From 3249af4719b33d922dbdc67314839349c67ba1c6 Mon Sep 17 00:00:00 2001
From: Jan Werner <jwerner@confluent.io>
Date: Tue, 12 Dec 2023 22:07:23 -0500
Subject: [PATCH 1/4] unpin snakeyaml, add suppressions and licenses

---
 licenses.yaml                           | 14 +++++++++-
 owasp-dependency-check-suppressions.xml | 34 ++++++++++++++++++++++---
 pom.xml                                 |  5 ----
 3 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/licenses.yaml b/licenses.yaml
index 3eba322b089d..6d9e5a0ec09b 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -1022,7 +1022,7 @@ name: org.yaml snakeyaml
 license_category: binary
 module: extensions/druid-kubernetes-extensions
 license_name: Apache License version 2.0
-version: 1.33
+version: 2.2
 libraries:
   - org.yaml: snakeyaml
 
@@ -2872,6 +2872,18 @@ libraries:
   - io.confluent: kafka-schema-registry-client
   - io.confluent: common-utils
 
+---
+
+name: org.yaml snakeyaml
+license_category: binary
+module: extensions/druid-kubernetes-extensions
+license_name: Apache License version 2.0
+version: 2.0
+libraries:
+  - org.yaml: snakeyaml
+
+
+
 ---
 
 name: Confluent Kafka Client
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 4d68252dcf49..9aaf59bdd597 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -275,18 +275,44 @@
   </suppress>
 
   <suppress>
-    <!-- We need to wait for 17.0.0 of https://github.com/kubernetes-client/java/releases -->
-    <!-- We need to update several other components to move to Snakeyaml 2.0 to address CVE-2022-1471 -->
-    <!-- Snakeyaml 1.33 added to dependencyManagement in main pom file -->
+    <!-- The main use of snakeyaml in Druid is coming in test scope from:
+     com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.7
+     (version 1.27)
+     The contrib extension: druid-cassandra-storage uses version 1.6 in compile
+     scope
+     The integration tests use version 1.27 in compile scope.
+     Previous pinning of version to 1.33 forced the usage of the version across
+     all the modules, downgrading the version for some of them.
+     The removal of the pin in the main POM allows the modules choose which version
+     to be used, enabling the users to disable contrib extensions and use the
+     CVE free version of Snakeyaml in core extensions.
+      -->
+
     <notes><![CDATA[
-    file name: snakeyaml-1.33.jar
+    file name:  snakeyaml-1.27.jar
     ]]></notes>
+    <!-- Snakeyaml is used only in test scope in Druid core with trusted inputs -->
     <cve>CVE-2022-1471</cve>
+    <cve>CVE-2022-25857</cve>
     <!-- false positive -->
     <cve>CVE-2023-2251</cve>
     <cve>CVE-2022-3064</cve>
   </suppress>
 
+  <suppress>
+    <!-- This is for contrib extension for which dependency-check is disabled
+    restoring this data for accuracy -->
+    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
+    <notes><![CDATA[
+    file name: snakeyaml-1.6.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
+    <cve>CVE-2017-18640</cve>
+    <cve>CVE-2022-25857</cve>
+    <cve>CVE-2023-2251</cve>
+    <cve>CVE-2022-3064</cve>
+  </suppress>
+
   <suppress>
      <notes><![CDATA[
      file name: node-sass:4.13.1
diff --git a/pom.xml b/pom.xml
index 938c8d77d4b9..c7e853ba75ff 100644
--- a/pom.xml
+++ b/pom.xml
@@ -364,11 +364,6 @@
                 <artifactId>json-smart</artifactId>
                 <version>2.4.11</version>
             </dependency>
-            <dependency>
-                <groupId>org.yaml</groupId>
-                <artifactId>snakeyaml</artifactId>
-                <version>1.33</version>
-            </dependency>
 
             <!-- transitive dependency of testng
             this would be resolved by updating

From 2543ef825cfcdc78d4f718404463d61b2c90ce53 Mon Sep 17 00:00:00 2001
From: Jan Werner <jwerner@confluent.io>
Date: Wed, 13 Dec 2023 13:41:41 -0500
Subject: [PATCH 2/4] pin snakeyaml in the specific modules that require
 version 1.x, update licenses and owasp suppression

---
 extensions-contrib/cassandra-storage/pom.xml      | 10 ++++++++++
 .../kubernetes-overlord-extensions/pom.xml        |  9 +++++++++
 integration-tests/pom.xml                         | 10 ++++++++++
 licenses.yaml                                     |  2 +-
 owasp-dependency-check-suppressions.xml           | 15 ---------------
 5 files changed, 30 insertions(+), 16 deletions(-)

diff --git a/extensions-contrib/cassandra-storage/pom.xml b/extensions-contrib/cassandra-storage/pom.xml
index 9dc2faefcec4..caee9d9646ee 100644
--- a/extensions-contrib/cassandra-storage/pom.xml
+++ b/extensions-contrib/cassandra-storage/pom.xml
@@ -33,6 +33,16 @@
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>1.33</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>org.apache.druid</groupId>
diff --git a/extensions-contrib/kubernetes-overlord-extensions/pom.xml b/extensions-contrib/kubernetes-overlord-extensions/pom.xml
index 346cc3a00a9c..2a1e9c7c2efb 100644
--- a/extensions-contrib/kubernetes-overlord-extensions/pom.xml
+++ b/extensions-contrib/kubernetes-overlord-extensions/pom.xml
@@ -34,6 +34,15 @@
     <relativePath>../../pom.xml</relativePath>
   </parent>
 
+  <dependencyManagement>
+      <dependencies>
+          <dependency>
+              <groupId>org.yaml</groupId>
+              <artifactId>snakeyaml</artifactId>
+              <version>1.33</version>
+          </dependency>
+      </dependencies>
+  </dependencyManagement>
 
   <dependencies>
     <dependency>
diff --git a/integration-tests/pom.xml b/integration-tests/pom.xml
index 1b81d653fa9b..3563645d361f 100644
--- a/integration-tests/pom.xml
+++ b/integration-tests/pom.xml
@@ -43,6 +43,16 @@
         <hadoop.s3.impl>org.apache.hadoop.fs.s3a.S3AFileSystem</hadoop.s3.impl>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>1.33</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>com.amazonaws</groupId>
diff --git a/licenses.yaml b/licenses.yaml
index 6d9e5a0ec09b..6b2d8faeca43 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -2876,7 +2876,7 @@ libraries:
 
 name: org.yaml snakeyaml
 license_category: binary
-module: extensions/druid-kubernetes-extensions
+module: extensions/druid-protobuf-extensions
 license_name: Apache License version 2.0
 version: 2.0
 libraries:
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 9aaf59bdd597..7013d5f52783 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -293,26 +293,11 @@
     ]]></notes>
     <!-- Snakeyaml is used only in test scope in Druid core with trusted inputs -->
     <cve>CVE-2022-1471</cve>
-    <cve>CVE-2022-25857</cve>
     <!-- false positive -->
     <cve>CVE-2023-2251</cve>
     <cve>CVE-2022-3064</cve>
   </suppress>
 
-  <suppress>
-    <!-- This is for contrib extension for which dependency-check is disabled
-    restoring this data for accuracy -->
-    <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-storage -->
-    <notes><![CDATA[
-    file name: snakeyaml-1.6.jar
-    ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@1.6$</packageUrl>
-    <cve>CVE-2017-18640</cve>
-    <cve>CVE-2022-25857</cve>
-    <cve>CVE-2023-2251</cve>
-    <cve>CVE-2022-3064</cve>
-  </suppress>
-
   <suppress>
      <notes><![CDATA[
      file name: node-sass:4.13.1

From 540d502152311f5f28c61a76487c14be6c71804f Mon Sep 17 00:00:00 2001
From: Jan Werner <jwerner@confluent.io>
Date: Wed, 13 Dec 2023 13:56:49 -0500
Subject: [PATCH 3/4] add reasoning for the individual snakeyaml pins

---
 extensions-contrib/cassandra-storage/pom.xml              | 5 +++++
 extensions-contrib/kubernetes-overlord-extensions/pom.xml | 3 +++
 integration-tests/pom.xml                                 | 3 +++
 3 files changed, 11 insertions(+)

diff --git a/extensions-contrib/cassandra-storage/pom.xml b/extensions-contrib/cassandra-storage/pom.xml
index caee9d9646ee..0760ed3cd3d4 100644
--- a/extensions-contrib/cassandra-storage/pom.xml
+++ b/extensions-contrib/cassandra-storage/pom.xml
@@ -35,6 +35,11 @@
 
     <dependencyManagement>
         <dependencies>
+            <!-- snakeyaml explicitly pinned to version 1.33 as it is
+            a transitive dependency of:
+            com.netflix.astyanax:astyanax:jar -> g.apache.cassandra:cassandra-all:jar
+            please remove this pin after the update of astyanax, see comment below
+             -->
             <dependency>
                 <groupId>org.yaml</groupId>
                 <artifactId>snakeyaml</artifactId>
diff --git a/extensions-contrib/kubernetes-overlord-extensions/pom.xml b/extensions-contrib/kubernetes-overlord-extensions/pom.xml
index 2a1e9c7c2efb..84770340f240 100644
--- a/extensions-contrib/kubernetes-overlord-extensions/pom.xml
+++ b/extensions-contrib/kubernetes-overlord-extensions/pom.xml
@@ -36,6 +36,9 @@
 
   <dependencyManagement>
       <dependencies>
+            <!-- snakeyaml explicitly pinned to version 1.33 as it is
+             a transitive dependency of com.fasterxml.jackson.dataformat:jackson-dataformat-yaml 2.12.7
+             please remove this pin, after updating jackson-dataform-yaml to version > 2.14.3  / 2.15.0 -->
           <dependency>
               <groupId>org.yaml</groupId>
               <artifactId>snakeyaml</artifactId>
diff --git a/integration-tests/pom.xml b/integration-tests/pom.xml
index 3563645d361f..2193dafd8552 100644
--- a/integration-tests/pom.xml
+++ b/integration-tests/pom.xml
@@ -45,6 +45,9 @@
 
     <dependencyManagement>
         <dependencies>
+             <!-- snakeyaml explicitly pinned to version 1.33 as it is
+             a transitive dependency of com.fasterxml.jackson.dataformat:jackson-dataformat-yaml 2.12.7
+             please remove this pin, after updating jackson-dataform-yaml to version > 2.14.3  / 2.15.0 -->
             <dependency>
                 <groupId>org.yaml</groupId>
                 <artifactId>snakeyaml</artifactId>

From 319b2b68aa30a61f4cbad45aa704470c2e70d6f1 Mon Sep 17 00:00:00 2001
From: Jan Werner <jwerner@confluent.io>
Date: Wed, 13 Dec 2023 20:16:11 -0500
Subject: [PATCH 4/4] add both versions of snakeyaml to suppression file

---
 owasp-dependency-check-suppressions.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index 7013d5f52783..fb1431626a70 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -289,7 +289,7 @@
       -->
 
     <notes><![CDATA[
-    file name:  snakeyaml-1.27.jar
+    file name: snakeyaml-1.27.jar snakeyaml-1.33.jar
     ]]></notes>
     <!-- Snakeyaml is used only in test scope in Druid core with trusted inputs -->
     <cve>CVE-2022-1471</cve>