Thanks. Added some comments to the PR.

- Cham

On Mon, Feb 6, 2023 at 9:29 AM Pablo Estrada via dev <dev@beam.apache.org> wrote:

> It's worth mentioning that neither of the libraries
> (jackson-dataformat-yaml + snakeyaml) has a newer version without the
> CVE.
> -P.
>
> On Mon, Feb 6, 2023 at 9:19 AM Pablo Estrada <pabl...@google.com> wrote:
>
>> Hi all,
>> I am proposing that we make the jackson-dataformat-yaml dependency
>> optional in our expansion service module[1]. This is because it depends on
>> SnakeYAML, and there is a known CVE for it[2].
>>
>> It seems that given the way we use SnakeYAML, the CVE is not feasible to
>> exploit[2], but this will not stop tooling/user policies from being
>> alerted, so it may be convenient to simply make the dependency optional.
>>
>> I looked around for documentation on this code path (loading an allow
>> list for the expansion service's classpath), but it's not very widely
>> documented, so this feature may only be used by Beam devs, and not much by
>> Beam users.
>>
>> Thoughts on making the dependency optional?
>> Thanks!
>> -P.
>>
>> [1] https://github.com/apache/beam/pull/25350
>> [2] https://github.com/snakeyaml/snakeyaml#cve
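The pattern the thread proposes, an allow-list loader whose YAML parser is an optional dependency, as an added example that is not Beam's code and not taken from the PR above. It assumes the allow list is a plain YAML sequence of strings (Beam's actual file format is not described in the thread), that the build declares SnakeYAML as a compile-only dependency so it may be absent at run time (a Gradle `compileOnly` scope is one way to do that; the project's real build configuration is not on the page), and a SnakeYAML version that offers `SafeConstructor(LoaderOptions)` (1.33 or 2.x). The class name `OptionalYamlAllowList` and the sample entries are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/** Hypothetical allow-list loader; SnakeYAML is treated as an optional dependency. */
public final class OptionalYamlAllowList {

  /** Returns the configured entries, or an empty list when no YAML parser is available. */
  public static List<String> load(String yamlText) {
    // Probe for the parser by name instead of referencing it directly, so this class
    // still links when the library was declared compile-only and is missing at run time.
    try {
      Class.forName("org.yaml.snakeyaml.Yaml");
    } catch (ClassNotFoundException e) {
      // Parser absent: behave as if no allow list was configured.
      return Collections.emptyList();
    }
    return SnakeYamlParser.parse(yamlText);
  }

  /** Nested holder: the JVM resolves SnakeYAML classes only when this class is first used. */
  private static final class SnakeYamlParser {
    static List<String> parse(String yamlText) {
      LoaderOptions opts = new LoaderOptions();
      // SafeConstructor limits the document to standard YAML types (maps, sequences,
      // scalars); a tag naming an arbitrary Java class is rejected rather than instantiated,
      // which is the defensive default for any YAML read from the file system.
      Yaml yaml = new Yaml(new SafeConstructor(opts));
      Object parsed = yaml.load(yamlText);
      List<String> entries = new ArrayList<>();
      if (parsed == null) {
        return entries; // empty document
      }
      if (!(parsed instanceof Iterable)) {
        throw new IllegalArgumentException("allow list must be a YAML sequence");
      }
      for (Object item : (Iterable<?>) parsed) {
        if (!(item instanceof String)) {
          throw new IllegalArgumentException("allow list entries must be strings, got: " + item);
        }
        entries.add((String) item);
      }
      return entries;
    }
  }

  public static void main(String[] args) {
    // Constructed sample allow list (placeholder class names, not from the page).
    String sample = "- com.example.transforms.MyReadTransform\n"
        + "- com.example.transforms.MyWriteTransform\n";
    System.out.println(load(sample));
  }
}
```

With the library on the classpath, `main` prints the two placeholder entries; with it removed, `load` returns an empty list instead of failing with a `NoClassDefFoundError`, which is what makes the dependency genuinely optional rather than merely undeclared. Keeping the parser behind `SafeConstructor` is independent of the scanner question the thread raises: tooling will still flag the library version, but the code path itself never hands the document the ability to construct arbitrary types.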