
liquibase-core 4.23.0 still refer to snakeyaml:1.33 #4466

Open

faris-git opened this issue Jul 4, 2023 · 8 comments

Comments


faris-git commented Jul 4, 2023

Search first

  • I searched and no similar issues were found

Description

We use liquibase-core:4.23.0 in our project, and my dependency:tree shows snakeyaml:1.33, but the liquibase-core:4.23.0 manifest shows 2.0.3.

Downloaded from Maven Central: https://repo.maven.apache.org/maven2/org/liquibase/liquibase-core/4.23.0/liquibase-core-4.23.0.jar

Please see the dependency:tree map of my maven project.

[INFO] |  +- com.opencsv:opencsv:jar:5.7.1:compile
[INFO] |  +- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO] |  +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.33:compile
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |  \- javax.activation:javax.activation-api:jar:1.2.0:compile

Important: snakeyaml 1.33 is subject to a security vulnerability. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471

Steps To Reproduce

In pom.xml, add liquibase-core as your dependency:

        <dependency>
            <groupId>org.liquibase</groupId>
            <artifactId>liquibase-core</artifactId>
            <version>4.23.0</version>
        </dependency>

And run `mvn dependency:tree`

Expected/Desired Behavior

org.yaml:snakeyaml:2.0

Liquibase Version

4.23.0

Database Vendor & Version

No response

Liquibase Integration

No response

Liquibase Extensions

No response

OS and/or Infrastructure Type/Provider

No response

Additional Context

Spring-boot: 3.1.2

Are you willing to submit a PR?

  • I'm willing to submit a PR (Thank you!)
@molivasdat (Contributor)

Hi @faris-git
Not sure if there is a configuration issue in your pom file.
https://central.sonatype.com/artifact/org.liquibase/liquibase-core/4.23.0/dependencies
Shows snakeyaml 2.0
When I ran mvn dependency:tree on the master branch I see this

mvn dependency:tree |grep snakeyaml
[INFO] +- org.yaml:snakeyaml:jar:2.0:compile

And the pom file in master points to 2.0

<artifactId>snakeyaml</artifactId>

And here's the PR that bumped it.

#3893

Can you provide more details?

@MarkGabb-Alcumus

Hi,

We are having the same issue

In the pom we've included this

    <dependency>
        <groupId>org.liquibase</groupId>
        <artifactId>liquibase-core</artifactId>
        <version>4.23.0</version>     
    </dependency>

Is there any other information that might help?

@mfernandes-alcumus

I am having the same issue as above; is there a solution for this issue? It was causing a lot of security-related concerns with the use of this package.

@filipelautert
Collaborator

Hi

I'm not able to reproduce this issue. I tried with Java 8, 11, 17 and 20 using Maven 3.8.7, 3.9.1, 3.9.2 and 3.9.3. The output is always as follows:

[INFO] ------------------------< org.example:untitled >------------------------
[INFO] Building untitled 1.0-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- dependency:2.8:tree (default-cli) @ untitled ---
[INFO] org.example:untitled:jar:1.0-SNAPSHOT
[INFO] \- org.liquibase:liquibase-core:jar:4.23.0:compile
[INFO]    +- com.opencsv:opencsv:jar:5.7.1:compile
[INFO]    +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    +- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO]    +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO]    +- org.yaml:snakeyaml:jar:2.0:compile
[INFO]    +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO]    \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.955 s
[INFO] Finished at: 2023-07-27T13:28:49-03:00
[INFO] ------------------------------------------------------------------------

My pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>untitled</artifactId>
    <version>1.0-SNAPSHOT</version>

    <dependencies>
        <dependency>
            <groupId>org.liquibase</groupId>
            <artifactId>liquibase-core</artifactId>
            <version>4.23.0</version>
        </dependency>
    </dependencies>

</project>

Maybe I am missing something?

faris-git (Author) commented Jul 27, 2023

I still have the same problem, and I found the sample to reproduce it:
I see that the snakeyaml version bumps to 1.33 when the project has a Spring Boot dependency 🤷‍♂️

Here is the pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>liquibase-core-dependency</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>20</maven.compiler.source>
        <maven.compiler.target>20</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencyManagement>
        <?SORTPOM IGNORE?>
        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>3.1.2</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
        <?SORTPOM RESUME?>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.liquibase</groupId>
            <artifactId>liquibase-core</artifactId>
            <version>4.23.0</version>
        </dependency>
    </dependencies>

</project>

Run `mvn dependency:tree`. The result shows snakeyaml -> 1.33:

org.example:liquibase-core-dependency:jar:1.0-SNAPSHOT
[INFO] \- org.liquibase:liquibase-core:jar:4.23.0:compile
[INFO]    +- com.opencsv:opencsv:jar:5.7.1:compile
[INFO]    +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    +- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO]    +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO]    +- org.yaml:snakeyaml:jar:1.33:compile
[INFO]    +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO]    \- javax.activation:javax.activation-api:jar:1.2.0:compile

Hope this helps

faris-git (Author)

The workaround is to explicitly add the new snakeyaml version in pom.xml:

        <dependency>
            <groupId>org.liquibase</groupId>
            <artifactId>liquibase-core</artifactId>
            <version>4.23.0</version>
        </dependency>
        <dependency>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
            <version>2.0</version>
        </dependency>

I don't recommend this solution, but just to get rid of the security issue, I need to do this.

@filipelautert
Collaborator

@faris-git thanks for the feedback! So the problem may be happening because the latest Spring Boot release still depends on Liquibase 4.20.0, which depends on Snakeyaml 1.33.
Spring Boot already upgraded to Liquibase 4.23.0 on their main branch in the following commit, so I would expect the next version to solve this issue -> spring-projects/spring-boot@b8c4fb6

Meanwhile forcing Snakeyaml v2 as you did would be the best workaround.

faris-git (Author)

The issue is still there. I've checked with the new spring-boot 3.1.3 and liquibase-core 4.23.1.

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>liquibase-core-dependency</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>20</maven.compiler.source>
        <maven.compiler.target>20</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencyManagement>
        <?SORTPOM IGNORE?>
        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>3.1.3</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
        <?SORTPOM RESUME?>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.liquibase</groupId>
            <artifactId>liquibase-core</artifactId>
            <version>4.23.1</version>
        </dependency>
    </dependencies>

</project>

And mvn dependency:tree

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ liquibase-core-dependency ---
[INFO] org.example:liquibase-core-dependency:jar:1.0-SNAPSHOT
[INFO] \- org.liquibase:liquibase-core:jar:4.23.1:compile
[INFO]    +- com.opencsv:opencsv:jar:5.7.1:compile
[INFO]    +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    +- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO]    +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO]    +- org.yaml:snakeyaml:jar:1.33:compile
[INFO]    +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO]    \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] ------------------------------------------------------------------------

I still see it referring to snakeyaml:1.33.
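A build-gate check for the symptom reported throughout this thread, both the original report and the trees posted after the explicit-version workaround (an added example, not code from the issue, from Liquibase or from Spring Boot): it parses `mvn dependency:tree` output and flags any org.yaml:snakeyaml resolved below 2.0. The embedded tree is a constructed sample modelled on the output quoted above; the script name in the comment is assumed.

```python
import re
import sys

# CVE-2022-1471 is fixed in snakeyaml 2.0 (as the thread states); anything lower is flagged.
MIN_SAFE_VERSION = (2, 0)

# Coordinate part of a dependency:tree line: groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w\-]+):(?:([\w\-]+):)?([\w.\-]+):(\w+)\s*$")

# Constructed sample, modelled on the tree output quoted in this issue.
SAMPLE_TREE = r"""[INFO] org.example:liquibase-core-dependency:jar:1.0-SNAPSHOT
[INFO] \- org.liquibase:liquibase-core:jar:4.23.1:compile
[INFO]    +- com.opencsv:opencsv:jar:5.7.1:compile
[INFO]    +- org.yaml:snakeyaml:jar:1.33:compile
[INFO]    \- javax.activation:javax.activation-api:jar:1.2.0:compile
"""

def parse_version(version: str) -> tuple:
    """Turn '1.33' or '2.0' into a comparable tuple, stopping at the first non-numeric part."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts) or (0,)

def find_dependency(tree_output: str, group: str, artifact: str) -> list:
    """Return (version, scope) for every tree line that resolves group:artifact."""
    hits = []
    for line in tree_output.splitlines():
        match = COORD_RE.search(line)
        if match is None:  # root line, separators, BUILD SUCCESS banner, etc.
            continue
        found_group, found_artifact, _type, _classifier, version, scope = match.groups()
        if found_group == group and found_artifact == artifact:
            hits.append((version, scope))
    return hits

def vulnerable_snakeyaml(tree_output: str) -> list:
    """Versions of org.yaml:snakeyaml in the tree below 2.0; an empty list means the tree is clean."""
    return [v for v, _ in find_dependency(tree_output, "org.yaml", "snakeyaml")
            if parse_version(v) < MIN_SAFE_VERSION]

if __name__ == "__main__":
    # Gate a build with:  mvn dependency:tree | python check_snakeyaml.py
    bad = vulnerable_snakeyaml(sys.stdin.read())
    print("FAIL: snakeyaml " + ", ".join(bad) if bad else "OK: no snakeyaml below 2.0")
    sys.exit(1 if bad else 0)
```

The same parser can be pointed at any other artifact with `find_dependency`, which is useful when a BOM pins a different transitive version than the one the direct dependency declares.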
