Exclude snakeyaml from pinot dependencies

[wendigo]

It's used transitively by calcite to load model definitions

Description

Additional context and related issues

Release notes

( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
( ) Release notes are required, with the following suggested text:

# Section
* Fix some things. ({issue}`issuenumber`)

[martint]

What’s the motivation for this?

[wendigo]

@martint snakeyaml has known vulnerabilites that are reportered by security scanners. We don't use it so it's better to exclude it

[martint]

If it’s not used then those vulnerabilities don’t affect Trino, so what problem does it solve?

[wendigo]

@martint Some security scanners are eager to report vulnerability by mere existence of the jar. This particular CVE has score of 9.8/10

[martint]

Adding an exclusion is brittle. We need to remember to remove it when the library is updated, it adds more cruft to the pom, etc.

If it’s a problem, it’d be better to get it updated upstream.

[wendigo]

@martint This is harder to do and will take a lot more time and resources

[kokosing]

Adding an exclusion is brittle

It is is. The library can be added again as transitive dependency for something else.

Let's use something like https://maven.apache.org/enforcer/enforcer-rules/bannedDependencies.html. Let's add it first here but then let's add it to airbase.

see my latest comment about https://maven.apache.org/enforcer/enforcer-rules/bannedDependencies.html

[wendigo]

@kokosing I don't know if we can do that. Tempto and benchto are still dependant on snakeyaml. I've updated it in https://github.com/trinodb/tempto/pull/109/files, but in benchto it's harder and will take some more time.

[kokosing]

We can do it as follow up.

[hashhar]

maven-checks timeout is known issue - see #16863

re-ran anyway to make sure compile works

[wendigo]

@hashhar cancelled :(