Update to Snakeyaml 2.2 (#662)

This closes #660

Co-authored-by: Georg Henzler <[email protected]>

Author: kwin

accesscontroltool-bundle/bnd.bnd

@@ -16,3 +16,6 @@ org.apache.sling.commons.scheduler.*;resolution:=optional,\
 org.apache.jackrabbit.oak.spi.security.principal;version="[1.5.0,3)",\
 !jakarta.servlet*,\
 *
+
+# snakeyaml 2.0 uses multi version jars which are not supported: https://github.com/bndtools/bnd/issues/3514
+-fixupmessages "Classes found in the wrong directory"; restrict:=error; is:=warning

accesscontroltool-bundle/pom.xml

@@ -209,7 +209,18 @@
                         <skip>false</skip><!-- only enable in specific submodules -->
                         <suppressionFile>${project.basedir}/suppression.xml</suppressionFile>
                     </configuration>
-                 </plugin>
+                </plugin>
+                <plugin>
+                    <groupId>org.jacoco</groupId>
+                    <artifactId>jacoco-maven-plugin</artifactId>
+                    <configuration>
+                        <excludes>
+                            <!-- Exclude multi-version snakeyaml for Jacoco due to https://github.com/jacoco/jacoco/issues/407 -->
+                            <exclude>snakeyaml-2.2.jar</exclude>
+                            <exclude>tomcat-*.jar</exclude>
+                        </excludes>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>

accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/configreader/YamlConfigurationAdminPluginScalarConstructor.java

@@ -6,6 +6,7 @@
 import org.osgi.service.cm.ConfigurationPlugin;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.constructor.AbstractConstruct;
 import org.yaml.snakeyaml.constructor.Constructor;
 import org.yaml.snakeyaml.env.EnvScalarConstructor;
@@ -23,7 +24,7 @@
  * Usually this is called with 
  * <a href="https://github.com/apache/felix-dev/tree/master/configadmin-plugins/interpolation">Felix Configadmin Interpolation Plugin</a>.
  * 
- * @see <a href="https://bitbucket.org/asomov/snakeyaml/wiki/Variable%20substitution">Variable substitution</a>
+ * @see <a href="https://bitbucket.org/snakeyaml/snakeyaml/wiki/Variable%20substitution">Variable substitution</a>
  *
  */
 public class YamlConfigurationAdminPluginScalarConstructor extends Constructor {
@@ -37,6 +38,7 @@ public class YamlConfigurationAdminPluginScalarConstructor extends Constructor {
     private final InstallationLogger installLog;
 
     public YamlConfigurationAdminPluginScalarConstructor(InstallationLogger installLog, ConfigurationPlugin interpolationPlugin) {
+        super(new LoaderOptions());
         this.yamlConstructors.put(TAG, new ConstructYamlConfigurationAdminPlugin());
         this.interpolationPlugin = interpolationPlugin;
         this.installLog = installLog;

accesscontroltool-bundle/suppression.xml

@@ -1,10 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-       <notes><![CDATA[
-Snakeyaml 2.0.0 is not out yet, and the yaml is only executed by admins (compare with https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in)
-       ]]></notes>
-       <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
-       <vulnerabilityName>CVE-2022-1471</vulnerabilityName>
-    </suppress>
 </suppressions>

pom.xml

@@ -114,7 +114,7 @@
             <dependency>
                 <groupId>org.yaml</groupId>
                 <artifactId>snakeyaml</artifactId>
-                <version>1.32</version>
+                <version>2.2</version>
             </dependency>
             <!-- due to https://bugs.openjdk.java.net/browse/JDK-8231581 OOTB JRE is not sufficient -->
             <dependency>
@@ -434,6 +434,11 @@
                         <skip>true</skip><!-- only enable in specific submodules -->
                     </configuration>
                 </plugin>
+                <plugin>
+                    <groupId>org.jacoco</groupId>
+                    <artifactId>jacoco-maven-plugin</artifactId>
+                    <version>0.8.8</version>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>
@@ -671,7 +676,6 @@
                     <plugin>
                         <groupId>org.jacoco</groupId>
                         <artifactId>jacoco-maven-plugin</artifactId>
-                        <version>0.8.8</version>
                         <executions>
                             <execution>
                                 <id>prepare-agent</id>