
Update snakeyaml plugin to 2.0 to silence security scanners

      The latest weekly Jenkins build has the following vulnerability detected:

       CVE-2022-1471 - Package: org.yaml:snakeyaml - Package Type: MAVEN
       Affected Version: 1.32, Fixed Version: 2.0

      Can someone update the latest build with the above version that applies the fixes?

          [JENKINS-70994] Update snakeyaml plugin to 2.0 to silence security scanners

          Andrew created issue -
          Mark Waite made changes -
          Priority Original: Critical [ 2 ] New: Minor [ 4 ]

          Mark Waite added a comment -

          teilo has reported in a GitHub comment that:

          https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md

          There is no vulnerability in snakeyaml - it works as expected - the vulnerability is in any libraries that use it insecurely with untrusted data. The Jenkins plugin ecosystem has been checked for this usage.

          There was a very good commentary on this in the snakeyaml issue tracker - but it seems the whole issue tracker has gone awol :-o

          Additionally as commented above - 2.0 is potentially breaking so this needs some time to check all consumers will not break and adjust them as appropriate. In the interim - unless you are using a plugin that has not come from a supported Jenkins update center your scanner is wrong, i.e. check the plugins you have installed in your instance that depend on this plugin, and if any are internally written or have been installed manually then they need to be inspected.

          I reduced the severity of this from Critical to Minor, since the benefit to Jenkins users is to avoid spurious warnings from security scanners, not to resolve a vulnerability.

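          What "use it insecurely with untrusted data" means in consumer code, as an added example (not code from the Jenkins project, the snakeyaml-api plugin or snakeyaml itself): the default Constructor resolves a global `!!` tag to a JVM class and instantiates it, which is the CVE-2022-1471 pattern when the document comes from an untrusted source, whereas SafeConstructor only builds core YAML types. The sample documents are constructed, `com.example.Placeholder` is a placeholder class name, and the LoaderOptions-taking constructors are the 2.0 signatures (assumed, not verified here, to also be present in 1.32).

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Loading YAML with the default Constructor versus SafeConstructor.
 * Added example; assumes org.yaml:snakeyaml 2.0 on the classpath.
 */
public class UntrustedYamlDemo {

    // Constructed sample input. The class named after "!!" is a placeholder:
    // SafeConstructor rejects every global tag whatever class it names, so the
    // example does not need (and does not use) any real gadget class.
    static final String UNTRUSTED =
            "name: nightly\n"
          + "hook: !!com.example.Placeholder {}\n";

    // Constructed benign document with only core YAML types.
    static final String BENIGN =
            "name: nightly\n"
          + "timeout: 30\n";

    /** Hardened: maps, lists and scalars only; any "!!class" tag is an error. */
    static Object loadSafely(String yaml) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);
        return new Yaml(new SafeConstructor(opts)).load(yaml);
    }

    /**
     * The "before" side: on 1.x the default Constructor maps a global tag to a
     * class and instantiates it, so this must never see untrusted input.
     * On 2.0 the default LoaderOptions reject the global tag before any class
     * is resolved, which is the behaviour change the 2.0 upgrade brings.
     */
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml(new Constructor(new LoaderOptions())).load(yaml);
    }

    public static void main(String[] args) {
        System.out.println("benign, SafeConstructor:    " + loadSafely(BENIGN));

        try {
            loadSafely(UNTRUSTED);
            System.out.println("unexpected: untrusted document was accepted");
        } catch (YAMLException e) {
            // 1.x: ConstructorException "could not determine a constructor for the tag ...";
            // 2.0: the global tag is refused earlier while composing the node tree.
            System.out.println("untrusted, SafeConstructor: rejected ("
                    + e.getClass().getSimpleName() + ")");
        }

        try {
            loadWithDefaultConstructor(UNTRUSTED);
            System.out.println("untrusted, default Constructor: accepted (1.x behaviour, unsafe)");
        } catch (YAMLException e) {
            // 1.x fails here only because the placeholder class does not exist;
            // 2.0 fails because global tags are not allowed by default.
            System.out.println("untrusted, default Constructor: rejected ("
                    + e.getClass().getSimpleName() + ": " + e.getMessage() + ")");
        }
    }
}
```

          A plugin that needs a typed result should construct `new Constructor(Config.class, opts)` with its own root class rather than the bare default, and on 2.0 opt in to specific tags through `LoaderOptions.setTagInspector` only for the classes it actually expects; that explicit opt-in is what makes the 2.0 API break existing consumers and why the comment above asks for time to adjust them.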
          Mark Waite made changes -
          Remote Link New: This issue links to "CVE-2022-1471 in the national vulnerability database (Web Link)" [ 28575 ]
          Mark Waite made changes -
          Remote Link New: This issue links to "Snakeyaml CVE and NIST article on bitbucket.org (Web Link)" [ 28576 ]
          Mark Waite made changes -
          Summary Original: CVE-2022-1471 New: Update snakeyaml plugin to 2.0 to silence security scanners
          Mark Waite made changes -
          Assignee Original: Emilio Escobar [ escoem ]
          Mark Waite made changes -
          Remote Link New: This issue links to "PR 75 - update Snakeyaml plugin to use 2.0 (Web Link)" [ 28577 ]
          Mark Waite made changes -
          Description Original: The latest weekly Jenkins build has the following vulnerability detected:

           CVE-2022-1471 - Package: org.yaml:snakeyaml - Package Type: MAVEN
           Affected Version: 1.32, Fixed Version: 2.0

          Can someone update the latest build with the above version that applies the fixes?

          New: The latest weekly Jenkins build has the following vulnerability detected:

           [CVE-2022-1471|https://nvd.nist.gov/vuln/detail/CVE-2022-1471] - Package: org.yaml:snakeyaml - Package Type: MAVEN
           Affected Version: 1.32, Fixed Version: 2.0

          Can someone update the latest build with the above version that applies the fixes?

          Basil Crow added a comment -

          From jenkinsci/snakeyaml-api-plugin#79:

           I recommend that the @jenkinsci/snakeyaml-plugin-developers consult https://diff.revapi.org to determine the API differences between the current 1.x version and the desired 2.x version, search for consumers using https://github.com/jenkins-infra/usage-in-plugins, and release a new version of snakeyaml-api-plugin after having adapted any consumers (if necessary) to the breaking API changes.

