From ff9a1eb061ed5d5b8428103ab586dfdf961a7735 Mon Sep 17 00:00:00 2001
From: Patrick Doyle <810052+prdoyle@users.noreply.github.com>
Date: Wed, 22 Jan 2025 08:20:38 -0500
Subject: [PATCH] Exclude (unused) snakeyaml dependency (#120553)

* Exclude (unused) snakeyaml dependency
* Explanatory comment and CVE link
---
 x-pack/snapshot-tool/build.gradle | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/x-pack/snapshot-tool/build.gradle b/x-pack/snapshot-tool/build.gradle
index 3bd4c2f617a36..b24260726dadd 100644
--- a/x-pack/snapshot-tool/build.gradle
+++ b/x-pack/snapshot-tool/build.gradle
@@ -70,6 +70,10 @@ dependencies {
 api 'javax.xml.bind:jaxb-api:2.2.2'
 }
 
+configurations.configureEach {
+ exclude group: 'org.yaml', module: 'snakeyaml' // Avoid CVE: https://nvd.nist.gov/vuln/detail/cve-2022-1471
+}
+
 tasks.named("dependencyLicenses").configure {
 mapping from: /aws-java-sdk-.*/, to: 'aws-java-sdk'
 mapping from: /jmespath-java.*/, to: 'aws-java-sdk'
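Review bot: The exclusion added in `configurations.configureEach` rests on snakeyaml being unused, but nothing in the hunk records which dependency brings it in or how that was checked, so a later dependency that does parse YAML would fail only at runtime with a missing class. The trailing comment could carry that, e.g. `// snakeyaml arrives transitively via <dependency> and is never loaded by this tool; excluded to keep CVE-2022-1471 off the classpath`. Because the block applies to every configuration, test and tooling classpaths lose the module too, which looks intended but is worth stating. If YAML parsing is ever needed here, the exclude should be replaced by a constraint on a snakeyaml release that fixes the CVE rather than simply removed.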