When I upgrade snakeyaml from 1.33 to 2.0 version, Springboot Application run failed as below. I have tried springboot 2.7.4 and 3.0.0, neither works. Also I have tried JDK 8, 11 and 17, none works.

  • snakeyaml dependency

```xml
<dependency>
    <groupId>org.yaml</groupId>
    <artifactId>snakeyaml</artifactId>
    <version>2.0</version>
</dependency>
```

  • Error log

```
11:28:31.187 [main] ERROR org.springframework.boot.SpringApplication - Application run failed
java.lang.NoSuchMethodError: org.yaml.snakeyaml.representer.Representer: method 'void <init>()' not found
    at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:76)
    at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:71)
    at org.springframework.beans.factory.config.YamlProcessor.process(YamlProcessor.java:164)
    at org.springframework.boot.env.OriginTrackedYamlLoader.load(OriginTrackedYamlLoader.java:84)
    at org.springframework.boot.env.YamlPropertySourceLoader.load(YamlPropertySourceLoader.java:50)
    at org.springframework.boot.context.config.StandardConfigDataLoader.load(StandardConfigDataLoader.java:54)
    at org.springframework.boot.context.config.StandardConfigDataLoader.load(StandardConfigDataLoader.java:36)
    at org.springframework.boot.context.config.ConfigDataLoaders.load(ConfigDataLoaders.java:107)
    at org.springframework.boot.context.config.ConfigDataImporter.load(ConfigDataImporter.java:128)
    at org.springframework.boot.context.config.ConfigDataImporter.resolveAndLoad(ConfigDataImporter.java:86)
    at org.springframework.boot.context.config.ConfigDataEnvironmentContributors.withProcessedImports(ConfigDataEnvironmentContributors.java:116)
    at org.springframework.boot.context.config.ConfigDataEnvironment.processInitial(ConfigDataEnvironment.java:240)
    at org.springframework.boot.context.config.ConfigDataEnvironment.processAndApply(ConfigDataEnvironment.java:227)
    at org.springframework.boot.context.config.ConfigDataEnvironmentPostProcessor.postProcessEnvironment(ConfigDataEnvironmentPostProcessor.java:102)
    at org.springframework.boot.context.config.ConfigDataEnvironmentPostProcessor.postProcessEnvironment(ConfigDataEnvironmentPostProcessor.java:94)
    at org.springframework.boot.env.EnvironmentPostProcessorApplicationListener.onApplicationEnvironmentPreparedEvent(EnvironmentPostProcessorApplicationListener.java:102)
    at org.springframework.boot.env.EnvironmentPostProcessorApplicationListener.onApplicationEvent(EnvironmentPostProcessorApplicationListener.java:87)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:176)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:169)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:143)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:131)
    at org.springframework.boot.context.event.EventPublishingRunListener.environmentPrepared(EventPublishingRunListener.java:85)
    at org.springframework.boot.SpringApplicationRunListeners.lambda$environmentPrepared$2(SpringApplicationRunListeners.java:66)
    at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
    at org.springframework.boot.SpringApplicationRunListeners.doWithListeners(SpringApplicationRunListeners.java:120)
    at org.springframework.boot.SpringApplicationRunListeners.doWithListeners(SpringApplicationRunListeners.java:114)
    at org.springframework.boot.SpringApplicationRunListeners.environmentPrepared(SpringApplicationRunListeners.java:65)
    at org.springframework.boot.SpringApplication.prepareEnvironment(SpringApplication.java:343)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:301)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1317)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1306)
    at cc.vayne.Application.main(Application.java:10)
```

Comment From: wilkinsona

As far as we know, the problem above should only occur with Spring Boot 2.7. While not officially supported, the failure above should not occur with SnakeYAML 2.0 and Spring Boot 3.0. Can you please provide a minimal sample that shows a failure with Spring Boot 3.0.3 and SnakeYAML 2.0?

Comment From: DRoppelt

@wilkinsona would you consider supporting a backport of this change to the 2.7.X line? https://github.com/spring-projects/spring-boot/commit/bf5bd4f91c8b5617b589795b4db6a2371b26d5f5#diff-07741e308f54bc7fc66aabb0a1594c1ff8a9785103fb8cdf4c930ad3b44ed2c6

I would submit a PR?

It appears to be both compatible with snakeyaml 1.30 and 2.0

I cannot chime in for reproducing this with spring boot 3.0, we also have this issue with some services that are stuck on 2.7.X (tested with 2.7.9), but would like to upgrade to snakeyaml 2.0 due to the safe defaults it is bringing (not related to spring, but just usage within the app).

Comment From: flashvayne

It seems I made a mistake while testing with SnakeYAML 2.0 and Spring Boot 3.0. It actually works with Spring Boot 3.0. Also would you consider supporting SnakeYAML 2.0 in Spring Boot 2.7.X?

Comment From: wilkinsona

@DRoppelt Yes, that's a change that we're considering: https://github.com/wilkinsona/spring-boot/commit/6aa1ce75b0bade8e21b818d402b6abd9bfc8f57c. It will require further testing and we'll also have to decide how much support we want to add for SnakeYAML 2.0 in maintenance releases.

Comment From: dvag-joerg-winter

@wilkinsona Hi ! "... While not officially supported, the failure above should not occur with SnakeYAML 2.0 and Spring Boot 3.0"

Since there is a Security-Alert for snakeyaml (and we'd like to upgrade to snakeyaml 2.0 by including it in top-level dependencies to fix the alert), could you elaborate a bit, what Spring's recommendation is in this regard?

Comment From: wilkinsona

I assume it's CVE-2022-1471 that's triggering the alert. It's very likely to be a false positive as Spring Boot itself is not vulnerable due to the way it uses SnakeYAML. Unless you're using SnakeYAML in an unsafe manner and passing untrusted input into it, your application is not vulnerable. There's some more background in https://github.com/spring-projects/spring-boot/issues/33457.

You have a few options right now:

  1. Exclude SnakeYAML from your application's build and configure it using application.properties files
  2. If you're using Spring Boot 3, you could upgrade to SnakeYAML 2.0 and see if it works for you
  3. Check your own code for usage of SnakeYAML that is unsafe and ensure that it does not process untrusted input before ignoring the alert

The situation with 2 may improve in time, depending on the outcome of the further testing that we want to do as well as possible changes in Spring Framework being tracked by https://github.com/spring-projects/spring-framework/pull/30048.
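
An added illustration for option 3 above (editorial example, not code from this thread, Spring Boot or SnakeYAML): one way application code can load untrusted YAML so that only standard types are constructed, written against SnakeYAML 2.0 and using only the constructors that take an options argument. The class name `SafeYamlLoading`, the limit values and both sample documents are constructed for this example.

```java
import java.util.Map;

import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

// Added example (hypothetical class name); not from Spring Boot or this thread.
public class SafeYamlLoading {

    // Build a Yaml instance that only constructs standard types (maps, lists,
    // strings, numbers, ...). Every constructor used here takes an options
    // argument; the no-arg Representer()/SafeConstructor() forms are the ones
    // reported missing in the NoSuchMethodError traces in this thread.
    static Yaml newSafeYaml() {
        LoaderOptions loaderOptions = new LoaderOptions();
        loaderOptions.setAllowDuplicateKeys(false);     // reject ambiguous documents
        loaderOptions.setMaxAliasesForCollections(50);  // bound alias expansion
        loaderOptions.setNestingDepthLimit(50);         // bound recursion depth
        loaderOptions.setCodePointLimit(1024 * 1024);   // bound input size (assumed limit)
        DumperOptions dumperOptions = new DumperOptions();
        return new Yaml(new SafeConstructor(loaderOptions),
                new Representer(dumperOptions), dumperOptions, loaderOptions);
    }

    // Parse text from an untrusted source. Anything SnakeYAML refuses
    // (type tags, duplicate keys, exceeded limits, syntax errors) is
    // reported as one exception type the caller can handle.
    static Map<String, Object> parseUntrusted(String text) {
        Object root;
        try {
            root = newSafeYaml().load(text);
        } catch (YAMLException ex) {
            throw new IllegalArgumentException("rejected YAML: " + ex.getMessage(), ex);
        }
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the top level");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) root;
        return map;
    }

    public static void main(String[] args) {
        // Constructed sample: plain data, accepted.
        String plain = "server:\n  port: 8080\nname: demo\n";
        System.out.println("accepted: " + parseUntrusted(plain));

        // Constructed sample: a document that asks the parser to build a
        // specific Java class via a type tag. SafeConstructor has no
        // constructor registered for such tags, so loading fails.
        String tagged = "settings: !!com.example.Settings {name: demo}\n";
        try {
            parseUntrusted(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected tagged document");
        }
    }
}
```

When triaging the alert, the call sites to review are the ones that build a `Yaml` without a `SafeConstructor` and feed it data that does not come from the application's own files.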

Comment From: zhudaxi

@wilkinsona Thanks for providing the options. May I ask the estimated timeline for Spring Boot 2 to pick up SnakeYAML 2.0 ? Thanks.

Comment From: philwebb

@zhudaxi We won't be upgrading to SnakeYAML 2.0 in Spring Boot 2.7.x (which is the last planned 2.x release) since it's a major version bump. We will try to make it possible for users to upgrade themselves, but we don't have an estimate for when that will happen.

Comment From: AkashMukhopadhyay25

@wilkinsona , I'm facing the same issue with snakeYaml 2.0 and micronaut 3.4.1. I've tried upgrading micronaut to the latest 3.8.6 too. But I still am facing the same issue. Is snakeYaml 2.0 compatible with any version of micronaut?

Comment From: wilkinsona

@AkashMukhopadhyay25 I have no idea. That's a question for the Micronaut team.

Comment From: sourabhsparkala

Hello All,

From the above discussion, it is still unclear if SnakeYaml 2.0 is compatible with Spring Boot 3.0.x or not. Could someone clarify?

Thanks Sourabh

Comment From: sportymsk

> Exclude SnakeYAML from your application's build and configure it using application.properties files

@wilkinsona, can you elaborate option 1 provided here bit more?

Comment From: wilkinsona

> From the above discussion, it is still unclear if SnakeYaml 2.0 is compatible with Spring Boot 3.0.x or not. Could someone clarify?

@flashvayne has tried it and it worked for them:

> It seems I made a mistake while testing with SnakeYAML 2.0 and Spring Boot 3.0. It actually works with Spring Boot 3.0.

You are encouraged to do the same experiment:

> If you're using Spring Boot 3, you could upgrade to SnakeYAML 2.0 and see if it works for you

However, you should note that SnakeYAML 2.0 is not yet officially supported with any version of Spring Boot but this may change in the future, as already stated above:

> The situation with […] may improve in time, depending on the outcome of the further testing that we want to do as well as possible changes in Spring Framework being tracked by https://github.com/spring-projects/spring-framework/pull/30048.

We have not yet done all of that testing. This issue will be used to communicate its outcome.

Comment From: wilkinsona

> > Exclude SnakeYAML from your application's build and configure it using application.properties files
>
> @wilkinsona, can you elaborate option 1 provided here bit more?

@sportymsk, Spring Boot doesn't require Snake YAML. It's only used if you choose to configure your application using YAML files rather than properties files. It's a dependency of spring-boot-starter purely for convenience and if you don't use YAML configuration files it can be excluded using the appropriate configuration in your build.gradle or pom.xml file.

Comment From: asomov

@wilkinsona feel free to ping me if you need any help with SnakeYAML for Spring Boot 3. By the way, I fully support your proposals here. (this false positive CVE-2022-1471 drives me crazy - we have lost so much time for nothing)

Comment From: jliu1970

We recently also ran into Springboot 2.7.7 and 2.7.8 issue with snakeyaml 1.33:

```
java.lang.NoSuchMethodError: org.yaml.snakeyaml.representer.Representer: method 'void <init>()' not found
        at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:80) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.env.OriginTrackedYamlLoader.createYaml(OriginTrackedYamlLoader.java:75) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.beans.factory.config.YamlProcessor.process(YamlProcessor.java:164) ~[spring-beans-5.3.24.jar!/:5.3.24]
        at org.springframework.boot.env.OriginTrackedYamlLoader.load(OriginTrackedYamlLoader.java:88) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.env.YamlPropertySourceLoader.load(YamlPropertySourceLoader.java:50) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at com.microsoft.azure.spring.autoconfigure.aad.YamlFileApplicationContextInitializer.yamlPropertySourceLoad(YamlFileApplicationContextInitializer.java:34) ~[azure-spring-boot-2.0.8.jar!/:?]
        at com.microsoft.azure.spring.autoconfigure.aad.YamlFileApplicationContextInitializer.initialize(YamlFileApplicationContextInitializer.java:48) ~[azure-spring-boot-2.0.8.jar!/:?]
        at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:604) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:373) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:306) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1303) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1292) ~[spring-boot-2.7.7.jar!/:2.7.7]
        at com.msi.location.servicecentralsim.ServiceCentralSimApplication.main(ServiceCentralSimApplication.java:11) ~[classes!/:0.0.1-SNAPSHOT]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) ~[app.jar:0.0.1-SNAPSHOT]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:108) ~[app.jar:0.0.1-SNAPSHOT]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) ~[app.jar:0.0.1-SNAPSHOT]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65) ~[app.jar:0.0.1-SNAPSHOT]
```

Comment From: jliu1970

Any suggestion on how to get around this?

Comment From: wilkinsona

@jliu1970 I would not expect that error with SnakeYAML 1.33 as org.yaml.snakeyaml.representer.Representer has a default constructor in that version. If you can reproduce the problem, please open a new issue with a minimal sample that does so.

Comment From: jliu1970

Thanks for commenting, @wilkinsona. I will try to reproduce the issue and will open a new issue if that is reproducible. Jimmy

Comment From: dVenkatNaveen

Even I have faced a similar issue while I tried to update snakeyaml from 1.33 to 2.0.

Getting the below error:

```
Exception in thread "main" java.lang.NoSuchMethodError: org.yaml.snakeyaml.parser.ParserImpl.<init>(Lorg/yaml/snakeyaml/reader/StreamReader;)V
    at com.fasterxml.jackson.dataformat.yaml.YAMLParser.<init>(YAMLParser.java:159)
    at com.fasterxml.jackson.dataformat.yaml.YAMLFactory._createParser(YAMLFactory.java:455)
    at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:357)
    at org.elasticsearch.common.xcontent.yaml.YamlXContent.createParser(YamlXContent.java:84)
    at org.elasticsearch.common.settings.Settings$Builder.loadFromStream(Settings.java:1103)
    at org.elasticsearch.common.settings.Settings$Builder.loadFromPath(Settings.java:1086)
    at org.elasticsearch.node.InternalSettingsPreparer.prepareEnvironment(InternalSettingsPreparer.java:83)
    at org.elasticsearch.cli.EnvironmentAwareCommand.createEnv(EnvironmentAwareCommand.java:100)
    at org.elasticsearch.cli.EnvironmentAwareCommand.createEnv(EnvironmentAwareCommand.java:91)
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
    at org.elasticsearch.cli.Command.main(Command.java:90)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
    at org.elasticsearch.bootstrap.ElasticsearchAdapter.start(ElasticsearchAdapter.java:62)
    at org.elasticsearch.bootstrap.ElasticsearchAdapter.main(ElasticsearchAdapter.java:172)
```

Comment From: Abahafart

Hello, could you help me? I have the same issue and I'm working with spring 3.0.0, here the details

```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.0.0</version>
</parent>
<snakeyaml.version>2.0</snakeyaml.version>
```

```
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'liquibase' defined in class path resource [org/springframework/boot/autoconfigure/liquibase/LiquibaseAutoConfiguration$LiquibaseConfiguration.class]: org.yaml.snakeyaml.constructor.SafeConstructor: method 'void <init>()' not found
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1751) ~[spring-beans-6.0.2.jar:6.0.2]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:599) ~[spring-beans-6.0.2.jar:6.0.2]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:521) ~[spring-beans-6.0.2.jar:6.0.2]
    at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:326) ~[spring-beans-6.0.2.jar:6.0.2]
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-6.0.2.jar:6.0.2]
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:324) ~[spring-beans-6.0.2.jar:6.0.2]
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200) ~[spring-beans-6.0.2.jar:6.0.2]
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:313) ~[spring-beans-6.0.2.jar:6.0.2]
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200) ~[spring-beans-6.0.2.jar:6.0.2]
    at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1130) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:905) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:584) ~[spring-context-6.0.2.jar:6.0.2]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:730) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:432) ~[spring-boot-3.0.0.jar:3.0.0]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:308) ~[spring-boot-3.0.0.jar:3.0.0]
Caused by: java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.SafeConstructor: method 'void <init>()' not found
    at liquibase.parser.core.yaml.YamlChangeLogParser.parse(YamlChangeLogParser.java:24) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.Liquibase.getDatabaseChangeLog(Liquibase.java:408) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.Liquibase.getDatabaseChangeLog(Liquibase.java:393) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.Liquibase.lambda$update$1(Liquibase.java:249) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.Scope.lambda$child$0(Scope.java:180) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.Scope.child(Scope.java:189) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.Scope.child(Scope.java:179) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.Scope.child(Scope.java:158) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.Liquibase.runInScope(Liquibase.java:2447) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.Liquibase.update(Liquibase.java:236) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.Liquibase.update(Liquibase.java:221) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.integration.spring.SpringLiquibase.performUpdate(SpringLiquibase.java:328) ~[liquibase-core-4.17.2.jar:na]
    at liquibase.integration.spring.SpringLiquibase.afterPropertiesSet(SpringLiquibase.java:283) ~[liquibase-core-4.17.2.jar:na]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1797) ~[spring-beans-6.0.2.jar:6.0.2]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1747) ~[spring-beans-6.0.2.jar:6.0.2]
    ... 17 common frames omitted
```


**Comment From: asomov**

@Abahafart as far as I know, liquibase already fixed the issue. 

**Comment From: wilkinsona**

Thanks, @asomov. @Abahafart, https://github.com/liquibase/liquibase/pull/3893 is the change in Liquibase. If you have any further questions about Liquibase's compatibility please follow up with the Liquibase community as it is out of Spring Boot's control.

**Comment From: Nicoagarciac**

Hello, could you help me? I have these versions

     <spring-framework-version>5.3.20</spring-framework-version>
    <spring-boot-version>2.5.12</spring-boot-version>
    <snakeyaml.version>2.0</snakeyaml.version>
     JDK 11

We are currently working to migrate from java 11 to 17, but I wanted to know if with the current dependency versions SnakeYAML 2.0 works, or I have to migrate to JDK 17 and spring 3 to fix the NoSuchMethodError

**Comment From: asomov**

@Nicoagarciac migration to another version of SnakeYAML is completely independent from migration to another Java. Separate the two.

**Comment From: wilkinsona**

@Nicoagarciac Spring Boot 2.5.x is [no longer supported](https://spring.io/projects/spring-boot#support). If you are using `application.yaml` files, SnakeYAML 2.0 will not work with it. To use Spring Boot 2.x with SnakeYAML 2.0 you will have to upgrade to Spring Boot 2.7.10 when it is released later this week.

**Comment From: sportymsk**

> > > Exclude SnakeYAML from your application's build and configure it using application.properties files
> 
> > @wilkinsona, can you elaborate option 1 provided here bit more?
> 
> @sportymsk, Spring Boot doesn't require Snake YAML. It's only used if you choose to configure your application using YAML files rather than properties files. It's a dependency of `spring-boot-starter` purely for convenience and if you don't use YAML configuration files it can be excluded using the appropriate configuration in your `build.gradle` or `pom.xml` file.

We are on spring boot version 2.7.6 and snakeyaml 1.33. For us, changing the application.yml to application.properties and excluding the snakeyaml from dependency fixed the issue. Thanks @wilkinsona 

**Comment From: sandipbhttachrya**

> @Nicoagarciac Spring Boot 2.5.x is [no longer supported](https://spring.io/projects/spring-boot#support). If you are using `application.yaml` files, SnakeYAML 2.0 will not work with it. To use Spring Boot 2.x with SnakeYAML 2.0 you will have to upgrade to Spring Boot 2.7.10 when it is released later this week.

Hi @wilkinsona , may I know the planned release date of Spring Boot 2.7.x with SnakeYAML 2.0? We have critical release for our products which is on hold due to this support unavailability till date. would appreciate if you kindly let me know it's availability. Thanks!

**Comment From: philwebb**

@sandipbhttachrya We won't be upgrading Spring Boot 2.7.x to use SnakeYAML 2.0 by default, however, Spring Boot 2.7.10 will allow you to upgrade the dependency yourself and not suffer the `NoSuchMethodError`. We plan to release 2.7.10 tomorrow. For future reference, the [milestones](https://github.com/spring-projects/spring-boot/milestones) page has target release dates.

**Comment From: rowi1de**

was this fixed in Spring 2.7.10?
https://docs.spring.io/spring-boot/docs/2.7.10/reference/html/dependency-versions.html still lists snakeyaml 1.33?

I'm getting

```shell
***************************
APPLICATION FAILED TO START
***************************

Description:

An attempt was made to call a method that does not exist. The attempt was made from the following location:

    com.fasterxml.jackson.dataformat.yaml.YAMLParser.<init>(YAMLParser.java:178)

The following method did not exist:

    'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'

The calling method's class, com.fasterxml.jackson.dataformat.yaml.YAMLParser, was loaded from the following location:

    jar:file:/Users/r/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.13.5/fa79b136b42d37b588b5e7bb77e46897583b9fc8/jackson-dataformat-yaml-2.13.5.jar!/com/fasterxml/jackson/dataformat/yaml/YAMLParser.class

The called method's class, org.yaml.snakeyaml.parser.ParserImpl, is available from the following locations:

    jar:file:/Users/r/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/2.0/3aab2116756442bf0d4cd1c089b24d34c3baa253/snakeyaml-2.0.jar!/org/yaml/snakeyaml/parser/ParserImpl.class

The called method's class hierarchy was loaded from the following locations:

    org.yaml.snakeyaml.parser.ParserImpl: file:/Users/r/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/2.0/3aab2116756442bf0d4cd1c089b24d34c3baa253/snakeyaml-2.0.jar


Action:

Correct the classpath of your application so that it contains compatible versions of the classes com.fasterxml.jackson.dataformat.yaml.YAMLParser and org.yaml.snakeyaml.parser.ParserImpl
```

It works with "2.14.2" when I override jackson-bom

Comment From: wilkinsona

@rowi1de that's an incompatibility between Jackson and SnakeYAML which is out of Spring Boot's control. Please see https://github.com/spring-projects/spring-boot/issues/34527 for some further details.

Comment From: rowi1de

> @rowi1de that's an incompatibility between Jackson and SnakeYAML which is out of Spring Boot's control. Please see #34527 for some further details.

Thanks @wilkinsona ... however at some point spring will update Jackson to a newer version (that is compatible) again or? As mentioned overriding jackson-bom with 2.14.2 works with spring boot 2.7.10 (sorry about duplicate comments, GitHub had a hiccup)

Comment From: wilkinsona

We have already upgraded to Jackson 2.14 in Boot 3.0. Boot 2.7.x will not upgrade to 2.14 as we generally do not upgrade to new minor versions of dependencies in maintenance releases of Spring Boot. If you are using Jackson's YAML support and manually upgrading SnakeYAML to 2.0, you should also upgrade Jackson as needed.

Comment From: Salzie

@wilkinsona I see that the Spring boot 2.7.10 release notes mention that this bug related to SnakeYAML 2.0 incompatibility has been fixed in 2.7.10. But the linked PR shows "Declined". Can you please provide a confirmation whether or not SnakeYAML 2.0 is compatible with 2.7.10?

Comment From: wilkinsona

@Salzie I'm not sure which PR you are referring to, but I can confirm that Spring Boot 2.7.10's application.yaml loading is compatible with SnakeYAML 2.0.

Comment From: sheetalj2205

I am also facing a similar problem. On upgrading the version of org.yaml:snakeyaml to 2.0, I am getting this error: java.lang.NoSuchMethodError: org.yaml.snakeyaml.representer.Representer: method <init>()V not found

My project has so many vulnerabilities and my Java version is 11 gradle version - 6.7.1 org.springframework.boot' version '2.4.2' com.jfrog.artifactory' version '4.17.2'

I don't want to change the Java version. Can anyone tell me how can I fix these security issues of JFrog?

Comment From: wilkinsona

@sheetalj2205 To use SnakeYAML 2.0 you'll need to upgrade to Spring Boot 2.7.10. You don't need to upgrade your Java version to do so as, like Spring Boot 2.4, Spring Boot 2.7.10 requires Java 8 or later.

Comment From: sheetalj2205

> @sheetalj2205 To use SnakeYAML 2.0 you'll need to upgrade to Spring Boot 2.7.10. You don't need to upgrade your Java version to do so as, like Spring Boot 2.4, Spring Boot 2.7.10 requires Java 8 or later.

On changing the versions of both spring-boot and snakeyaml, I am getting this error

```
An exception occurred applying plugin request [id: 'org.springframework.boot', version: '2.7.10']
> Failed to apply plugin 'org.springframework.boot'.
   > Spring Boot plugin requires Gradle 6.8.x, 6.9.x, or 7.x. The current version is Gradle 6.7.1
```

Comment From: sheetalj2205

I am also getting vulnerabilities for these artifacts in JFrog, how can I fix these security vulnerabilities? Because changing some of them to the fixed version suggested by JFrog is not compatible with Java 11.

io.dropwizard:dropwizard-validation 
commons-beanutils:commons-beanutils
com.fasterxml.jackson.core:jackson-databind 
net.minidev:json-smart
commons-fileupload:commons-fileupload
org.apache.tomcat.embed:tomcat-embed-core
com.fasterxml.jackson.core:jackson-databind 
org.apache.commons:commons-compress 
org.springframework:spring-core 

Comment From: snicoll

@sheetalj2205 unfortunately, that's not the right place to ask. You've mentioned you're using Gradle 6.7 and Spring Boot 2.7.10 requires Gradle 6.8.x at a minimum:

> Spring Boot plugin requires Gradle 6.8.x, 6.9.x, or 7.x.

If you have further questions, please use StackOverflow.

Comment From: asomov

The amount of work because of this false positive is enormous. Why not keep using SnakeYAML 1.*?

Comment From: DManstrator

Would it be possible to get that backport mentioned above also for SB 2.6? I have an application where I can't update to SB 2.7. The issue is from what I saw, that Spring Security was changed and is generating a new JSESSIONID for each request which interferes with the UI. I was not able to resolve that yet.

Comment From: wilkinsona

@DManstrator We have no plans to back port the changes. Firstly, Spring Boot 2.6.x is no longer supported. Secondly, unless you are passing untrusted input to SnakeYAML for processing, the CVE is a false positive. You can safely use application.yaml without being vulnerable as it is trusted input. If, out of an abundance of caution, you want to eliminate the dependency anyway, you can configure your application using application.properties and exclude the SnakeYAML dependency.

Comment From: DManstrator

@wilkinsona Thank you for your fast answer. Sad to hear that SB 2.6.X is no longer supported but also understandable.

I'm not using SnakeYAML directly, I'm using it over Liquibase. The newest Liquibase (4.21.0) already supports SnakeYAML 2.0 but due to using spring-boot-dependencies (which itself uses SnakeYAML 1.27 in SB 2.6), SnakeYAML 2.0 is not used. To avoid the CVE I tried to add an Override for SnakeYAML which failed due to incompatibility.

But from what you said I guess that the CVE still counts as a false-positive for me?

Comment From: wilkinsona

Yes, I think so. Your Liquibase change logs are trusted input so you are not at risk. You also have the option of upgrading both SnakeYAML and Liquibase using the snakeyaml.version and liquibase.version properties.

Comment From: DManstrator

Thank you very much.

However, I'm not sure what you mean with the upgrade of both versions. It's already possible for me to use latest SB 2.6.X, Liquibase 4.21.0 and SnakeYAML 1.33. And due to being stuck on SB 2.6.X, I cannot update any of those anymore, can I?

Comment From: mrpiggi

https://docs.spring.io/spring-boot/docs/2.6.14/reference/htmlsingle/#using.build-systems.dependency-management

https://docs.spring.io/spring-boot/docs/2.6.14/reference/htmlsingle/#appendix.dependency-versions.properties

Comment From: wilkinsona

@DManstrator I was assuming an upgrade to Spring Boot 2.7 where you can then upgrade to SnakeYAML 2.0 and, hopefully, Liquibase 4.21.0. IMO, a far better option for your situation is to configure your security scanning tool so that it ignores CVE-2022-1471 (or whichever problem it has identified that requires untrusted input to exploit).

Unfortunately, security scanners remain very blunt instruments and their output cannot be used directly. Instead, you should consider each vulnerability that it highlights as a possible problem that requires further investigation. The outcome of that investigation could be that you need to upgrade a dependency, but it could also be that you ignore the warning as a false positive.

Comment From: DManstrator

As mentioned before, I can't update to SB 2.7 due to another issue regarding JSESSIONIDs.

But I can confirm from another project that SB 2.7.10, Liquibase 4.21 and SnakeYAML 2.0 work together.

Comment From: shreeparnas

SB 2.7.11 and SnakeYAML 2.0 don't work together. Gives the same error.

Comment From: wilkinsona

@shreeparnas We have tests that verify that the error no longer occurs. Perhaps it's some other code that's calling SnakeYAML in an incompatible manner? If you're seeing a NoSuchMethodError caused by code in Spring Boot (from a class within an org.springframework.boot package) calling SnakeYAML, can you please open a new issue with a minimal example that reproduces the problem?

Comment From: sheetalj2205

Hello, @wilkinsona Can you please tell me how can I fix the security vulnerabilities if I am using spring-boot: 2.4.2 with gradle: 6.7.1 and Java 11? I don't want to change my Java version. Is there any way to get rid of all these around 40 vulnerabilities?

Comment From: wilkinsona

@sheetalj2205, Spring Boot 2.7.x requires Java 8 or later so there's no need to change your Java version. You should upgrade to Spring Boot 2.7.x and Gradle 6.8.x or later. If you have any further questions, please follow up on Stack Overflow or Gitter. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.

Comment From: sheetalj2205

> @sheetalj2205, Spring Boot 2.7.x requires Java 8 or later so there's no need to change your Java version. You should upgrade to Spring Boot 2.7.x and Gradle 6.8.x or later. If you have any further questions, please follow up on Stack Overflow or Gitter. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.

But @wilkinsona, spring-boot: 2.7.x also has so many vulnerabilities. I changed the version of both gradle and spring-boot and there are still so many security vulnerabilities that I can see in the JFrog Xray data. How can I fix this?

Comment From: asomov

@sheetalj2205 feel free to report a bug in JFrog Xray. They create a false positive.

Comment From: wilkinsona

Unfortunately, security scans cannot be taken at face value and they often report many false positives. For each vulnerability that a scan identifies, you will have to identify whether or not your application is actually affected. If it isn't, you may want to configure the scanner so that the false positive is ignored in the future. If your application is affected, you will then have to determine how to address the problem. That could be changing a configuration setting or updating a dependency for example.

Comment From: kpavan3697

I am facing NoSuchMethod error after upgrading spring to 2.7.11 and snakeyaml to 2.0.

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dataServiceConfigurationManager': Invocation of init method failed; nested exception is java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'
Caused by: java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'

Comment From: wilkinsona

@kpavan3697 That doesn't look to be related to loading application.yml which is the subject of this issue. Your problem appears to be the creation of a dataServiceConfigurationManager bean. It, or something upon which it depends, appears to be using SnakeYAML in a way that isn't compatible with 2.0. The complete stack trace of the NoSuchMethodError should identify the code that needs to be updated.

Comment From: kpavan3697

@wilkinsona Please find the stack trace below for the error

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dataServiceConfigurationManager': Invocation of init method failed; nested exception is java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:160) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:440) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1796) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:620) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:955) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:920) ~[spring-context-5.3.27.jar:5.3.27]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:583) ~[spring-context-5.3.27.jar:5.3.27]
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:399) ~[spring-web-5.3.27.jar:5.3.27]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:278) ~[spring-web-5.3.27.jar:5.3.27]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103) ~[spring-web-5.3.27.jar:5.3.27]
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4768) ~[catalina.jar:9.0.50]
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5230) ~[catalina.jar:9.0.50]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[catalina.jar:9.0.50]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:728) ~[catalina.jar:9.0.50]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:700) ~[catalina.jar:9.0.50]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:696) ~[catalina.jar:9.0.50]
at org.apache.catalina.startup.HostConfig.manageApp(HostConfig.java:1783) ~[catalina.jar:9.0.50]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:293) ~[tomcat-coyote.jar:9.0.50]
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:809) ~[?:?]
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801) ~[?:?]
at org.apache.catalina.mbeans.MBeanFactory.createStandardContext(MBeanFactory.java:460) ~[catalina.jar:9.0.50]
at org.apache.catalina.mbeans.MBeanFactory.createStandardContext(MBeanFactory.java:408) ~[catalina.jar:9.0.50]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:293) ~[tomcat-coyote.jar:9.0.50]
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:809) ~[?:?]
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801) ~[?:?]
at com.sun.jmx.remote.security.MBeanServerAccessController.invoke(MBeanServerAccessController.java:468) ~[?:?]
at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1466) ~[?:?]
at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1307) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1406) ~[?:?]
at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:827) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:359) ~[?:?]
at sun.rmi.transport.Transport$1.run(Transport.java:200) ~[?:?]
at sun.rmi.transport.Transport$1.run(Transport.java:197) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
at sun.rmi.transport.Transport.serviceCall(Transport.java:196) ~[?:?]
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:562) ~[?:?]
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:796) ~[?:?]
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:677) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:676) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
at java.lang.Thread.run(Thread.java:829) ~[?:?]
Caused by: java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'
at com.fasterxml.jackson.dataformat.yaml.YAMLParser.<init>(YAMLParser.java:178) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]
at com.fasterxml.jackson.dataformat.yaml.YAMLFactory._createParser(YAMLFactory.java:466) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]
at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:368) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]
at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:15) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3666) ~[jackson-databind-2.13.5.jar:2.13.5]
at com.xyz.dataplatform.configuration.DataServiceConfigurationManager.loadConfigurationFiles(DataServiceConfigurationManager.java:155) ~[data-service-retrieval-2.23.jar:2.23]
at com.xyz.dataplatform.configuration.DataServiceConfigurationManager.init(DataServiceConfigurationManager.java:117) ~[data-service-retrieval-2.23.jar:2.23]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:389) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:333) ~[spring-beans-5.3.27.jar:5.3.27]
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:157) ~[spring-beans-5.3.27.jar:5.3.27]
... 60 more

Comment From: scottfrederick

@kpavan3697 The error says Error creating bean with name 'dataServiceConfigurationManager'. This dataServiceConfigurationManager bean is not part of Spring Boot so there's nothing we can do to help you. If this bean is in your application, then you will need to change your code in a way that is compatible with SnakeYaml 2.0. If this bean is in a library you are using in your application, you will need to contact the vendor of that library.

Comment From: DRoppelt

Caused by: java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'
at com.fasterxml.jackson.dataformat.yaml.YAMLParser.<init>(YAMLParser.java:178) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]

there you go, jackson-dataformat-yaml, which you could try to change to a more recent version via jackson-bom.version property. 3.0.6 is on 2.14.2 as a reference.

From what it looks like, their repo is here https://github.com/FasterXML/jackson-dataformats-text I dug into the history and it appears that they have fixed it with 2.14 https://github.com/FasterXML/jackson-dataformats-text/pull/371/files

Maybe they would accept a backport to 2.13, from my understanding that should be compatible in their 2.13 line

e: judging by the context within the PR, if you can adjust the caller to inject a non-null loaderOptions, the deprecated method should also not be called, therefore preventing NoSuchMethodError
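
Added example (not part of the original thread, and not Spring Boot or Jackson code): a Python triage script for the advice repeated above, that the stack trace of the NoSuchMethodError identifies the code that needs updating. It picks the innermost NoSuchMethodError, then reports the class whose method is missing and the first frame beneath it, which is the caller compiled against the old SnakeYAML signature. The names `triage` and `Finding` are made up for this example, and the sample is abridged from the trace posted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Header of a throwable whose own type is NoSuchMethodError (top level or "Caused by:").
_HEADER = re.compile(r"^(?:Caused by: )?java\.lang\.NoSuchMethodError: (?P<detail>.+)$")
# Message layouts that appear in this thread, tried in order:
#   pkg.Cls: method 'void <init>()' not found
#   'void pkg.Cls.<init>(pkg.Arg)'   (also tolerates "<init>" lost in extraction)
_MISSING = [
    re.compile(r"^(?P<cls>[\w.$]+): method "),
    re.compile(r"'\S+ (?P<cls>[\w.$]+)\.(?:<init>|[\w$]*)\("),
]
# "at pkg.Cls.method(File.java:12) ~[artifact-1.2.jar:1.2]"; the jar suffix is optional.
_FRAME = re.compile(
    r"^\s*at (?P<cls>[\w.$/]+)\.(?:<init>|<clinit>|[\w$]*)\((?P<src>[^)]*)\)"
    r"(?:\s+~?\[(?P<jar>[^\]:]+)(?::[^\]]*)?\])?"
)


@dataclass
class Finding:
    missing_class: str         # class whose constructor/method is absent at runtime
    caller_class: str          # class compiled against the old signature
    caller_location: str       # File.java:line of the failing call
    caller_jar: Optional[str]  # jar that ships the caller, when the logger printed it
    spring_boot_caller: bool   # True only for classes in an org.springframework.boot package


def triage(trace: str) -> Optional[Finding]:
    """Return who called the missing method, or None if no NoSuchMethodError is found."""
    lines = trace.splitlines()
    # Causes are printed outermost first, so the last header is the root cause.
    headers = [(i, m) for i, ln in enumerate(lines) if (m := _HEADER.match(ln.strip()))]
    if not headers:
        return None
    index, header = headers[-1]
    missing = next((m.group("cls") for p in _MISSING
                    if (m := p.search(header.group("detail")))), "unknown")
    # The first frame under that header is the call site that failed to link.
    for line in lines[index + 1:]:
        frame = _FRAME.match(line)
        if frame:
            jar, cls = frame.group("jar"), frame.group("cls")
            return Finding(missing, cls, frame.group("src"),
                           None if jar in (None, "?") else jar,
                           cls.startswith("org.springframework.boot."))
    return None


# Abridged from the trace posted in this thread.
SAMPLE = """\
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dataServiceConfigurationManager': Invocation of init method failed; nested exception is java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'
    at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:160) ~[spring-beans-5.3.27.jar:5.3.27]
Caused by: java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'
    at com.fasterxml.jackson.dataformat.yaml.YAMLParser.<init>(YAMLParser.java:178) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]
    at com.fasterxml.jackson.dataformat.yaml.YAMLFactory._createParser(YAMLFactory.java:466) ~[jackson-dataformat-yaml-2.13.5.jar:2.13.5]
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `spring_boot_caller` of `False` means the incompatible call sits in another library or in application code, which is the case the maintainers redirect elsewhere in this thread.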

Comment From: timmussack

Upgrading Jackson to v 2.15.0 seems to fix this error when using SB 2.7.11 and snakeYAML 2.0.

Comment From: orchestr7

@wilkinsona sorry for bothering again with this infinite issue, but I also have the same problem with the following dependencies. Maybe you have seen it already and know the reason? 🙏

+--- org.springframework.boot:spring-boot-dependencies:2.7.12
+--- org.yaml:snakeyaml:2.0
+--- com.fasterxml.jackson.core:jackson-core:2.13.5 -> 2.14.2 (c) (this version comes with SB 2.7.*)

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [io.kubernetes.client.openapi.ApiClient]: Factory method 'defaultApiClient' threw exception; nested exception is java.lang.NoSuchMethodError: org.yaml.snakeyaml.constructor.SafeConstructor: method 'void <init>()' not found

Do you have any ideas on the reason? Maybe you have faced it already? 🙏

Very small spring boot service: https://github.com/saveourtool/save-cloud/tree/master/api-gateway :

./gradlew apiGateway:bootRun

problem comes from spring-cloud which uses old io.kubernetes:client-java, that is in conflict with latest snakeyaml:

+--- org.springframework.cloud:spring-cloud-starter-kubernetes-client-config:2.1.7
|    +--- org.springframework.cloud:spring-cloud-kubernetes-commons:2.1.7
|    |    +--- org.springframework.boot:spring-boot-autoconfigure:2.6.14 -> 2.7.12 (*)
|    |    +--- org.springframework.cloud:spring-cloud-commons:3.1.6 (*)
|    |    +--- org.springframework.cloud:spring-cloud-context:3.1.6 (*)
|    |    \--- javax.annotation:javax.annotation-api:1.3.2
|    +--- org.springframework.cloud:spring-cloud-kubernetes-client-autoconfig:2.1.7
|    |    +--- org.springframework.cloud:spring-cloud-kubernetes-commons:2.1.7 (*)
**|    |    +--- io.kubernetes:client-java:13.0.2**

Comment From: wilkinsona

It looks like io.kubernetes.client.openapi.ApiClient or something that it references isn't compatible with SnakeYAML 2.0. The complete stack trace will show you exactly where the incompatibility lies.

If you have any further questions, please follow up on Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.

Comment From: markus-winkler

Downgrade your jackson implementation for parsing YAML and this should solve this issue. I had the same one.

Comment From: hridya97

Hello, @wilkinsona we have upgraded snakeyaml from 1.32 to 2.0 as part of a vulnerability fix. Our application is on Spring Framework version 4.3.25 and Java version 11. On upgrading, the application runs with the error below:

java.lang.NoSuchMethodError: 'void org.yaml.snakeyaml.parser.ParserImpl.<init>(org.yaml.snakeyaml.reader.StreamReader)'
    at com.fasterxml.jackson.dataformat.yaml.YAMLParser.<init>(YAMLParser.java:178)
    at com.fasterxml.jackson.dataformat.yaml.YAMLFactory._createParser(YAMLFactory.java:466)
    at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:368)
    at com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createParser(YAMLFactory.java:15)
    at io.dropwizard.configuration.BaseConfigurationFactory.createParser(BaseConfigurationFactory.java:113)
    at io.dropwizard.configuration.BaseConfigurationFactory.build(BaseConfigurationFactory.java:86)
    at io.dropwizard.cli.ConfiguredCommand.parseConfiguration(ConfiguredCommand.java:139)
    at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:85)
    at io.dropwizard.cli.Cli.run(Cli.java:78)

Is spring 4.3.25 not compatible with snake-yaml 2.0? Could you please provide a suggestion on what can be done here? Thanks

Comment From: bclozel

@hridya97 this is the Spring Boot issue tracker, so this is not relevant here. Spring Framework 4.3 has been end of life for 3 years now, you can check the currently supported versions on the project page.

Looking at the stacktrace you've provided, this doesn't involve Spring at all so I guess you should reach out to the dropwizard community instead.