Open ZachChuba opened 1 month ago
Hi, I am pretty sure you also read my comment https://github.com/testcontainers/testcontainers-java/issues/9289#issuecomment-2394035178
Reopening because snakeyaml is a shaded dependency.
This snakeyaml version is not compatible with the current jackson version.
I would recommend upgrading the jackson version, as both this and the current jackson version have critical-level security vulnerabilities and should be updated... will look into the specific version to bump.
Upgrading the whole jackson suite to version 2.15.4 would alleviate these vulnerabilities and be compatible with snakeyaml 2.x. However, it appears this shouldn't be changed for backwards compatibility. These severe vulnerabilities will essentially forbid the use of Testcontainers in enterprises with Sonatype Lifecycle scanning or other security guards.
// https://youtu.be/otCpCn0l4Wo
// The core module depends on jackson-databind 2.8.x for backward compatibility.
// Any >2.8 version here is not compatible with jackson-databind 2.8.x.
Bumping the version of the shaded snakeyaml jar in core from 1.33 to 2.2, as 1.33 is flagged with CVE-2022-1471.
I have read the PR note on raising them just for dependency upgrades, but there have been two new releases since this issue was raised 30 days ago and the version has not changed, making me suspect dependabot is missing this.
This addresses issue https://github.com/testcontainers/testcontainers-java/issues/9289