[Bug]: Vulnerable Dependency CVE NVD 9.8 Snakeyaml

[ZachChuba]

Module

Core

Testcontainers version

1.20.1

Using the latest Testcontainers version?

Yes

Host OS

MacOS

Host Arch

ARM

Docker version

Client:
 Version:           26.1.4
 API version:       1.45
 Go version:        go1.21.11
 Git commit:        5650f9b
 Built:             Wed Jun  5 11:26:02 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

What happened?

The testcontainers core shades snakeyaml 1.33 into the jar. Snakeyaml 1.33 is vulnerable to CVE-2022-1471. Even though the code does not appear vulnerable to this issue because it uses SafeConstructor, enterprises may blacklist testcontainers for the mere presence of snakeyaml 1.33. Please consider upgrading to snakeyaml 2.0 or higher.

Relevant log output

No response

Additional Information

https://nvd.nist.gov/vuln/detail/CVE-2022-1471

[mranjit]

I can see that the latest versions of snakeyaml do not have any vulnerabilities(https://mvnrepository.com/artifact/org.yaml/snakeyaml). Is upgrading to the latest version the only expectation? Then, I can create a pull request to upgrade it.

[ZachChuba]

Yes version 2.0 and above remediate it, upgrading to 2.2 would work

[eddumelendez]

Please, do not open a PR for this. We should take into account when update a dependency to a major version when doing patch and minor releases.

[PiotrSierkin-Ki]

Any updates on the status of this vulnerability? It is causing some concerns for us.

cc @eddumelendez

[Orbifoldt]

Also for us, Nexus IQ/Sonatype is blocking this