
Dependency org.yaml:snakeyaml, leading to CVE problem #563

Open

CVEDetect opened this issue Apr 6, 2023 · 8 comments

Comments

@CVEDetect

Hi. In /junit5-testing, there is a dependency org.yaml:snakeyaml:1.23 that calls the risk method.

CVE-2022-25857

The affected version range of this CVE is [0, 1.31).

After further analysis, in this project the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link: GitHub

CVE Bug Invocation Path --

Path Length: 7

CVE Bug Invocation Path:
org.jsmart.zerocode.jupiter.extension.ParallelLoadExtension: beforeEach(org.junit.jupiter.api.extension.ExtensionContext)V /download/apache-maven-3.6.3/repository_mount/org/jsmart/zerocode-tdd/1.3.32-SNAPSHOT/zerocode-tdd-1.3.32-SNAPSHOT.jar
org.jsmart.zerocode.core.report.ZeroCodeReportGeneratorImpl: generateCsvReport()V /download/apache-maven-3.6.3/repository_mount/org/jsmart/zerocode-tdd/1.3.32-SNAPSHOT/zerocode-tdd-1.3.32-SNAPSHOT.jar
org.jsmart.zerocode.core.report.ZeroCodeReportGeneratorImpl: readZeroCodeReportsByPath(java.lang.String)Ljava.util.List; /download/apache-maven-3.6.3/repository_mount/org/jsmart/zerocode-tdd/1.3.32-SNAPSHOT/zerocode-tdd-1.3.32-SNAPSHOT.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/junit/jupiter/junit-jupiter-api/5.4.2/junit-jupiter-api-5.4.2.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/junit/jupiter/junit-jupiter-api/5.4.2/junit-jupiter-api-5.4.2.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/org/junit/jupiter/junit-jupiter-api/5.4.2/junit-jupiter-api-5.4.2.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree --

[INFO] org.jsmart:zerocode-tdd-jupiter:jar:1.3.32-SNAPSHOT
[INFO] +- org.jsmart:zerocode-tdd:jar:1.3.32-SNAPSHOT:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.9.8:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.23:compile
[INFO] |  +- com.univocity:univocity-parsers:jar:2.8.2:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-csv:jar:2.9.8:compile
[INFO] |  +- ch.qos.logback:logback-classic:jar:1.0.7:compile
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.6.6:compile
[INFO] |  +- ch.qos.logback:logback-core:jar:1.0.7:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- com.google.inject:guice:jar:4.0:compile
[INFO] |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.10.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.13.0:compile
[INFO] |  \- com.google.protobuf:protobuf-java-util:jar:3.13.0:compile
[INFO] |     \- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] +- org.junit.jupiter:junit-jupiter-params:jar:5.4.2:compile
[INFO] |  +- org.apiguardian:apiguardian-api:jar:1.0.0:compile
[INFO] |  \- org.junit.jupiter:junit-jupiter-api:jar:5.4.2:compile
[INFO] |     +- org.opentest4j:opentest4j:jar:1.1.1:compile
[INFO] |     \- org.junit.platform:junit-platform-commons:jar:1.4.2:compile
[INFO] +- org.junit.jupiter:junit-jupiter-engine:jar:5.4.2:compile
[INFO] |  \- org.junit.platform:junit-platform-engine:jar:1.4.2:compile
[INFO] +- org.junit.vintage:junit-vintage-engine:jar:5.4.2:compile
[INFO] |  \- junit:junit:jar:4.12:compile
[INFO] |     \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] \- org.junit.platform:junit-platform-runner:jar:1.4.2:compile
[INFO]    +- org.junit.platform:junit-platform-launcher:jar:1.4.2:compile
[INFO]    \- org.junit.platform:junit-platform-suite-api:jar:1.4.2:compile

Suggested solutions:

Update dependency version

Thank you very much.
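The invocation path above ends in Composer.composeNode, the method that snakeyaml 1.31 patched by adding a nesting depth limit (CVE-2022-25857 is a denial of service through deeply nested collections in untrusted YAML). The block below is an added example, not code from zerocode or from this issue: it shows how a loader built on snakeyaml 2.x (the line the thread later settles on) bounds that depth, and checks it against a constructed document that nests collections 200 levels deep. The class and method names (BoundedYamlLoad, boundedLoader, nestedDoc, loads) and the limits chosen are assumptions for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Added example (assumes org.yaml:snakeyaml 2.x on the classpath).
public class BoundedYamlLoad {

    // Constructed input: a flow sequence nested `depth` levels deep, e.g. "[[[x]]]".
    // Before snakeyaml 1.31 the Composer recursed into this without any bound.
    static String nestedDoc(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('x');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Loader with explicit resource limits and a SafeConstructor (no arbitrary type tags).
    static Yaml boundedLoader(int maxDepth) {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(maxDepth);        // the CVE-2022-25857 fix; default 50 since 1.31
        opts.setMaxAliasesForCollections(50);       // bounds alias expansion ("billion laughs")
        opts.setAllowDuplicateKeys(false);
        opts.setCodePointLimit(3 * 1024 * 1024);    // cap document size (3 MiB), added in 1.32
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns true if the document parses within the configured limits, false if rejected.
    static boolean loads(Yaml yaml, String doc) {
        try {
            Object ignored = yaml.load(doc);
            return true;
        } catch (YAMLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = boundedLoader(50);
        System.out.println("depth 10 accepted:  " + loads(yaml, nestedDoc(10)));   // true
        System.out.println("depth 200 accepted: " + loads(yaml, nestedDoc(200)));  // false
    }
}
```

In the zerocode path shown in the issue the YAML is reached through jackson-dataformat-yaml rather than a direct Yaml instance; Jackson 2.14 and later let you pass these same LoaderOptions via YAMLFactory.builder().loaderOptions(...), so the bound can be applied there as well once the dependency is on a patched snakeyaml.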

@authorjapps
Owner

Thanks for the PR. ✋
Looks like there are some build failures related to the changes.
Can you have a look and fix?

Job Link:
https://github.com/authorjapps/zerocode/actions/runs/4626926177/jobs/8184780358

Here is the screenshot: [screenshot not captured]

@CVEDetect
Author

The build failures are mainly due to the large difference between the modified version of jackson-dataformat-csv and the previous version, which has caused some build failures. It may be better to directly modify the version of its indirect dependency, snakeyaml, in order to resolve these issues.

@ENate

ENate commented Nov 17, 2023

Hi. Is this still open for contribution?

@altsun

altsun commented Jan 11, 2024

Hi, can I work on this?

@nirmalchandra
Collaborator

It looks like the problem description and the requirement to fix (what to fix) are not clear enough in this ticket.
Better to capture more details in the ACs section or withdraw the ticket.
@CVEDetect FYI.

@authorjapps
Owner

It looks like the problem description and the requirement to fix (what to fix) are not clear enough in this ticket. Better to capture more details in the ACs section or withdraw the ticket. @CVEDetect FYI.

@CVEDetect, what does this ticket intend to solve?

In other words:
What problem are you facing if this ticket is not fixed? Any YAML-related issue?

@a1shadows
Collaborator

@baulea I think we won't have this problem anymore after the recent changes we made. What do you think?

@baulea
Contributor

baulea commented Mar 18, 2024

@a1shadows You are right, this issue is already solved. Now com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.4
includes org.yaml:snakeyaml:2.1, and there are no known vulnerabilities at the moment for org.yaml:snakeyaml:2.1 -> https://mvnrepository.com/artifact/org.yaml/snakeyaml/2.1
