Upgrade to SnakeYaml 2.0 #31594

Merged
merged 1 commit into from
Mar 14, 2023

gsmet
Member

@gsmet gsmet commented Mar 3, 2023

I'm not entirely sure this is safe as it's a major version and we have several other dependencies depending on it.

I tested the Quarkus GitHub Bot which uses the Jackson YAML mapper and it seems to work so let's see how CI goes.

Note: even if we are not affected by the CVE, it's the first version fixing the high severity CVE that was ongoing with SnakeYaml so could be good for security analysis tools.

Creating as draft for now to get a full CI run.

@quarkus-bot quarkus-bot bot added area/dependencies Pull requests that update a dependency file area/documentation area/vertx labels Mar 3, 2023
@quarkus-bot quarkus-bot bot added this to To do in Quarkus Documentation Mar 3, 2023
@gsmet
Member Author

gsmet commented Mar 4, 2023

We will have to wait for Liquibase to adapt to SnakeYaml 2.0:

2023-03-03T20:14:36.9508286Z Caused by: java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.SafeConstructor: method 'void <init>()' not found
2023-03-03T20:14:36.9508820Z 	at liquibase.parser.core.yaml.YamlChangeLogParser.parse(YamlChangeLogParser.java:24)
2023-03-03T20:14:36.9509248Z 	at liquibase.Liquibase.getDatabaseChangeLog(Liquibase.java:408)
2023-03-03T20:14:36.9509609Z 	at liquibase.Liquibase.validate(Liquibase.java:2307)
2023-03-03T20:14:36.9510053Z 	at io.quarkus.liquibase.runtime.LiquibaseRecorder.doStartActions(LiquibaseRecorder.java:80)
2023-03-03T20:14:36.9510582Z 	at io.quarkus.deployment.steps.LiquibaseProcessor$startLiquibase1744275855.deploy_0(Unknown Source)
2023-03-03T20:14:36.9511068Z 	at io.quarkus.deployment.steps.LiquibaseProcessor$startLiquibase1744275855.deploy(Unknown Source)

And also the Kubernetes Client:

Caused by: org.graalvm.compiler.java.BytecodeParser$BytecodeParserError: com.oracle.graal.pointsto.constraints.UnresolvedElementException: Discovered unresolved method during parsing: org.yaml.snakeyaml.constructor.SafeConstructor.<init>(). This error is reported at image build time because class io.fabric8.kubernetes.client.utils.Serialization is registered for linking at image build time by command line
	at parsing io.fabric8.kubernetes.client.utils.Serialization.unmarshal(Serialization.java:256)
	at jdk.internal.vm.compiler/org.graalvm.compiler.java.BytecodeParser.throwParserError(BytecodeParser.java:2518)

/cc @manusa

@gsmet gsmet added the triage/on-ice Frozen until external concerns are resolved label Mar 4, 2023
@manusa
Contributor

manusa commented Mar 6, 2023

The Kubernetes Client already moved to SnakeYAML 2.5 (it's also now using SnakeYAML engine instead) thanks to @asomov

The version bump will be included in v6.5.0 planned for the end of this week.

gsmet added a commit to gsmet/quarkus that referenced this pull request Mar 6, 2023
This is necessary for quarkusio#31594 (but not entirely sure it will be
sufficient).
@gsmet gsmet marked this pull request as ready for review March 14, 2023 09:45
@quarkus-bot

quarkus-bot bot commented Mar 14, 2023

Failing Jobs - Building 8edf2c4

| Status | Name | Step | Failures | Logs | Raw logs |
|---|---|---|---|---|---|
| ✔️ | Gradle Tests - JDK 11 | | | | |
| | Gradle Tests - JDK 11 Windows | Build | Failures | Logs | Raw logs |
| ✔️ | JVM Tests - JDK 11 | | | | |
| ✔️ | JVM Tests - JDK 17 | | | | |
| | JVM Tests - JDK 17 Windows | Build | Failures | Logs | Raw logs |
| ✔️ | JVM Tests - JDK 19 | | | | |
| ✔️ | Maven Tests - JDK 11 | | | | |
| | Maven Tests - JDK 11 Windows | Build | Failures | Logs | Raw logs |
| | MicroProfile TCKs Tests | Verify | ⚠️ Check → | Logs | Raw logs |

Full information is available in the Build summary check run.

Failures

⚙️ Gradle Tests - JDK 11 Windows

📦 integration-tests/gradle

io.quarkus.gradle.devmode.AnnotationProcessorSimpleModuleDevModeTest.main line 13

org.awaitility.core.ConditionTimeoutException: Condition with lambda expression in io.quarkus.test.devmode.util.DevModeTestUtils that uses java.util.function.Supplier, java.util.function.Supplierjava.util.concurrent.atomic.AtomicReference, java.util.concurrent.atomic.AtomicReferencejava.lang.String, java.lang.Stringboolean was not fulfilled within 1 minutes.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)

io.quarkus.gradle.devmode.BasicKotlinApplicationModuleDevModeTest.main line 19

org.awaitility.core.ConditionTimeoutException: Condition with lambda expression in io.quarkus.test.devmode.util.DevModeTestUtils that uses java.util.function.Supplier, java.util.function.Supplierjava.util.concurrent.atomic.AtomicReference, java.util.concurrent.atomic.AtomicReferencejava.lang.String, java.lang.Stringboolean was not fulfilled within 1 minutes.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)

io.quarkus.gradle.devmode.ModuleWithParentDependencyDevModeTest.main line 14

org.awaitility.core.ConditionTimeoutException: Condition with lambda expression in io.quarkus.test.devmode.util.DevModeTestUtils that uses java.util.function.Supplier, java.util.function.Supplierjava.util.concurrent.atomic.AtomicReference, java.util.concurrent.atomic.AtomicReferencejava.lang.String, java.lang.Stringboolean was not fulfilled within 1 minutes.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)

io.quarkus.gradle.devmode.MultiModuleNamedInjectionDevModeTest.main line 21

org.awaitility.core.ConditionTimeoutException: Condition with lambda expression in io.quarkus.test.devmode.util.DevModeTestUtils that uses java.util.function.Supplier, java.util.function.Supplierjava.util.concurrent.atomic.AtomicReference, java.util.concurrent.atomic.AtomicReferencejava.lang.String, java.lang.Stringboolean was not fulfilled within 1 minutes.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)

io.quarkus.gradle.devmode.MultiSourceProjectDevModeTest.main line 22

org.awaitility.core.ConditionTimeoutException: Condition with lambda expression in io.quarkus.test.devmode.util.DevModeTestUtils that uses java.util.function.Supplier, java.util.function.Supplierjava.util.concurrent.atomic.AtomicReference, java.util.concurrent.atomic.AtomicReferencejava.lang.String, java.lang.Stringboolean was not fulfilled within 1 minutes.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)

io.quarkus.gradle.devmode.QuarkusDevDependencyDevModeTest.main line 14

org.awaitility.core.ConditionTimeoutException: Condition with lambda expression in io.quarkus.test.devmode.util.DevModeTestUtils that uses java.util.function.Supplier, java.util.function.Supplierjava.util.concurrent.atomic.AtomicReference, java.util.concurrent.atomic.AtomicReferencejava.lang.String, java.lang.Stringboolean was not fulfilled within 1 minutes.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)

⚙️ JVM Tests - JDK 17 Windows

- Failing: extensions/resteasy-classic/rest-client/runtime 
! Skipped: extensions/amazon-lambda-http/deployment extensions/amazon-lambda-http/http-event-server extensions/amazon-lambda-rest/deployment and 104 more

📦 extensions/resteasy-classic/rest-client/runtime

io.quarkus.restclient.runtime.RestClientBaseTest.

java.io.IOException: Failed to delete temp directory D:\a\quarkus\quarkus\extensions\resteasy-classic\rest-client\runtime\target\junit1678967130148240335. The following paths could not be deleted (see suppressed exceptions for details): 
	at org.junit.jupiter.engine.extension.TempDirectory$CloseablePath.createIOExceptionWithAttachedFailures(TempDirectory.java:350)
	at org.junit.jupiter.engine.extension.TempDirectory$CloseablePath.close(TempDirectory.java:251)

⚙️ Maven Tests - JDK 11 Windows

- Failing: integration-tests/maven 

📦 integration-tests/maven

io.quarkus.maven.it.JarRunnerIT.testPlatformPropertiesOverridenInApplicationProperties line 133

org.awaitility.core.ConditionTimeoutException: Condition with lambda expression in io.quarkus.maven.it.JarRunnerIT that uses io.quarkus.maven.it.verifier.MavenProcessInvocationResult was not fulfilled within 1 minutes.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)

@gsmet gsmet requested review from gastaldi and famod March 14, 2023 15:26
@gsmet
Member Author

gsmet commented Mar 14, 2023

I think the CI failures are not related to this change (but the CI situation is becoming worse and worse :/).

Quarkus Documentation automation moved this from To do to Reviewer approved Mar 14, 2023
@gsmet gsmet merged commit d3f527c into quarkusio:main Mar 14, 2023
Quarkus Documentation automation moved this from Reviewer approved to Done Mar 14, 2023
@quarkus-bot quarkus-bot bot added this to the 3.0 - main milestone Mar 14, 2023
@hbelmiro
Contributor

@gsmet this change breaks quarkus-openapi-generator, or any other project that uses openapitools:openapi-generator, which still uses SnakeYaml 1.33.

cc @ricardozanini

@gsmet
Member Author

gsmet commented Mar 17, 2023

@hbelmiro any chance it could be fixed upstream? From my experience, you just need to use the constructor with the options parameter and it makes it work with both versions.
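
As an added illustration (not code from this pull request or from any project in the thread), this is one way to build a SnakeYaml loader through the options-taking constructors that the comment above refers to. It assumes SnakeYaml 1.33 or 2.0 on the classpath; the class name `PortableSafeYaml`, the limit values and the sample documents are constructed for the example.

```java
import java.util.Map;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

public class PortableSafeYaml {

    // Uses only constructors that take explicit options. The no-arg
    // SafeConstructor() is the method the stack traces in this thread
    // report as missing under SnakeYaml 2.0, so it is avoided.
    static Yaml newSafeYaml() {
        LoaderOptions loader = new LoaderOptions();
        loader.setAllowDuplicateKeys(false);     // reject ambiguous mappings
        loader.setMaxAliasesForCollections(50);  // bound alias expansion
        loader.setNestingDepthLimit(50);         // bound recursion depth
        loader.setCodePointLimit(1024 * 1024);   // bound input size (1 MiB)
        DumperOptions dumper = new DumperOptions();
        return new Yaml(new SafeConstructor(loader), new Representer(dumper), dumper, loader);
    }

    // Returns true when the document is rejected by the safe loader.
    static boolean isRejected(Yaml yaml, String document) {
        try {
            yaml.load(document);
            return false;
        } catch (YAMLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = newSafeYaml();

        // Constructed sample input: plain scalars and mappings load as usual.
        Map<String, Object> config = yaml.load("name: demo\nreplicas: 2\n");
        System.out.println("loaded: " + config);

        // Constructed input carrying a tag that names a Java class
        // (com.example.Widget is hypothetical). SafeConstructor has no
        // constructor registered for such tags and refuses the document.
        System.out.println("class tag rejected: "
                + isRejected(yaml, "!!com.example.Widget {size: 1}\n"));
    }
}
```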

@hbelmiro
Contributor

hbelmiro commented Mar 17, 2023

@gsmet Actually what needs to update SnakeYaml is swagger-parser instead of openapi-generator. I believe this issue will affect more people due to that.

Fortunately, there's a PR open to update SnakeYaml in swagger-parser. Let's wait for the release of swagger-parser and then try to update openapi-generator.

Edit: one more PR that fixes the issue: swagger-api/swagger-parser#1900

@hbelmiro
Contributor

@gsmet the issue with SnakeYaml was fixed in swagger-parser.

swagger-parser v2.1.13 has the fix.
