CASSANDRA-18875: Upgrade jackson-dataformat-yaml to 2.19.2 and snakeyaml to 2.1

[griffindvs]

CASSANDRA-18875
CASSANDRA-17907
CASSANDRA-20848

This PR back-ports 64ae866 for cassandra 5.0. The original commit was reverted in 8cd0690 and un-reverted in 7204bc4.

Jackson databind, core, and datatype were already updated to a newer 2.19.2 in af0197e.

2.15.3 of jackson-dataformat-yaml uses a matching version 2.1 of snakeyaml. This PR updates to jackson-dataformat-yaml to 2.19.2 to match the other jackson libraries and mirror the changes in trunk for CASSANDRA-20848. Because jackson-dataformat-yaml uses snakeyaml 2.4 which does not yet work with cassandra, we exclude it in the jackson dependency. There were no backwards-incompatible changes in the intervening versions of jackson-dataformat-yaml.

snakeyaml 2.0 included a few backwards-incompatible changes:

• Global tags are disabled by default
  • Standard tags are always enabled
  • I wouldn't expect non-standard global tags to be used in Cassandra configuration files
• yaml.loadAs() supports Class<? super T> type instead of Class
  • This does not affect our usage
• Removal of deprecated methods
  • Removal of deprecated methods in FlowStyle
    • This does not affect our usage
  • Removal of deprecated constructors
    • This change is covered in the PR through the usage of constructors with loader options
    • The default loader options used here include a 64 MiB limit for configuration files
    • The default limit in snakeyaml of 3 MiB was delivered in 1.32

snakeyaml 2.1 included one backwards-incompatible change:

• Removal of Trusted*Inspector classes
  • Does not affect our usage

[michaelsembwever]

Skinny CI: http://ci-cassandra.infra.datastax.com/job/cassandra-5.0/27/pipeline-overview/

[smiklosovic]

Hi @griffindvs ,

1. could you please rebase this patch against the current 5.0? I am not sure how you did it but I have merge conflcts rebasing your branch against 5.0. The resolution of conflicts is very easy. Can you then force-push, please?

2. Why are we updating to 2.15.3 only? I have updated dataformat-yaml to 2.19.2 as well, that brings snakeyaml 2.4. So I updated snakeyaml from 2.1 to 2.4 too and it just compiles fine. It seems that Java changes in this patch are perfectly OK to run with snakeyaml 2.4 so I do not see why we could not do that. That also means that we can remove "exclusions" block in dataformat-yaml since everything would be aligned. I would just comment on snakeyaml that bumping this version is a little bit more involved because it is used in dataformat-yaml so we should be cautious when doing so. (I would also copy that comment to jackson-dataformat-yaml, which is test scoped).

3. More of a cosmetic change but still .... You personally are not the author of the Java-related changes. Raymond Huffman is. Your contribution in this patch consists of the second commit only which removed dependency check suppressions. In this case, the original author should be Raymond and you would be Co-authored-by. (something for a committer to keep in mind when merging).

4. we also need .snyk updated, right, or no?

5. nit which will be resolved on merge but please, entries in CHANGES.txt are added always on top. Not at the end (I am aware you have not done it like that)

6. the entry in CHANGES.txt is not entirely accurate, we are not updating jackson to 2.15.3, we are updating jackson-dataformat-yaml

7. This is a little bit suspicious but when you do 'ant realclean && ant jar' and you look into build/test/lib/jars, you list the dir and grep it on "jackson", there are also dependencies for 2.11.3 instead of just 2.19.2. I am very curious from where these dependencies come from. in libs/ we have just 2.19.2 but in test jars it seems to bring more. I do not like this and it might have unpredictable behaviour when we mix jackson versions like that.

8. Is ant dependency-check working with these changes? (updating to 2.15.3 / 2.19.2 for dataformat-yaml which brings snakeyml 2.1/2.4). I think not updating it to something newer was caused by broken OWASP checks.

https://issues.apache.org/jira/browse/CASSANDRA-18875?focusedCommentId=17792125&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17792125

Since that comment, we have updated OWASP dependency check task significantly so there is a chance that this will work.

EDIT: I see that OWASP 12.1.0 uses Jackson 2.18.2 which uses snakeyaml 2.3. I think we could be OK here.

https://github.com/dependency-check/DependencyCheck/blob/v12.1.0/pom.xml#L175

Even better, OWASP 12.1.3 uses Jackson 2.19.0 which uses Snake 2.4

https://github.com/dependency-check/DependencyCheck/blob/v12.1.3/pom.xml#L174
https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.19.0

I think that if this breaks OWASP, it would be temporary and we might just update it from 12.1.0 to 12.1.3 to resolve it (in a separate ticket).

[smiklosovic]

suggestoins left in another comment

[michaelsembwever]

@smiklosovic,
maybe you're throwing too much at a first time contributor here. the desire here is only to back-port what's in trunk. anything beyond that should be changes you @smiklosovic can contribute 🙏

going through the feedback in a bit more detail…

1. you sure this isn't on your side ? this PR has cassandra-5.0 as the base branch. i see no conflicts here or when i test it locally.
2. 2.15.3 is what's in trunk. this patch is only about back-porting what's already been tested for a while in trunk. we want to minimise what we change in a back-port. so this initial action taken here by @griffindvs is correct. the problem is CASSANDRA-20848 that later introduces newer jackson version. we need to include its patch too.
3. the commits are currently correct. so this applies when squashing the commits. and that can happen later. also note we have a precedent wrt commit message of back-ported commits. (but given this is @griffindvs's first contribution let's leave this to the person merging the commit).
4. yes
5. correct. CHANGES.txt in reverse chronological
6. this exists in the original commit too. let's not put that on @griffindvs , (one of us can fix the CHANGES.txt in this PR and for the original commit in trunk)
7. this is because of not yet including CASSANDRA-20848.
   the patch should end up like trunk, with: jackson-annotations-2.13.4.jar jackson-core-2.19.2.jar jackson-databind-2.19.2.jar jackson-dataformat-yaml-2.19.2.jar
8. related to (4)

action plan:

• include CASSANDRA-20848
• test OWASP (ant dependency-check)
• update .snyk (see .build/dependency-check-suppressions.xml)

[griffindvs]

Thank you @smiklosovic and @michaelsembwever for the reviews and guidance!

1. I double-checked that the branch is up-to-date with cassandra-5.0:

$ git rebase cassandra-5.0
Current branch 5-snakeyaml-2.1 is up to date.

2. I've added the update for jackson-dataformat-yaml to 2.19.2 with the exclusion for snakeyaml retained in 8e65c82
3. Agreed -- Should I squash all commits in the branch with myself as a co-author after reviews are completed?
4. Updated in ad06ee3
5. Fixed in 8e65c82
6. I think that description would be accurate for the original commit since all jackson libraries were updated to 2.15.3. In this PR however, we are just updating jackson-dataformat-yaml since the others were updated elsewhere, so @smiklosovic makes a good point. I fixed this in 8e65c82.
7. Included the update to 2.19.2 in 8e65c82
8. I ran the dependency-check successfully, though it did catch a couple of unrelated CVEs (that would probably be addressed separately):

Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':
cassandra-driver-core-3.12.1-shaded.jar/META-INF/maven/io.netty/netty-resolver/pom.xml (pkg:maven/io.netty/netty-resolver@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2024-47535, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057
cassandra-driver-core-3.12.1-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml (pkg:maven/io.netty/netty-transport-classes-epoll@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2024-47535, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057
cassandra-driver-core-3.12.1-shaded.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml (pkg:maven/io.netty/netty-transport-native-unix-common@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2024-47535, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057
netty-transport-4.1.119.Final.jar (pkg:maven/io.netty/netty-transport@4.1.119.Final, cpe:2.3:a:netty:netty:4.1.119:*:*:*:*:*:*:*): CVE-2025-55163, CVE-2025-58056, CVE-2025-58057
See the dependency-check report for more details.

[smiklosovic]

3 yes, but don't stress it. Committers would ultimately do that if you don't. It is just nice to do from your side so you save committers some time but ultimately if you don't do that, that is in no way any blocker.

8 thanks for checking it works. But we should have 0 CVEs unless these you showed are brand new we have not caught yet? I will check more closely later.

EDIT 8) yes I see the same ... interesting. I have not seen them when releasing 5.0.5. We will need to treat this separately.

[smiklosovic]

I still see 2.11.3 dependencies of jackson in build/test/lib/jars, it seems to be non-deterministic.

[griffindvs]

Hi @smiklosovic , @michaelsembwever helped me run:

ant jar
mvn dependency:tree -f build/tmp-apache-cassandra-5.0.6-SNAPSHOT-deps.pom

which led me to find:

[INFO] Artifact com.github.tomakehurst:wiremock-jre8:pom:2.35.0 is present in the local repository, but cached from a remote repository ID that is unavailable in current build context, verifying that is downloadable from [apache.snapshots (https://repository.apache.org/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases)]
[INFO] Artifact com.github.tomakehurst:wiremock-jre8:pom:2.35.0 is present in the local repository, but cached from a remote repository ID that is unavailable in current build context, verifying that is downloadable from [apache.snapshots (https://repository.apache.org/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases)]
Downloading from central: https://repo.maven.apache.org/maven2/com/github/tomakehurst/wiremock-jre8/2.35.0/wiremock-jre8-2.35.0.pom
Downloaded from central: https://repo.maven.apache.org/maven2/com/github/tomakehurst/wiremock-jre8/2.35.0/wiremock-jre8-2.35.0.pom (0 B at 0 B/s)
[INFO] Artifact org.eclipse.jetty:jetty-bom:pom:9.4.49.v20220914 is present in the local repository, but cached from a remote repository ID that is unavailable in current build context, verifying that is downloadabl
e from [apache.snapshots (https://repository.apache.org/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases)]
[INFO] Artifact org.eclipse.jetty:jetty-bom:pom:9.4.49.v20220914 is present in the local repository, but cached from a remote repository ID that is unavailable in current build context, verifying that is downloadabl
e from [apache.snapshots (https://repository.apache.org/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases)]
Downloading from central: https://repo.maven.apache.org/maven2/org/eclipse/jetty/jetty-bom/9.4.49.v20220914/jetty-bom-9.4.49.v20220914.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/eclipse/jetty/jetty-bom/9.4.49.v20220914/jetty-bom-9.4.49.v20220914.pom (0 B at 0 B/s)
[INFO] Artifact com.fasterxml.jackson:jackson-bom:pom:2.13.4.20221013 is present in the local repository, but cached from a remote repository ID that is unavailable in current build context, verifying that is downlo
adable from [apache.snapshots (https://repository.apache.org/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases)]
[INFO] Artifact com.fasterxml.jackson:jackson-bom:pom:2.13.4.20221013 is present in the local repository, but cached from a remote repository ID that is unavailable in current build context, verifying that is downlo
adable from [apache.snapshots (https://repository.apache.org/snapshots, default, snapshots), central (https://repo.maven.apache.org/maven2, default, releases)]
Downloading from central: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/jackson-bom/2.13.4.20221013/jackson-bom-2.13.4.20221013.pom
Downloaded from central: https://repo.maven.apache.org/maven2/com/fasterxml/jackson/jackson-bom/2.13.4.20221013/jackson-bom-2.13.4.20221013.pom (0 B at 0 B/s)

This is the only reference to an older version of jackson that I see (I don't see 2.11 anywhere in here).

This log output led me to look at wiremock 2.35.0 which uses jackson 2.13.4: https://github.com/wiremock/wiremock/blob/2.35.0/build.gradle#L31

I'm not sure if this helps identify where build/test/lib/jars/jackson-databind-2.11.3.jar is coming from though.

[griffindvs]

@smiklosovic I did some more digging, and it looks like cassandra harry is pulling in Jackson 2.11.3: https://github.com/apache/cassandra-harry/blob/0.0.1/pom.xml#L56
https://github.com/apache/cassandra/blob/cassandra-5.0/.build/parent-pom-template.xml#L512-L517

[smiklosovic]

@griffindvs great find! I was looking at this with AI and I could not find the culprit. I am not sure what to do with it though. Would not be helpful if we tried to move declared dependencies "lower" in the pom? I think how it works is that dependencies declared later would "shadow" earlier ones. But at the same time it does not make a lot of sense to me because 2.11.3 is the dependency of harry while we are declaring these dependencies as "top level" and in that case the top level ones should win. Anyway, worth of trying maybe?

[griffindvs]

@smiklosovic I tried moving our declared jackson dependencies lower in the POM (below wiremock and harry), but the older jars were still present.

If we add an exclusion for jackson from harry and wiremock then the jars are removed:

<dependency>
  <groupId>org.apache.cassandra</groupId>
  <artifactId>harry-core</artifactId>
  <version>0.0.1</version>
  <scope>test</scope>
  <exclusions>
    <exclusion>
      <artifactId>jackson-databind</artifactId>
      <groupId>com.fasterxml.jackson.core</groupId>
    </exclusion>
    <exclusion>
      <artifactId>jackson-annotations</artifactId>
      <groupId>com.fasterxml.jackson.core</groupId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>com.github.tomakehurst</groupId>
  <artifactId>wiremock-jre8</artifactId>
  <version>2.35.0</version>
  <scope>test</scope>
  <exclusions>
    <exclusion>
      <artifactId>jackson-annotations</artifactId>
      <groupId>com.fasterxml.jackson.core</groupId>
    </exclusion>
  </exclusions>
</dependency>

$ ls build/test/lib/jars | grep jackson
jackson-annotations-2.19.2.jar
jackson-core-2.19.2.jar
jackson-databind-2.19.2.jar
jackson-dataformat-yaml-2.19.2.jar

I'm not sure though if there would be side effects from doing this (eg. if wiremock or harry are incompatible with the newer jackson version).

[smiklosovic]

We can test it. Give me some time please. I will kick off a build and will return back to you.

[smiklosovic]

https://pre-ci.cassandra.apache.org/job/cassandra-5.0/22/pipeline-overview/

I have run tests where wiremock is used locally and they passed.

[griffindvs]

3d509f4 includes the exclusions for jackson in wiremock and harry

[michaelsembwever]

I think how it works is that dependencies declared later would "shadow" earlier ones.

This isn't the correct approach to take. The correct approach is exclusions.

patch for cassandra-harry: apache/cassandra-harry@trunk...thelastpickle:cassandra-harry:mck/CASSANDRA-18875

But… why arn't these exclusion problems a problem in trunk ?

[smiklosovic]

@michaelsembwever because Harry was taken into the tree in trunk while in 5.0 it was as a dependency. But there is still 2.13.4 of Jackson annotations in build/test/lib/jars. So we need to exclude that from wiremock in trunk.

https://github.com/apache/cassandra/compare/trunk...smiklosovic:cassandra:CASSANDRA-18875-trunk?expand=1

I have build 5.0 patch and works (see above link) so not going to build it once again. Trunk patch is subset of that, just updates annotations of 2.13.4 to 2.19.2.

Are we prepared to merge?

[smiklosovic]

@griffindvs thank you!