
Conversation

@ZachChuba (Contributor)

Bumping the version of the shaded snakeyaml jar in core from 1.33 to 2.2, as 1.33 is flagged with CVE-2022-1471.

I have read the PR note on raising them just for dependency upgrades, but there have been two new releases since this issue was raised 30 days ago and the version has not changed, making me suspect dependabot is missing this.

This addresses issue #9289

@ZachChuba ZachChuba requested a review from a team October 25, 2024 18:55
@eddumelendez (Member)

Hi, I am pretty sure you also read my comment #9289 (comment)

@eddumelendez (Member)

Reopening because snakeyaml is a shaded dependency.

@eddumelendez (Member)

This snakeyaml version is not compatible with the current jackson version.

@ZachChuba (Contributor, Author)

I would recommend upgrading the jackson version, as both this and the current jackson version have critical-level security vulnerabilities and should be updated... will look into the specific version to bump.

@ZachChuba (Contributor, Author)

Upgrading the whole jackson suite to version 2.15.4 would alleviate these vulnerabilities and be compatible with snakeyaml 2.x. However, it appears this shouldn't be changed for backwards compatibility. These severe vulnerabilities will essentially forbid the use of Testcontainers in enterprises with Sonatype Lifecycle scanning or other security guards.

    // https://youtu.be/otCpCn0l4Wo
    // The core module depends on jackson-databind 2.8.x for backward compatibility.
    // Any >2.8 version here is not compatible with jackson-databind 2.8.x.

@github-actions github-actions bot added the github_actions label (Pull requests that update Github_actions code) Jan 28, 2025
@eddumelendez (Member)

We are planning to update dependencies in the next months. Is there any proof that the CVEs are not false positives for our usage?
