Summary

Remediates CVE-2022-1471 (Critical) — SnakeYAML ≤ 1.33 allows arbitrary class instantiation via the default Constructor, enabling deserialization RCE when new Yaml() is used on untrusted input.

Fix: Add a <dependencyManagement> entry to the root pom.xml pinning org.yaml:snakeyaml to 2.2. In 2.x the safe constructor is the default, so forcing the transitive version pulled by Spring Boot to 2.2 mitigates the vulnerability.

Code scan: grep -rn 'org.yaml.snakeyaml' src/ returned no matches — the app does not directly construct new Yaml(), so the version pin alone is sufficient (no SafeConstructor swap needed).

Dependency-tree verification

$ mvn -DskipTests -B dependency:tree -Dincludes=org.yaml:snakeyaml
[INFO] com.example:bankapp:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-security:jar:3.3.3:compile
[INFO]    \- org.springframework.boot:spring-boot-starter:jar:3.3.3:compile
[INFO]       \- org.yaml:snakeyaml:jar:2.2:compile

Review & Testing Checklist for Human

• Base branch: This PR targets DevOps (the repo's default branch). The parent task spec requested main, but no main branch exists on this repo — please confirm DevOps is the intended target, or re-target if a main branch should be created.
• Confirm Spring Boot 3.3.3 has no compatibility issues with the forced snakeyaml 2.2 override in your environment (Spring Boot 3.3.x ships snakeyaml 2.2 by default, so this should be a no-op in practice).
• Run mvn -DskipTests -B dependency:tree -Dincludes=org.yaml:snakeyaml locally to reproduce the resolution.

Notes

• Scope limited strictly to pom.xml per finding; no changes to Jackson, Spring Boot parent, or JWT config (handled by sibling sessions).
• Spawned by parent orchestrator session for Northern Trust demo (2026-04-23).

Link to Devin session: https://app.devin.ai/sessions/14a13554816f40e5a87ae530a1149df8
Requested by: @achalc