It's worth mentioning that neither of the libraries (jackson-dataformat-yaml + snakeyaml) has a newer version without the CVE. -P.
On Mon, Feb 6, 2023 at 9:19 AM Pablo Estrada <pabl...@google.com> wrote:
> Hi all,
> I am proposing that we make the jackson-dataformat-yaml dependency
> optional in our expansion service module[1]. This is because it depends on
> SnakeYAML, and there is a known CVE for it[2].
>
> It seems that given the way we use SnakeYAML, the CVE is not feasible to
> exploit[2], but this will not stop tooling/user policies from being
> alerted, so it may be convenient to simply make the dependency optional.
>
> I looked around for documentation on this code path (loading an allow list
> for the expansion service's classpath), but it's not very widely
> documented, so this feature may only be used by Beam devs, and not much by
> Beam users.
>
> Thoughts on making the dependency optional?
> Thanks!
> -P.
>
> [1] https://github.com/apache/beam/pull/25350
> [2] https://github.com/snakeyaml/snakeyaml#cve
>