-
Notifications
You must be signed in to change notification settings - Fork 40.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Loading application.yml fails with NoSuchMethodError when using SnakeYAML 2.0 #34405
Comments
As far as we know, the problem above should only occur with Spring Boot 2.7. While not officially supported, the failure above should not occur with SnakeYAML 2.0 and Spring Boot 3.0. Can you please provide a minimal sample that shows a failure with Spring Boot 3.0.3 and SnakeYAML 2.0? |
@wilkinsona would you consider supporting a backport of this change to the 2.7.X line? bf5bd4f#diff-07741e308f54bc7fc66aabb0a1594c1ff8a9785103fb8cdf4c930ad3b44ed2c6 I would submit a PR? It appears to be both compatible with snakeyaml 1.30 and 2.0 I cannot chime in for reproducing this with spring boot 3.0, we also have this issue with some services that are stuck on 2.7.X (tested with 2.7.9), but would like to upgrade to snakeyaml 2.0 due to the safe defaults it is bringing (not related to spring, but just usage within the app). |
It seems I made a mistake while test with SnakeYAML 2.0 and Spring Boot 3.0. It actually works with Spring Boot 3.0. |
@DRoppelt Yes, that's a change that we're considering: wilkinsona@6aa1ce7. It will require further testing and we'll also have to decide how much support we want to add for SnakeYAML 2.0 in maintenance releases. |
@wilkinsona Hi ! Since there is a Secuurity-Alert for snakeyaml (and we'd like to upgrade to snakeyaml 2.0 by including it top-level dependencies to fix the alert), could you elaborate a bit, what Spring's recommendation is in this regard ? |
I assume it's CVE-2022-1471 that's triggering the alert. It's very likely to be a false positive as Spring Boot itself is not vulnerable due to the way it uses SnakeYAML. Unless you're using SnakeYAML in an unsafe manner and passing untrusted input into it, your application is not vulnerable. There's some more background in #33457. You have a few options right now:
The situation with 2 may improve in time, depending on the outcome of the further testing that we want to do as well as possible changes in Spring Framework being tracked by spring-projects/spring-framework#30048. |
@wilkinsona Thanks for providing the options. May I ask the estimated timeline for Spring Boot 2 to pick up SnakeYAML 2.0 ? Thanks. |
@zhudaxi We won't be upgrading to SnakeYAML 2.0 in Spring Boot 2.7.x (which is the last planned 2.x release) since it's a major version bump. We will try to make it possible to users to upgrade themselves, but we don't have an estimate for when that will happen. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as resolved.
This comment was marked as resolved.
Upgrade snakeyaml from 1.33 to 2.0 fixing Arbitrary Code Execution: https://nvd.nist.gov/vuln/detail/CVE-2022-1471 Spring Boot >= 3.0.3 is compatible with snakeyaml 2.x: spring-projects/spring-boot#34405
Hello All, From the above discussion, it is still unclear if SnakeYaml Thanks |
@wilkinsona, can you elaborate option 1 provided here bit more? |
@flashvayne has tried it and it worked for them:
You are encouraged to do the same experiment:
However, you should note that SnakeYAML 2.0 is not yet officially supported with any version of Spring Boot but this may change in the future, as already stated above:
We have not yet done all of that testing. This issue will be used to communicate its outcome. |
@sportymsk, Spring Boot doesn't require Snake YAML. It's only used if you choose to configure your application using YAML files rather than properties files. It's a dependency of |
@wilkinsona feel free to ping me if you need any help with SnakeYAML for Spring Boot 3 |
We recently also ran into Springboot 2.7.7 and 2.7.8 issue with snakeyaml 1.33:
|
@sheetalj2205 feel free to report a bug in JFrog Xray. They create a false positive. |
Unfortunately, security scans cannot be taken at face value and they often report many false positives. For each vulnerability that a scan identifies, you will have to identify whether or not your application is actually affected. If it isn't, you may want to configure the scanner so that the false positive is ignored in the future. If your application is affected, you will then have to determine how to address the problem. That could be changing a configuration setting or updating a dependency for example. |
I am facing
|
@kpavan3697 That doesn't look to be related to loading |
@wilkinsona Please find the stack trace below for the error
|
@kpavan3697 The error says |
there you go, From what it looks like, their repo is here https://github.com/FasterXML/jackson-dataformats-text Maybe they would accept a backport to 2.13, from my understanding that should be compatible in their 2.13 line e: judging by the context within the PR, if you can adjust the caller to inject a non-null |
Upgrading Jackson to v 2.15.0 seems to fix this error when using SB 2.7.11 and snakeYAML 2.0. |
…and Spring Boot 2.7.10 (#3538) * Update pom.xml Bump snakeyml to 2.0 to resolve CVE-2022-1471 * Resolve CVE-2022-1471: Bump Jackson and Spring Boot in pom.xml Ref: - spring-projects/spring-boot#34405 (comment) - https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.7/html/migrating_applications_to_spring_boot_2.7/migrating-spring-boot-2-5-applications-to-the-spring-boot-version-spring-boot_spring-boot * Update pom.xml to Spring Boot 2.7.10 Reference: http://github.com/spring-projects/spring-boot/issues/34405 2.7.10 supports SnakeYML 2.0 * Fix prometheus integration check Prometheus integration check was matching on prometheus in the application name. Since the test included prometheus in the package it was failing. This change matches on the URI prefix instead of just the name. --------- Co-authored-by: Lance Linder <lance@tetrate.io>
## Description Upgrades SnakeYaml dependency version forcefully to 2.0 to overcome [this issue](spring-projects/spring-boot#33457), as advised [here](spring-projects/spring-boot#34405 (comment)). This version tag can be reverted when we upgrade to Spring 6.1, which is when the library [aims](spring-projects/spring-framework#30048 (comment)) to upgrade the version themselves. Fixes appsmithorg/appsmith-ee#1233 #### Type of change - Chore (housekeeping or task changes that don't impact user perception) ## Testing This PR will be tested during regression. --------- Co-authored-by: Arpit Mohan <mohanarpit@users.noreply.github.com> Co-authored-by: Shrikant Sharat Kandula <shrikant@appsmith.com>
@wilkinsona sorry for bothering again with this infinite issue, but I also have the same problem with the following dependencies. May be you have seen it already and know the reason? 🙏 +--- org.springframework.boot:spring-boot-dependencies:2.7.12
Do you have any ideas on the reason? My be you have faced it already? 🙏 Very small spring boot service: https://github.com/saveourtool/save-cloud/tree/master/api-gateway :
problem comes from spring-cloud which uses old io.kubernetes:client-java, that is in conflict with latest snakeyaml:
|
It looks like If you have any further questions, please follow up on Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. |
downgrade your jackson implementation for parsing YAML and this should solve this issue. I had the same one. |
When I upgrade snakeyaml from 1.33 to 2.0 version, Springboot Application run failed as below.
I have tried springboot 2.7.4 and 3.0.0, neither works.
Also I have tried JDK 8,11 and 17, none works.
The text was updated successfully, but these errors were encountered: