https://nvd.nist.gov/vuln/detail/CVE-2022-1471 has a NIST base score of "9.8 CRITICAL" and says:
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
SnakeYaml doesn't plan to release a SnakeYaml version that by default uses SafeConstructor.
So we need to manually check each SnakeYaml use.
This is vulnerable:
new Yaml()
This is not vulnerable:
new Yaml(new SafeConstructor())
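The difference between the two constructions, as an added example that is not part of the original issue or of any FOLIO module: a Yaml built with SafeConstructor still parses ordinary configuration YAML but refuses a document whose global tag names a Java class, which is exactly the path the default Constructor would follow. It assumes SnakeYaml 1.x, where the no-argument SafeConstructor() shown above exists; the two YAML strings are constructed samples.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlCheck {

    // Constructed sample: plain configuration YAML without any tags.
    static final String CONFIG_YAML =
        "db:\n" +
        "  host: localhost\n" +
        "  port: 5432\n";

    // Constructed sample: a document carrying a global (!!) tag that names a
    // JDK class. The default Constructor would instantiate that class;
    // SafeConstructor only knows the standard YAML types and throws instead.
    static final String TAGGED_YAML = "created: !!java.util.Date {}\n";

    // The non-vulnerable construction from the issue text.
    static Yaml safeYaml() {
        return new Yaml(new SafeConstructor());
    }

    // Ordinary config still loads as nested maps of standard types.
    static int configuredPort() {
        Map<String, Object> root = safeYaml().load(CONFIG_YAML);
        @SuppressWarnings("unchecked")
        Map<String, Object> db = (Map<String, Object>) root.get("db");
        return (Integer) db.get("port");
    }

    // Tagged input is rejected with a ConstructorException (a YAMLException)
    // saying it could not determine a constructor for the tag.
    static boolean rejectsTaggedInput() {
        try {
            safeYaml().load(TAGGED_YAML);
            return false;
        } catch (YAMLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("port = " + configuredPort());              // 5432
        System.out.println("tag rejected = " + rejectsTaggedInput());  // true
    }
}
```

Replacing safeYaml() with new Yaml() makes the second call succeed, which is the behaviour CVE-2022-1471 describes; a unit test of this shape is a cheap guard that a module does not regress to the default Constructor.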
Searching for "new yaml" in folio-org:
https://github.com/search?q=org%3Afolio-org+%22new+yaml%22&type=code
Use of SnakeYaml in dependencies:
- vertx-conf/vertx-conf-yaml has been fixed since Vert.x 4.3.4
- vertx-web has been fixed since Vert.x 4.3.4
- Spring Framework has been fixed since spring-framework 5.3.4
- Spring Boot has been fixed since spring boot 2.1.15.RELEASE
If SnakeYaml is only used to parse a hard-coded YAML file, such as a configuration file from the git repository, then the vulnerability is not exploitable.
If Snyk reports "org.yaml:snakeyaml - Arbitrary Code Execution - CVE-2022-1471", investigate as explained above. Set the report to "Ignore" if the FOLIO code is not vulnerable.