Change yaml parser to org.snakeyaml:snakeyaml-engine

[NAJ10]

The existing snakeyaml library is listed as vulnerable to security vulnerabilities because it allows create of arbitrary java objects which could lead to remote code execution. org.snakeyaml:snakeyaml-engine seems to be a follow on from the existing snakeyaml library from the same developers but is able to parse YAML 1.2. Please could you consider using snakeyaml-engine to help developers working in organisations where automated security scanning for vulnerable dependencies causes friction between in house security teams and ordinary developers who happen to pull in uap-java as a dependency.

[NAJ10]

This will also address #68

[bpossolo]

At first I was hoping the snakeyaml maintainers would address the issue in their library but I read through their issue/conversation and, apparently, it's very controversial...

I'll check out snakeyaml-engine and see how complicated it is to swap over.

[thomasdarimont]

How about simply removing the dependency to snakeyaml?

The regex format file regexes.yaml is quite simple and could be parsed by a small handwritten parser that just turns the yaml into a ``Map<String,List<Map<String,String>>>`

[bpossolo]

I'd prefer to avoid writing a custom yaml parser

[aminadinari19]

Hi! There is a new version of snakeyaml (2.0) which seems to be free of vulnerabilities. Do you plan to upgrade to that?

[jmini]

I have opened a PR to update to version 2.0 of the regular snakeyaml: #82

I agree with the discussion here, snakeyaml-engine might be a good fit for this library:
https://bitbucket.org/snakeyaml/snakeyaml-engine/wiki/Home

[jmini]

I think it is even better to remove the need to have any YAML parsing at runtime.

So I have opened a PR for that: #83

[bpossolo]

I'm pleased to announce version 1.6.1 has been released to Maven Central and the security vulnerability has been addressed.

see here for what's changed
https://github.com/ua-parser/uap-java/releases/tag/v1.6.1