DuckYAML

Convert your Spring .yml configuration to .properties files and get rid of SnakeYAML.

What the duck is this about?

This is a simple Python script that is designed to generate .properties files from an existing .yml file.

Since this process involves removing SnakeYAML, make sure your application does not directly use SnakeYAML.
It will generate separate files for each profile named application-{profile}.properties.
Shared properties are saved to application.properties file.
This is tested for a single application.yml file with multiple profiles.

Background

Spring uses SnakeYAML to parse configuration stored in the .yml file. Despite being a mature library, SnakeYAML has a track record of having vulnerabilities since its inception on 2009 -- checkout it out on mvnrepository! Even the recent versions (>= 1.32) have critical vulnerability (CVE-1471). In an enterprise setting, you application could be marked as vulnerable because of this.

However, it doesn't have to be that way. Spring doesn't really need SnakeYAML if .properties files are used instead. This is where the library comes handy. It automatically creates .properties files based on your current application.yaml file.

Steps to use

Make sure you have Python3 Installed.

Clone this repo to a safe directory.
cd DuckYAML
Install dependencies using: pip3 install -r requirements.txt.
Place your application.yml file under input directory.
Run the command as python3 main.py.
Check output directory to see your .properties files.
Copy the properties files to your applications src/main/resources directory.
Follow the SnakeYAML Removal Process below.

Folders after script run

SnakeYAML Removal Process

Run mvn dependency:tree and see any snakeyaml transitive dependency. It should be under spring-boot-starter.
Exclude snakeyaml using maven exclusion.
Repeat step 1 and 2 until you don't see snakeyaml in the dependency tree.
Run the application to ensure its functional.

Excluding snakeyaml Dependency