The art of simplicity is a puzzle of complexity.
If you are here because of a vulnerability report, please be aware that it is most probably a false positive.
When you use SnakeYAML to load your own application configuration, you are totally safe.
- Go to the issue tracker of your low-quality tooling and file a bug report about the false positive. You will be impressed by the number of such bugs already filed and ignored (that is what makes the tool low quality: the bugs are filed but ignored). The large number of existing reports should not stop you; the maintainers must be made aware of the stream of false positives they produce.
- Go to your manager or security specialist and present this information. If you pay for the low-quality tooling, they cannot leave it unattended.
- Develop further and be happy!
YAML is a data serialization format designed for human readability and interaction with scripting languages.
SnakeYAML is a YAML 1.1 processor for the Java Virtual Machine version 8+. For YAML 1.2 (which is a superset of JSON) you may have a look at SnakeYAML Engine.
- a complete YAML 1.1 processor. (If you need YAML 1.2 support, have a look here.) In particular, SnakeYAML can parse all examples from the specification.
- Unicode support including UTF-8/UTF-16 input/output.
- high-level API for serializing and deserializing native Java objects.
- support for all types from the YAML types repository.
- relatively sensible error messages.
- when you plan to feed the parser untrusted data, please study the settings that allow you to restrict the incoming data.
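An added illustration of those restriction settings (example code written for this page, not part of the SnakeYAML project): untrusted input is parsed with SafeConstructor, which only builds standard YAML types, and with LoaderOptions limits on document size, alias expansion and nesting. It assumes a recent SnakeYAML (1.33 or 2.x) on the classpath; the limit values and both sample documents are constructed for the demonstration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class RestrictedYamlLoader {

    // Build a loader for documents that come from outside the application:
    // SafeConstructor produces only maps, lists and scalars, and the
    // LoaderOptions limits bound the work a hostile document can cause.
    static Yaml untrustedLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(64 * 1024);    // reject documents larger than 64 KiB (assumed limit)
        opts.setMaxAliasesForCollections(50); // cap alias expansion in collections
        opts.setNestingDepthLimit(20);        // cap nesting depth (assumed limit)
        opts.setAllowRecursiveKeys(false);    // no self-referencing keys
        opts.setAllowDuplicateKeys(false);    // duplicate keys are an error, not a silent override
        return new Yaml(new SafeConstructor(opts));
    }

    // Parse a document into a map; returns null when SnakeYAML rejects it
    // or when the top-level value is not a mapping.
    static Map<String, Object> loadSettings(Yaml yaml, String document) {
        try {
            Object parsed = yaml.load(document);
            if (parsed instanceof Map) {
                @SuppressWarnings("unchecked")
                Map<String, Object> map = (Map<String, Object>) parsed;
                return map;
            }
            return null;
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = untrustedLoader();

        // Constructed sample: plain configuration, accepted as a map.
        String plain = "name: demo\nport: 8080\nfeatures: [a, b]\n";
        System.out.println(loadSettings(yaml, plain));

        // Constructed sample: a global tag naming an arbitrary (placeholder) class.
        // SafeConstructor has no constructor registered for such tags and throws,
        // so no application class is ever instantiated from the input.
        String tagged = "handler: !!com.example.Placeholder {}\n";
        System.out.println(loadSettings(yaml, tagged));
    }
}
```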
- Git is now used to manage the source code.
- If you find a bug in SnakeYAML, please file a bug report.
- You may discuss SnakeYAML at the mailing list.
- Slack workspace
- The Telegram group has been removed because of spam.
- YAML community