Open hrstoyanov opened 3 months ago
A bit of analysis:
Regarding CVEs reported against SnakeYAML (up to this point in time) - we have upgraded to latest version, we use safe constructor, we never use it to parse untrusted sources. As a result, we are not impacted by these "false positives" that are often triggered by tools.
So even though I understand this issue (to limit the dependency to the stuff that is really required), it would also actually increase the surface of possible attacks, as we would depend on both the full library and the engine. I am hoping that eventually the engine will be used as a base for the full version - if that happens, we would get rid of all the negative effects of applying this change.
Environment Details
OS: MacOS
Problem Description
Please stop using SnakeYAML 2.0 in Helidon SE 4 - instead, switch to SnakeYAML Engine.
SnakeYAML requires the java.desktop internal JDK module (via a java.beans package dependency, it seems), which is quite inappropriate for server apps based on Helidon, especially if you want your Helidon container images to be small. Without including the java.desktop module (via the jlink utility) in your container builds, one gets a nasty runtime surprise:
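The two loading styles the thread contrasts, as an added example that is not Helidon, SnakeYAML or SnakeYAML Engine project code: SnakeYAML 2.x behind `SafeConstructor` (the "safe constructor" the maintainer's comment refers to) next to SnakeYAML Engine's `Load`, each fed a trusted config and a constructed hostile document carrying a global `!!` tag. The class `YamlLoaderComparison`, the sample documents and the placeholder class name `com.example.NotYourConfig` in the hostile tag are assumptions made for illustration; the Maven coordinates assumed are `org.yaml:snakeyaml:2.x` and `org.snakeyaml:snakeyaml-engine:2.x`.

```java
import org.snakeyaml.engine.v2.api.Load;
import org.snakeyaml.engine.v2.api.LoadSettings;
import org.snakeyaml.engine.v2.exceptions.YamlEngineException;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added example, not Helidon or SnakeYAML project code.
 * Assumes org.yaml:snakeyaml:2.x and org.snakeyaml:snakeyaml-engine:2.x on the classpath.
 */
public class YamlLoaderComparison {

    // Constructed sample config of the kind a Helidon-style server would read from a trusted file.
    static final String TRUSTED = "server:\n  port: 8080\n  host: 0.0.0.0\n";

    // Constructed hostile document: a global (!!) tag naming a JVM class. Whether the loader
    // turns this into a Java object is the difference between an unsafe and a safe YAML loader.
    // The class name is a placeholder for illustration, not a real gadget class.
    static final String HOSTILE = "!!com.example.NotYourConfig {cmd: whoami}\n";

    /** SnakeYAML 2.x with SafeConstructor: only standard YAML types (maps, lists, scalars) are built. */
    static Object loadWithSnakeYaml(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    /** SnakeYAML Engine with default LoadSettings: standard YAML types only, no java.beans in the path. */
    static Object loadWithEngine(String doc) {
        LoadSettings settings = LoadSettings.builder().build();
        return new Load(settings).loadFromString(doc);
    }

    public static void main(String[] args) {
        @SuppressWarnings("unchecked")
        Map<String, Object> viaSnake = (Map<String, Object>) loadWithSnakeYaml(TRUSTED);
        @SuppressWarnings("unchecked")
        Map<String, Object> viaEngine = (Map<String, Object>) loadWithEngine(TRUSTED);
        System.out.println("snakeyaml port = " + ((Map<?, ?>) viaSnake.get("server")).get("port"));
        System.out.println("engine    port = " + ((Map<?, ?>) viaEngine.get("server")).get("port"));

        // Both safe loaders refuse to construct the class named by the global tag; the
        // exception is the expected outcome, silently getting an object back is not.
        try {
            loadWithSnakeYaml(HOSTILE);
            System.out.println("snakeyaml: constructed an object from a global tag (unexpected)");
        } catch (YAMLException e) {
            System.out.println("snakeyaml rejected global tag: " + e.getMessage());
        }
        try {
            loadWithEngine(HOSTILE);
            System.out.println("engine: constructed an object from a global tag (unexpected)");
        } catch (YamlEngineException e) {
            System.out.println("engine rejected global tag: " + e.getMessage());
        }
    }
}
```

The engine path needs no `SafeConstructor` wrapper because it never resolves global tags to Java classes in the first place. To check the module dependency the issue describes before touching the jlink image, run `jdeps --print-module-deps --ignore-missing-deps` against the SnakeYAML jar and against the SnakeYAML Engine jar; the list it prints for each is exactly what the `--add-modules` argument to jlink has to contain.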