issue-4273: upgrade to snakeyaml 2.0 due to cve

[pjfanning]

What is the purpose of the change

upgrade snakeyaml due to cve

Related issues/PRs

Related issues: #4273

Brief change log

• pom change

Checklist

• I have read the Contributing Guidelines on pull requests.
• I have explained the need for this PR and the problem it solves
• I have explained the changes or the new features added to this PR
• I have added tests corresponding to this change
• I have updated the documentation to reflect this change
• I have verified that this change is backward compatible (If not, please discuss on the Linkis mailing list first)
• If this is a code change: I have written unit tests to fully verify the new behavior.

[pjfanning]

Looks like we'll need to wait for spring framework to uptake snakeyaml 2.0.

2023-02-26T14:26:26.8919812Z [ERROR] org.apache.linkis.cs.persistence.dao.ContextKeyListenerMapperTest.removeAllTest  Time elapsed: 0.005 s  <<< ERROR!
2023-02-26T14:26:26.8920836Z java.lang.NoSuchMethodError: org.yaml.snakeyaml.representer.Representer: method <init>()V not found
2023-02-26T14:26:26.8921920Z 	at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:74)
2023-02-26T14:26:26.8923110Z 	at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:69)
2023-02-26T14:26:26.8924160Z 	at org.springframework.beans.factory.config.YamlProcessor.process(YamlProcessor.java:162)
2023-02-26T14:26:26.8925214Z 	at org.springframework.boot.env.OriginTrackedYamlLoader.load(OriginTrackedYamlLoader.java:82)
2023-02-26T14:26:26.8926275Z 	at org.springframework.boot.env.YamlPropertySourceLoader.load(YamlPropertySourceLoader.java:50)
2023-02-26T14:26:26.8927440Z 	at org.springframework.boot.context.config.ConfigFileApplicationListener$Loader.loadDocuments(ConfigFileApplicationListener.java:632)

[peacewong]

Yes, or we need to check why the unit test is not compatible.

[pjfanning]

It looks like the upgrade needed for spring and spring-boot is significant - the snakeyaml code in the latest spring-boot classes looks like it is probably compatible with snakeyaml 2.0.

But upgrading spring and spring-boot will require a very large number of other jars to be updated (as well as dozens of spring jars themselves). Latest spring jars use jakarta dependencies instead of javax.

[aiceflower]

Compilation seems not to pass, you can check the cause of the error.

[pjfanning]

@aiceflower the issue is that Linkis is using an old version of Spring

[peacewong]

@aiceflower the issue is that Linkis is using an old version of Spring

@pjfanning Thank you, the community has a plan to upgrade Spring Cloud, Spring Cloud Gateway and Spring. After the upgrade is completed, adjust Snakeyaml.

[casionone]

close with #4469

[pjfanning]

@casionone #4469 appears to revert back to snakeyaml 1.x which is the opposite of what this issue is about

Edit: the issue #4273 is still open - and this PR is outdated so you are right to close this PR