From c39e5a7d9709f59c3fdbb5e69ae189dd06f9f054 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 10 Jul 2025 16:54:00 +0100 Subject: [PATCH 1/2] Update qhelp: SnakeYaml is safe from version 2.0 --- java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp index 087a873dfc77..8d76255fc733 100644 --- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp +++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp @@ -64,8 +64,8 @@ Recommendations specific to particular frameworks supported by this query:

SnakeYAML - org.yaml:snakeyaml

XML Decoder - Standard Java Library
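Review bot: the hunk header says this edits the framework-specific recommendations at line 64, but the version boundary named in the commit subject ("safe from version 2.0") is not visible in the context lines for the SnakeYAML entry; please make sure the qhelp text itself states which SnakeYAML versions the recommendation applies to, so that readers on a pre-2.0 release understand the advice still applies to them and readers on 2.0 or later know why the default is considered safe. Also note the framework heading spells it "SnakeYAML" while the commit subject uses "SnakeYaml"; keep one spelling in the file.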

From 9ef22fff8ead1738b78e820ba7313884dd38e6d0 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 15 Jul 2025 15:27:01 +0100 Subject: [PATCH 2/2] Update SnakeYaml reference to note that it is outdated --- java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp index 8d76255fc733..bf7205d535ff 100644 --- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp +++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp @@ -121,7 +121,7 @@ Alvaro Muñoz & Christian Schneider, RSAConference 2016:
  • SnakeYaml documentation on deserialization: -SnakeYaml deserialization. +SnakeYaml deserialization (not updated for new behaviour in version 2.0).
  • Hessian deserialization and related gadget chains:
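Review bot: the parenthetical added in this hunk, "(not updated for new behaviour in version 2.0)", tells the reader the linked documentation is stale but not in what way; since this is the reference list readers follow to implement the fix, either say briefly that the page describes the pre-2.0 defaults, or add a second reference that covers the 2.0 behaviour next to it. The entry also spells the library "SnakeYaml" while the framework list earlier in the same file uses "SnakeYAML"; pick one.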