Update snakeyaml to 2.0

* Resolves CVE-2022-1471 Fixes #25010
gradle · May 5, 2023 · 2b1b74e · 2b1b74e
1 parent fba6deb
commit 2b1b74e
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 7 deletions.
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
@@ -81,6 +81,7 @@
          <trusted-key id="0a123c1ed3f13a6a0140e166c71fb765cd9de313" group="org.apache.ant"/>
          <trusted-key id="0cb5871fb7bf3b351614bbf6ca85ffe638d4407a" group="it.unimi.dsi" name="fastutil"/>
          <trusted-key id="0e18eae07b7774eac5db3f2113bb90ce8eafbe37" group="com.microsoft.playwright"/>
+         <trusted-key id="120d6f34e627ed3a772ebbfe55c7e5e701832382" group="org.yaml" name="snakeyaml"/>
          <trusted-key id="160a7a9cf46221a56b06ad64461a804f2609fd89" group="^com[.]github[.]shyiko($|([.].*))" regex="true"/>
          <trusted-key id="1616273079fe63e31c938f10f0df21d1d0a3c384" group="com.google.inject" name="guice" version="4.2.3"/>
          <trusted-key id="19beab2d799c020f17c69126b16698a4adf4d638" group="org.checkerframework" name="checker-qual"/>
@@ -1501,11 +1502,6 @@
             <sha256 value="003785669f921aafe4f137468dd20a01a36111e94fd7449f26c16e7924d82d23" origin="Verified" reason="Artifact is not signed"/>
          </artifact>
       </component>
-      <component group="org.yaml" name="snakeyaml" version="1.32">
-         <artifact name="snakeyaml-1.32.jar">
-            <pgp value="120d6f34e627ed3a772ebbfe55c7e5e701832382"/>
-         </artifact>
-      </component>
       <component group="org.ysb33r.gradle" name="grolifant" version="0.16.1">
          <artifact name="grolifant-0.16.1.jar">
             <pgp value="ea022560a81e5bd48db3d18b54ac8e2d98cfeac6"/>

diff --git a/subprojects/distributions-dependencies/build.gradle.kts b/subprojects/distributions-dependencies/build.gradle.kts
@@ -141,7 +141,7 @@ dependencies {
         api(libs.plist)                 { version { strictly("1.21") }}
         api(libs.servletApi)            { version { strictly("3.1.0") }}
         api(libs.slf4jApi)              { version { strictly(slf4jVersion) }}
-        api(libs.snakeyaml)             { version { strictly("1.32") }}
+        api(libs.snakeyaml)             { version { strictly("2.0") }}
         api(libs.testng)                { version { strictly("6.3.1"); because("later versions break test cross-version test filtering") }}
         api(libs.tomlj)                 { version { strictly(tomljVersion) }}
         api(libs.trove4j)               { version { strictly("1.0.20200330") }}

diff --git a/...ve/src/main/java/org/gradle/nativeplatform/toolchain/internal/swift/SwiftDepsHandler.java b/...ve/src/main/java/org/gradle/nativeplatform/toolchain/internal/swift/SwiftDepsHandler.java
@@ -20,6 +20,7 @@
 import org.gradle.internal.IoActions;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.Constructor;
 
@@ -61,7 +62,7 @@ class SwiftDepsHandler {
 
     SwiftDeps parse(File moduleSwiftDeps) throws FileNotFoundException {
         return IoActions.withResource(new FileInputStream(moduleSwiftDeps), fileInputStream -> {
-            Yaml yaml = new Yaml(new Constructor(SwiftDeps.class));
+            Yaml yaml = new Yaml(new Constructor(SwiftDeps.class, new LoaderOptions()));
             return yaml.loadAs(fileInputStream, SwiftDeps.class);
         });
     }