@lcharlois-neotys

Hello,

This pull request is bumping snakeyaml to 2.0 and jackson (including jackson-databind) to 2.14.2.

There are CVEs linked to these libraries:

I understand that CVE-2022-1471 is not applicable to swagger-parser because the SafeConstructor is used.

However, I see that snakeyaml has been updated to version 2.0 on swagger-core.
I'm also facing conflict issues in projects where there are imports from snakeyaml 1.30+ and 2.0.

IMO, it would be good for swagger-parser to use snakeyaml 2.0.

I've made the minimal changes: updating the library versions and using the default constructor, which is now safe by default with 2.0.
Locally all tests are passing.

Regards,
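What "safe by default" means for the loader, as an added example that is not code from swagger-parser or this pull request. It assumes org.yaml:snakeyaml:2.0 on the classpath and its default LoaderOptions TagInspector, which allows no global tags unless explicitly configured; the class name, sample documents and method names are constructed for illustration.

```java
// Added example, not code from swagger-parser or this PR. Assumes org.yaml:snakeyaml:2.0.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import java.util.Map;

public class SnakeYamlLoaderCheck {

    // Constructed sample: an ordinary OpenAPI-style document; both loaders accept it.
    static final String PLAIN_DOC = "openapi: 3.0.1\ninfo:\n  title: demo\n  version: '1'\n";

    // Constructed sample: a global tag asking the loader to instantiate a JDK class.
    // Resolving arbitrary class tags from input is the behaviour CVE-2022-1471 concerns.
    static final String TAGGED_DOC = "created: !!java.util.Date 2023-03-16\n";

    // Pre-2.0 pattern (what swagger-parser relied on): the default Constructor still
    // resolved global tags, so the safe constructor had to be requested explicitly.
    static Yaml explicitSafeLoader() {
        return new Yaml(new SafeConstructor(new LoaderOptions()));
    }

    // 2.0 pattern (what the PR switches to): the default Constructor consults the
    // TagInspector in LoaderOptions, which allows no global tags unless configured.
    static Yaml defaultLoader() {
        return new Yaml();
    }

    // True when the loader refuses to build an object for the tagged document
    // (SafeConstructor: no constructor for the tag; 2.0 Constructor: global tag denied).
    static boolean rejectsGlobalTags(Yaml yaml) {
        try {
            yaml.load(TAGGED_DOC);
            return false;
        } catch (YAMLException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        for (Yaml yaml : new Yaml[] {explicitSafeLoader(), defaultLoader()}) {
            Map<String, Object> doc = yaml.load(PLAIN_DOC);
            Map<?, ?> info = (Map<?, ?>) doc.get("info");
            System.out.println("title=" + info.get("title")
                + " rejectsGlobalTags=" + rejectsGlobalTags(yaml));
        }
    }
}
```

Both loaders print `rejectsGlobalTags=true`; the difference the PR relies on is that with 2.0 the second form no longer needs the explicit SafeConstructor to get that result.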

@AlexandrosMor

@lcharlois-neotys Can you update your branch? Maybe that will help to get approvals from the maintainers.

@AlexandrosMor

AlexandrosMor commented Mar 16, 2023

Hello @gracekarina @frantuma @char0n This is a known vulnerability in snakeyaml v1.33; please review it, as swagger-parser is used by multiple applications.

@hbelmiro

Quarkus 3.0.0.Alpha6 uses SnakeYaml 2.0, which breaks compatibility with swagger-parser. So, this bump is very important for Quarkus users.

Contextualization: quarkusio/quarkus#31594 (comment)

@cmuchinsky

Here #1900 is a slightly different take on fixing this, which doesn't break compatibility with snakeyaml 1.33.

@frantuma
Contributor

frantuma commented Apr 4, 2023

closing as replaced by #1906

@frantuma frantuma closed this Apr 4, 2023