Hello all,
I use Karaf's feature processing to blacklist bundles. For example, I use
this capability to exclude the cxf bundle cxf-rt-rs-service-description in
a custom karaf distribution.

> <?xml version="1.0" encoding="UTF-8"?>
> <featuresProcessing xmlns="http://karaf.apache.org/xmlns/features-processing/v1.0.0"
>                     xmlns:f="http://karaf.apache.org/xmlns/features/v1.6.0">
>
>     <blacklistedBundles>
>         <bundle>mvn:org.apache.cxf/cxf-rt-rs-service-description</bundle>
>     </blacklistedBundles>
>
> </featuresProcessing>
>

Best regards,
João
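As an added illustration (not part of João's message, nor a file shipped by Karaf or CXF), the same features-processing file extended for the snakeyaml case raised further down in the thread: the bundle is swapped for the 2.0 artifact wherever a feature references it, without editing the CXF feature files themselves. The file location and the exact bundle URI that the CXF feature uses are assumptions to be verified in the target container.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: etc/org.apache.karaf.features.xml in a Karaf 4.2.x
     distribution. Assumed original URI: mvn:org.yaml/snakeyaml/1.33
     (confirm with feature:info on the CXF feature, or bundle:list -t 0). -->
<featuresProcessing xmlns="http://karaf.apache.org/xmlns/features-processing/v1.0.0"
                    xmlns:f="http://karaf.apache.org/xmlns/features/v1.6.0">

    <!-- Bundles dropped from every feature that references them. If no
         code in the distribution parses YAML, listing
         mvn:org.yaml/snakeyaml/1.33 here instead of replacing it below
         removes the vulnerable class path entirely. -->
    <blacklistedBundles>
        <bundle>mvn:org.apache.cxf/cxf-rt-rs-service-description</bundle>
    </blacklistedBundles>

    <!-- Artifact substitution applied during feature resolution: the
         original URI is installed as the replacement. mode selects the
         version-range syntax (osgi or maven) used to match originalUri;
         with an exact version both behave the same. Swapping the jar does
         not make callers compatible with the 2.0 API, so the consumer
         (here the CXF JSON/YAML provider) still needs to be checked. -->
    <bundleReplacements>
        <bundle originalUri="mvn:org.yaml/snakeyaml/1.33"
                replacement="mvn:org.yaml/snakeyaml/2.0"
                mode="maven"/>
    </bundleReplacements>

</featuresProcessing>
```

After a restart, `bundle:list -t 0` in the Karaf shell should show snakeyaml at 2.0 (or absent, if blacklisted); a 1.33 entry still present means the feature references the bundle under a different URI than the one assumed above.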




On Wed, Apr 16, 2025 at 10:20 PM Matt Pavlovich <mattr...@apache.org> wrote:

> Hi Jose-
>
> Yes, you would need to update the feature file (or other deployment
> approach) that references that and override it there. If your project does
> not use snakeyaml, you may be able to safely remove it.  Snakeyaml is most
> likely being pulled in by the JSON support features cxf-jaxrs-jackson (or
> similar).
>
> Keep in mind, newer patched dependency libraries are starting to require
> JDK 11 (and possibly JDK 17, since JDK 11 is also nearing end-of-life). You
> are probably starting down a path that involves more than upgrading just
> the single snakeyaml library.
>
> Thanks
> Matt Pavlovich
>
> On Apr 16, 2025, at 1:34 PM, jose.garn...@toshibagcs.com wrote:
>
> Karaf folks,
>
> We have a project with Karaf 4.2.16 and Java 8. The project uses the CXF
> features, and it looks like this is including snakeyaml 1.33; we want to
> remove or upgrade it to avoid getting the CVE-2022-1471 vulnerability.
>
>
> Is there a way in Karaf to solve this?
>
>
> Just FYI, this is the library
> <!-- https://mvnrepository.com/artifact/org.yaml/snakeyaml -->
> <dependency>
>     <groupId>org.yaml</groupId>
>     <artifactId>snakeyaml</artifactId>
>     <version>2.0</version>
> </dependency>
>
>
>
