
Allow SnakeYaml 2.0 runtime compatibility #30097

Closed
strehle opened this issue Mar 9, 2023 · 4 comments

Labels: in: core (Issues in core modules: aop, beans, core, context, expression); type: enhancement (A general enhancement)

Comments

strehle commented Mar 9, 2023

Affects: 5.3.x

Please upgrade snakeyaml to 2.0 in branch 5.3.x, e.g. take 9712bb6.

This would help many projects to get free of CVE blaming regarding snakeyaml.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Mar 9, 2023
bclozel (Member) commented Mar 9, 2023

SnakeYaml is an optional dependency for Spring Framework. The commit you're pointing out merely raises the minimum version and changes an implementation to avoid deprecation warnings.

Is there a runtime issue with SnakeYaml 2.0 and Spring Framework 5.3.x? Can you report the stacktrace here and a minimal application reproducing the problem? Note that Spring Boot 2.7.x is already targeting SnakeYaml 2.0 compatibility (see spring-projects/spring-boot#34405) and it is based on Spring Framework 5.3.x.

@bclozel bclozel added the status: waiting-for-feedback We need additional information before we can continue label Mar 9, 2023
strehle (Author) commented Mar 9, 2023

Stack:

java.lang.NoSuchMethodError: org.yaml.snakeyaml.representer.Representer: method 'void <init>()' not found
        at org.springframework.beans.factory.config.YamlProcessor.createYaml(YamlProcessor.java:187)
        at org.springframework.beans.factory.config.YamlProcessor.process(YamlProcessor.java:164)
        at org.springframework.beans.factory.config.YamlMapFactoryBean.createMap(YamlMapFactoryBean.java:124)
        at org.springframework.beans.factory.config.YamlMapFactoryBean.getObject(YamlMapFactoryBean.java:104)
        at org.cloudfoundry.identity.uaa.impl.config.YamlServletProfileInitializer.initialize(YamlServletProfileInitializer.java:123)

See github action run for https://github.com/cloudfoundry/uaa/pull/2219/checks from cloudfoundry/uaa#2219

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Mar 9, 2023
strehle (Author) commented Mar 9, 2023

As far as I have understood snakeyaml, the change from
https://github.com/spring-projects/spring-framework/blob/main/spring-beans/src/main/java/org/springframework/beans/factory/config/YamlProcessor.java#L184-L189 should work also with 1.33 but is then also compatible with 2.0.
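The stack trace above fails because SnakeYaml 2.0 removed the no-arg `Representer()` constructor that 1.33 had only deprecated. The following is an added illustration, not Spring's `YamlProcessor` and not code from this issue: a hypothetical `CompatibleYamlFactory` that builds a `Yaml` instance using only constructors present in both 1.33 and 2.0 (`Representer(DumperOptions)`, `SafeConstructor(LoaderOptions)`, and the four-argument `Yaml` constructor), so swapping the jar at runtime does not produce a `NoSuchMethodError`. It also keeps the loader restricted to standard YAML types, which is the safer default when the YAML being parsed is configuration from outside the application. The sample document is constructed for the example.

```java
import java.util.Map;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.representer.Representer;

/**
 * Hypothetical helper (not Spring's YamlProcessor): creates a Yaml instance
 * through constructors that exist in both SnakeYaml 1.33 and 2.0, so the
 * same compiled class links against either version at runtime.
 */
public final class CompatibleYamlFactory {

    private CompatibleYamlFactory() {
    }

    public static Yaml createYaml() {
        // Loader settings: reject duplicate keys so a later key cannot silently
        // override an earlier one in a configuration file.
        LoaderOptions loaderOptions = new LoaderOptions();
        loaderOptions.setAllowDuplicateKeys(false);

        DumperOptions dumperOptions = new DumperOptions();

        // Representer(DumperOptions) was introduced in 1.33 when the no-arg
        // constructor was deprecated; 2.0 removed the no-arg form entirely,
        // which is what the NoSuchMethodError in this issue reports.
        Representer representer = new Representer(dumperOptions);

        // SafeConstructor only builds standard YAML types (maps, lists, scalars)
        // and refuses global tags (!!some.Class), so documents cannot request
        // arbitrary class instantiation. Spring uses its own filtering
        // constructor; SafeConstructor is the stock equivalent used here.
        SafeConstructor constructor = new SafeConstructor(loaderOptions);

        return new Yaml(constructor, representer, dumperOptions, loaderOptions);
    }

    public static void main(String[] args) {
        // Constructed sample document, not taken from the issue.
        String document = "server:\n  port: 8080\n  name: uaa\n";
        Map<String, Object> parsed = createYaml().load(document);
        System.out.println("parsed: " + parsed);

        // A document carrying a global tag is rejected instead of instantiated.
        try {
            createYaml().load("!!java.lang.Thread {}");
            System.out.println("unexpected: global tag was accepted");
        } catch (ConstructorException ex) {
            System.out.println("rejected global tag: " + ex.getMessage());
        }

        // Duplicate keys are reported rather than silently merged.
        try {
            createYaml().load("a: 1\na: 2\n");
            System.out.println("unexpected: duplicate key was accepted");
        } catch (RuntimeException ex) {
            System.out.println("rejected duplicate key: " + ex.getMessage());
        }
    }
}
```

Compile the class once and run it with snakeyaml-1.33.jar and then with snakeyaml-2.0.jar on the classpath; both runs complete without a `NoSuchMethodError`, which is the quickest way to confirm that a module is free of the removed constructor. The same check, a run against the new jar rather than only a compile, is what catches this class of break before a dependency bump reaches production.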

@bclozel bclozel self-assigned this Mar 9, 2023
bclozel added a commit that referenced this issue Mar 10, 2023
This commit ensures that SnakeYaml 2.0 is compatible at runtime with
Spring Framework 5.3.x with the `YamlProcessor` support.
The baseline version for SnakeYaml remains the same.

Closes gh-30097
@bclozel bclozel changed the title Please upgrade snakeyaml for 5.3.x Allow SnakeYaml 2.0 runtime compatibility Mar 10, 2023
@bclozel bclozel added in: core Issues in core modules (aop, beans, core, context, expression) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged or decided on status: feedback-provided Feedback has been provided labels Mar 10, 2023
@bclozel bclozel added this to the 5.3.26 milestone Mar 10, 2023
bclozel (Member) commented Mar 10, 2023

Closed with d00fd4c.
