Use snakeyaml to write configured features #16857
Conversation
|
Given the recent CVE in snakeyaml, I'm not sure this is something we want to do. Also, why introduce yet another dependency when Jackson can already do this? |
|
@wendigo can you fill in the description and/or the commit message to say what problem this is solving and how? |
|
@martint Jackson is delegating to snakeyaml afaik hence the change to remove indirection |
|
Version 2.0 is the one that fixes this CVE. jackson still relies on the old version |
|
See this FasterXML/jackson-dataformats-text#382 |
|
If only security scanners could read that @nineinchnick ;) |
|
Just to be clear, it's a goal to Trino to be secure, but it's not a goal to make security scanners happy. |
|
@wendigo the name of this PR had me thinking you were adding in more snakeyaml, which I think added some confusion. |
| "configured_connectors", | ||
| configuredFeatures.asMap().getOrDefault(CONNECTOR, ImmutableList.of()), | ||
| "configured_password_authenticators", | ||
| configuredFeatures.asMap().getOrDefault(PASSWORD_AUTHENTICATOR, ImmutableList.of())))), writer); |
There was a problem hiding this comment.
Super nit: can you move the writer to the next line? It's hard to spot that yaml.dump() actually takes two arguments.
|
Closing. Snakeyaml always is generating anchors which is something that tempto does not like. |
Description
Additional context and related issues
Release notes
(x) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
( ) Release notes are required, with the following suggested text: