[fix][sec] Update dependencies to use snakeyaml 2.0

[eugene-cheverda]

Fixes #20224

Motivation

Fixes https://avd.aquasec.com/nvd/cve-2022-1471 caused by snakeyaml by updating all dependencies bringing it into the project

Modifications

Updated jackson and prometheus dependencies, updated code to use non-deprecated EnumResolver functions

Verifying this change

• Make sure that the change passes the CI checks.

This change is already covered by existing tests, such as FieldParserTest.

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

• Dependencies (add or upgrade a dependency)
• The public API
• The schema
• The default values of configurations
• The threading model
• The binary protocol
• The REST endpoints
• The admin CLI options
• The metrics
• Anything that affects deployment

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

Matching PR in forked repository

PR in forked repository: eugene-cheverda#1

[mattisonchao]

There's a corner regression by Jackson 2.15. It will affect our json schema. We will need to talk about it this in the dev mail list.
FasterXML/jackson-databind#3874

[mattisonchao]

@codelipenghui @Technoboy- @lhotari @michaeljmarshall @tisonkun would you mind taking a look?

[eugene-cheverda]

There's a corner regression by Jackson 2.15. It will affect our json schema. We will need to talk about it this in the dev mail list. FasterXML/jackson-databind#3874

@mattisonchao So is my understanding correct that wherever @JsonIgnore is used with private transient fields we need to make sure that they're not getting serialized with 2.15.0?

UPD: please see 12f5421
I made a search over private transient fields with @JsonIgnore attribute and added tests to verify they're not present in serialized output. Please let me know if it's a right direction.

[eugene-cheverda]

Here's the gist, for future discussion, that reproduces regression for regular class, lombok.Data annotated class and lombok.Value annotated class https://gist.github.com/eugene-cheverda/e3370304895ada1048fc210d0261d853

[eugene-cheverda]

Regression changes behavior in the following cases:

1. For regular class, @Data annotated the following definition of json property is not serialized in 2.14.2, gets serialized in 2.15.0:

@JsonIgnore
private transient String field4;

public String getField4() {
    return field4;
}

public void setField4(String field4) {
    this.field4 = field4;
}

2. For @Value annotated class the following definitions of json property are not serialized in 2.14.2, get serialized in 2.15.0:

@JsonIgnore
private transient String field3;

@JsonIgnore
private transient String field4;

public String getField4() {
    return field4;
}

The most notable discrepancy in behavior between @Data and @Value annotated classes. The following property will be excluded for @Data and will be included in @Value class:

@JsonIgnore
private transient String field3;

i.e. for @Data annotated class @JsonIgnore is being propagated to the generated property, for @Value class it is not.

Speaking about usages of @JsonIgnore and private transient field in pulsar code, please see the list below:

• pulsar/pulsar-common/src/main/java/org/apache/pulsar/client/impl/schema/SchemaInfoImpl.java

  Line 73 in e956db7

  private transient SchemaHash schemaHash;

• pulsar/pulsar-client/src/main/java/org/apache/pulsar/client/impl/conf/ClientConfigurationData.java

  Line 62 in e956db7

  private transient ServiceUrlProvider serviceUrlProvider;

• pulsar/pulsar-client/src/main/java/org/apache/pulsar/client/impl/conf/ProducerConfigurationData.java

  Line 177 in e956db7

  private transient MessageCrypto messageCrypto = null;

• pulsar/pulsar-client/src/main/java/org/apache/pulsar/client/impl/conf/ConsumerConfigurationData.java

  Line 255 in e956db7

  private transient MessageCrypto messageCrypto = null;

• pulsar/pulsar-client/src/main/java/org/apache/pulsar/client/impl/conf/ConsumerConfigurationData.java

  Line 386 in e956db7

  private transient KeySharedPolicy keySharedPolicy;

• pulsar/pulsar-client/src/main/java/org/apache/pulsar/client/impl/conf/ConsumerConfigurationData.java

  Line 395 in e956db7

  private transient MessagePayloadProcessor payloadProcessor = null;

All of the above occurrences are in @Data annotated classes, hence the behavior matches to the one in 2.14.2, the absence of mentioned properties is covered in tests in PR

If this PR gets approved/merged, I'll cherry-pick additional changes into PR agains branch-3.0

[eugene-cheverda]

Hi @mattisonchao did you have a chance to discuss this in dev mail group? TIA

[tisonkun]

I remember that the client doesn't use snakeyaml actually. Maybe you can try exclude the dependency from shaded result so we get rid of all these things.

[github-actions]

The pr had no activity for 30 days, mark with Stale label.

[tisonkun]

Resolved by #20085.

[github-actions]

The pr had no activity for 30 days, mark with Stale label.

[lhotari]

already resolved with #20085