages.GroovyPageCompilerForkTask.compile(GroovyPageCompilerForkTask.groovy:102)
    at org.grails.web.pages.GroovyPageCompilerForkTask.run(GroovyPageCompilerForkTask.groovy:155)
    at org.grails.web.pages.GroovyPageCompilerForkTask.main(GroovyPageCompilerForkTask.groovy:106)

Steps To Reproduce

This error is reproduced by attempting to compile GSP pages while snakeyaml 2.0 is a dependency of the compiling application.

Environment Information

Example Application

No response

Version

5.3.2

mitushy commented 1 year ago

@puneetbehl it may be something already on your radar, but I think we can release Grails 5.3.3 by bumping these dependencies:

snakeyaml/2.0
spring boot/2.7.10 (patched https://github.com/spring-projects/spring-boot/issues/34405)
spring/5.3.26 (patched https://github.com/spring-projects/spring-framework/issues/30097)
micronaut/3.8.8 (patched in 3.8.7 https://github.com/micronaut-projects/micronaut-core/pull/8905)

From my local tests, these dependencies work well together.

This is valid for the 6.x branch as well - you can probably re-revert https://github.com/grails/grails-core/pull/12921 if the other deps are updated.

ahormazabal commented 1 year ago

Hi @puneetbehl, we at the Rundeck team have been closely looking at this issue, which is preventing us from achieving several compliance paths. We're happy to see that snakeyaml 2.0 has been included in the Grails 6.0 release path, and are looking at including this upgrade in our development path; however, we don't see it as a short-term solution.

Would it be possible to get a solution that would allow us to use Grails 5.3 together with snakeyaml 2.0? We don't really need Grails to be upgraded to include that version, but we at least need the constructor signature that is used to be changed so we could make the upgrade on our side, in pretty much the same strategy adopted by the Spring team in the referenced links.

We really hope we could get the help from the Grails team on this, many thanks!
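The runtime-compatibility approach asked for in the issue and in the comment above, as an added example that is not Grails code and not the Spring implementation: the NPE in the stack trace comes from `CodeGenConfig.loadYml` calling the no-arg `SafeConstructor()`, which SnakeYAML 2.0 removed. A loader that picks the constructor signature available at runtime (the `SafeConstructor(LoaderOptions)` form on 2.x and, to my knowledge, late 1.x releases; the no-arg form on older 1.x) keeps GSP compilation working whichever version the application pins, for example with `configurations.all { resolutionStrategy.force 'org.yaml:snakeyaml:2.0' }` in `build.gradle`. The class name `YamlCompat`, the method names and the hostile sample document are assumptions made for this example.

```java
import java.lang.reflect.Constructor;
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.BaseConstructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example (not Grails or Spring code): build a SafeConstructor-backed
 * Yaml that works whether the SnakeYAML on the runtime classpath is 1.x or 2.x.
 *
 *   older 1.x:        SafeConstructor() only
 *   late 1.x and 2.x: SafeConstructor(LoaderOptions); 2.x dropped the no-arg
 *                     form, which is what yields "LoaderOptions must be provided".
 */
public final class YamlCompat {

    private YamlCompat() {
    }

    /** A Yaml that only constructs standard YAML types, never arbitrary classes. */
    public static Yaml safeYaml() {
        LoaderOptions options = new LoaderOptions();
        // Harden independently of the constructor question: bound alias
        // expansion and forbid recursive keys, both document-size DoS vectors.
        options.setAllowRecursiveKeys(false);
        options.setMaxAliasesForCollections(50);
        return new Yaml(newSafeConstructor(options));
    }

    /** Pick whichever SafeConstructor signature exists at runtime. */
    static BaseConstructor newSafeConstructor(LoaderOptions options) {
        try {
            Constructor<SafeConstructor> withOptions =
                    SafeConstructor.class.getConstructor(LoaderOptions.class);
            return withOptions.newInstance(options);
        } catch (NoSuchMethodException noOptionsCtor) {
            // Older 1.x: fall back to the no-arg constructor.
            try {
                return SafeConstructor.class.getConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("no usable SafeConstructor on the classpath", e);
            }
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("could not instantiate SafeConstructor", e);
        }
    }

    /**
     * True when the loader refuses a document carrying a global
     * (!!fully.qualified.Class) tag, the shape CVE-2022-1471 relies on against
     * the default Constructor. The input is a constructed, harmless sample.
     */
    public static boolean rejectsGlobalTags(Yaml yaml) {
        String hostile = "!!javax.script.ScriptEngineManager []";
        try {
            yaml.load(hostile);
            return false;
        } catch (YAMLException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = safeYaml();
        // Constructed sample config in the shape of a Grails application.yml.
        Map<String, Object> cfg = yaml.load("grails:\n  profile: web\n");
        System.out.println(cfg);
        System.out.println("global tags rejected: " + rejectsGlobalTags(yaml));
    }
}
```

Compile this against either SnakeYAML line; the reflective lookup is resolved once per call, so cache the `Yaml` if it sits on a hot path. The `rejectsGlobalTags` check is the assertion worth keeping in a test suite after the dependency bump: it fails loudly if someone later swaps `SafeConstructor` for `Constructor`.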

guillermocalvo commented 10 months ago

Fixed by:

AmmarRami commented 9 months ago

Hello,

I have the same problem with a Jenkins server, version 2.401.3, running with Java 11.0.21. When I upgraded all plugins to the latest version, I was no longer able to launch the Kubernetes agent. My agent is a pod created via a YAML stream. This YAML stream is made with a MargeYaml Groovy script which uses snakeYaml version 1.25. When it launches the agent I get this error: java.lang.NullPointerException: LoaderOptions must be provided. When I look at tag 1.25 of the Groovy library I see that the SafeConstructor constructor doesn't have a LoaderOptions instance parameter. So I upgraded my Grape dependencies in my YAML file --> @Grab(group='org.yaml', module='snakeyaml', version='2.0'), but my Groovy binary doesn't understand any Groovy library and I get these errors:

2024-01-11_11-21-24 Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: d6252710-3d31-488c-b7c0-6839ef4acc0f
2024-01-11_11-21-24 org.jenkinsci.plugins.workflow.cps.CpsCompilationErrorsException: startup failed:
2024-01-11_11-21-24 General error during conversion: Error grabbing Grapes -- [unresolved dependency: org.yaml#snakeyaml;2.0: not found, unresolved dependency: org.apache.commons#commons-lang3;3.14.0: not found, unresolved dependency: org.postgresql#postgresql;42.3.1: not found, unresolved dependency: org.apache.commons#commons-lang3;3.6: not found]
2024-01-11_11-21-24
2024-01-11_11-21-24 java.lang.RuntimeException: Error grabbing Grapes -- [unresolved dependency: org.yaml#snakeyaml;2.0: not found, unresolved dependency: org.apache.commons#commons-lang3;3.14.0: not found, unresolved dependency: org.postgresql#postgresql;42.3.1: not found, unresolved dependency: org.apache.commons#commons-lang3;3.6: not found]

Can you help me to resolve this problem please?