Update snakeyaml dependency to resolve CVEs

[mamccorm]

Fixes: #479

There are a number of vulnerabilities in snakeyaml, which we inherit from our dependency on snakeyaml, namely:

• CVE-2022-38749
• CVE-2022-38750
• CVE-2022-25857
• CVE-2022-38751
• CVE-2022-38752

Most of these have been resolved in snakeyaml v1.32 or 1.31.

The changes in this PR are to upgrade to the latest snakeyaml library to avail of the fix.

Local testing:

[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for plugin-management-parent-pom 2.12.10-SNAPSHOT:
[INFO]
[INFO] plugin-management-parent-pom ....................... SUCCESS [  5.837 s]
[INFO] plugin-management-library .......................... SUCCESS [01:38 min]
[INFO] plugin-management-cli .............................. SUCCESS [ 11.598 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:56 min
[INFO] Finished at: 2022-09-22T13:10:49+01:00
[INFO] ------------------------------------------------------------------------

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[MarkEWaite]

I don't think this change will resolve the issue that you're trying to resolve.

I think that you want the plugin installation manager tool to include snakeyaml 1.31 or even better, snakeyaml 1.32. The changes you've made will adjust the tests, but won't change the version of snakeyaml that is packaged as a transitive dependency of the Jackson dataformat library.

The maven dependency tree shows:

[INFO] -------< io.jenkins.plugin-management:plugin-management-library >-------
[INFO] Building plugin-management-library 2.12.10-SNAPSHOT                [2/3]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ plugin-management-library ---
[INFO] io.jenkins.plugin-management:plugin-management-library:jar:2.12.10-SNAPSHOT
[INFO] +- org.jenkins-ci:version-number:jar:1.10:compile
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
...
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.31:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile

I think that means that a new dependency on snakeyaml will need to be added to the plugin-management-library/pom.xml file.

[mamccorm]

Thanks @MarkEWaite. Still finding my way at contributions so my apologies. Added the v1.32 dependency to the bom.xml

[timja]

This should be in a dependencyManagement block in the https://github.com/jenkinsci/plugin-installation-manager-tool/blob/master/plugin-management-library/pom.xml file

With a TODO comment to remove it when jackson-dataformat-yaml is updated and includes a newer version.
and the TODO should also go next to

plugin-installation-manager-tool/plugin-management-library/pom.xml

Line 66 in 4e58736

<version>2.13.4</version>

[MarkEWaite]

I confirmed that the snakeyaml version bundled in plugin installation manager tool when built with this pull request is 1.32 as expected.

[MarkEWaite]

I would prefer that the two changes to test data be reverted because they are not needed for the objective of this pull request and they check that we retain compatibility with older releases.

However, I'm also OK if the decision is to update the test data.

[MarkEWaite]

I think this setting can be retained to continue testing that behavior remains compatible even for older releases.

Suggested change

	Plugin snakeYamlAPI = new Plugin("snakeyaml-api", "1.31-84.ve43da_fb_49d0b", null, null);
	Plugin snakeYamlAPI = new Plugin("snakeyaml-api", "1.27.0", null, null);

[timja]

I think fine to update some firewalls may get angry at vulnerable deps getting downloaded although could also be left

[MarkEWaite]

I think this data value can be retained to continue testing that behavior remains compatible even for older releases.

Suggested change

	snakeyaml-api:1.31-84.ve43da_fb_49d0b
	snakeyaml-api:1.26.4

[MarkEWaite]

I'm approving this because my comments are non-blocking. I plan to merge it within 24 hours unless someone raises an objection.

Thanks for the pull request!

[timja]

@MarkEWaite I would like #480 (comment) addressed

[timja]

i.e. I don't think it should be in the root pom it should be in the library

[MarkEWaite]

i.e. I don't think it should be in the root pom it should be in the library

Sorry that I missed that the dependency management entry was in the wrong directory. Agreed. Thanks for catching that!

[MarkEWaite]

I pushed ec27c39 too soon. That change is not correct. It still bundles snakeyaml 1.31 in the jar file. Will need more investigation.

[MarkEWaite]

Pushed 6239603 after verifying that the snakeyaml version included in the library is now 1.32. I'm open to suggestions of better ways to do it...

[timja]

sure it'll do for now

[MarkEWaite]

@timja I've labeled this as a "bug" rather than "chore". I think we're ready to merge and release with this change. Any objections if I merge it?

[timja]

@timja I've labeled this as a "bug" rather than "chore". I think we're ready to merge and release with this change. Any objections if I merge it?

no objections