@mgaffigan
Contributor

Closes #189 by adding missing dependency of a dependency.

Example after:

GET https://localhost:8443/api/openapi.yaml HTTP/1.1
X-Requested-With: example
User-Agent: Fiddler
Host: 10.200.38.176:8443

HTTP/1.1 200 OK
Date: Sun, 19 Oct 2025 21:21:19 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Methods: GET, POST, DELETE, PUT
Access-Control-Allow-Headers: Content-Type
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: application/yaml
Content-Length: 366861

openapi: 3.0.1
info:
  title: Open Integration Engine Client API
  description: Swagger documentation for the Open Integration Engine Client API.
  version: 4.5.2
servers:
- url: /api
paths:
  /connectors/doc/_testWrite:
    post:
      tags:
      - Connector Services
      summary: Tests whether a file can be written to the specified directory.
      operationId: testWrite
      parameters:
      - name: channelId
        in: query
...

jonbartels previously approved these changes Oct 22, 2025
Member

@tonygermano tonygermano left a comment

sha1sum of the file matches that found at https://repo1.maven.org/maven2/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar.sha1

Is it possible to flesh out the commit message a bit and note that it is satisfying a dependency of jackson-dataformat-yaml-2.14.3.jar? I also find it helpful to add a trailer to the message referring to the issue along with the sign-off trailer, e.g., 5ff9715

I see that the pom file for jackson-dataformat-yaml-2.14.3.jar specifically requests version 1.33 of snakeyaml, but it has a "High" level CVE. Checking the changelog it appears there are minimal backward incompatible changes between 1.33 and the most recent version. Should we check to see if the most recent version of this library will work as a drop-in replacement to avoid introducing a library with a known vulnerability?
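The checksum comparison described in the review comment above, written as a small script. This is an added example, not part of the PR or the project's build; the helper names and the stand-in files are illustrative assumptions.

```shell
#!/bin/sh
# Added example: check a vendored jar against a published Maven-style .sha1 file.
# Helper names and file paths are assumptions made for illustration.

# Print the digest stored in a checksum file. Repositories publish either the
# bare 40-hex digest or "digest  filename"; accept both and reject anything
# else (for example an HTML error page saved in place of the checksum).
read_expected_sha1() {
    token=$(head -n 1 "$1" | tr -d '\r' | awk '{print $1}' | tr 'A-F' 'a-f')
    case "$token" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#token}" -eq 40 ] || return 1
    printf '%s\n' "$token"
}

# Exit status: 0 = digest matches, 1 = mismatch,
# 2 = unusable input (missing file or malformed checksum file).
verify_jar_sha1() {
    jar=$1
    sumfile=$2
    [ -f "$jar" ] && [ -f "$sumfile" ] || return 2
    expected=$(read_expected_sha1 "$sumfile") || return 2
    actual=$(sha1sum "$jar" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in file and its checksum, not the real artifact.
demo=$(mktemp -d)
printf 'stand-in jar bytes\n' > "$demo/lib.jar"
sha1sum "$demo/lib.jar" | awk '{print $1}' > "$demo/lib.jar.sha1"
verify_jar_sha1 "$demo/lib.jar" "$demo/lib.jar.sha1" && echo "checksum OK"
rm -rf "$demo"
```

A malformed checksum file returns a status distinct from a mismatch, so a failed download of the `.sha1` file is not mistaken for a tampered jar or silently passed.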

@kpalang
Contributor

kpalang commented Nov 3, 2025

I like @tonygermano's idea of trying to avoid introducing a dependency with a known vulnerability.

@mgaffigan
Contributor Author

Latest version fails with:

<java.lang.NoSuchMethodError>
  <detailMessage>&apos;void com.fasterxml.jackson.core.base.GeneratorBase.&lt;init&gt;(int, com.fasterxml.jackson.core.ObjectCodec, com.fasterxml.jackson.core.io.IOContext)&apos;</detailMessage>
  <stackTrace>
    <trace>com.fasterxml.jackson.dataformat.yaml.YAMLGenerator.&lt;init&gt;(YAMLGenerator.java:299)</trace>
    <trace>com.fasterxml.jackson.dataformat.yaml.YAMLFactory._createGenerator(YAMLFactory.java:533)</trace>
    <trace>com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createGenerator(YAMLFactory.java:482)</trace>
    <trace>com.fasterxml.jackson.dataformat.yaml.YAMLFactory.createGenerator(YAMLFactory.java:15)</trace>
    <trace>com.fasterxml.jackson.databind.ObjectMapper.createGenerator(ObjectMapper.java:1215)</trace>
    <trace>com.fasterxml.jackson.databind.ObjectMapper.writeValueAsString(ObjectMapper.java:3869)</trace>
    <trace>io.swagger.v3.jaxrs2.integration.resources.BaseOpenApiResource.getOpenApi(BaseOpenApiResource.java:74)</trace>
    <trace>io.swagger.v3.jaxrs2.integration.resources.OpenApiResource.getOpenApi(OpenApiResource.java:32)</trace>
    <trace>java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)</trace>
    <trace>java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)</trace>
    <trace>java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</trace>
    <trace>java.base/java.lang.reflect.Method.invoke(Method.java:569)</trace>
    <trace>com.mirth.connect.server.api.providers.MirthResourceInvocationHandlerProvider$1.invoke(MirthResourceInvocationHandlerProvider.java:219)</trace>
    <trace>org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144)</trace>
    <trace>org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161)</trace>
    <trace>org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:160)</trace>
    <trace>org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99)</trace>
    <trace>org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389)</trace>
    <trace>org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347)</trace>
    <trace>org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102)</trace>
    <trace>org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326)</trace>
    <trace>org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)</trace>
    <trace>org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)</trace>
    <trace>org.glassfish.jersey.internal.Errors.process(Errors.java:315)</trace>
    <trace>org.glassfish.jersey.internal.Errors.process(Errors.java:297)</trace>
    <trace>org.glassfish.jersey.internal.Errors.process(Errors.java:267)</trace>
    <trace>org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)</trace>
    <trace>org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305)</trace>
    <trace>org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154)</trace>
    <trace>org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:471)</trace>
    <trace>org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:425)</trace>
    <trace>org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:383)</trace>
    <trace>org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:336)</trace>
    <trace>org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:223)</trace>
    <trace>org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)</trace>
    <trace>org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656)</trace>
    <trace>com.mirth.connect.server.api.providers.StrictTransportSecurityFilter.doFilter(StrictTransportSecurityFilter.java:33)</trace>
    <trace>org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)</trace>
    <trace>org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)</trace>
    <trace>com.mirth.connect.server.MethodFilter.doFilter(MethodFilter.java:37)</trace>
    <trace>org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)</trace>
    <trace>org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)</trace>
    <trace>com.mirth.connect.server.api.providers.RequestedWithFilter.doFilter(RequestedWithFilter.java:53)</trace>
    <trace>org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)</trace>
    <trace>org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)</trace>
    <trace>com.mirth.connect.server.api.providers.ClickjackingFilter.doFilter(ClickjackingFilter.java:45)</trace>
    <trace>org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)</trace>
    <trace>org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)</trace>
    <trace>com.mirth.connect.server.api.providers.ApiOriginFilter.doFilter(ApiOriginFilter.java:71)</trace>
    <trace>org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)</trace>
    <trace>org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)</trace>
    <trace>org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)</trace>
    <trace>org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)</trace>
    <trace>org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)</trace>
    <trace>org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)</trace>
    <trace>org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)</trace>
    <trace>org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)</trace>
    <trace>org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)</trace>
    <trace>org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)</trace>
    <trace>org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)</trace>
    <trace>org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)</trace>
    <trace>org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)</trace>
    <trace>org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)</trace>
    <trace>org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)</trace>
    <trace>org.eclipse.jetty.server.Server.handle(Server.java:516)</trace>
    <trace>org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)</trace>
    <trace>org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)</trace>
    <trace>org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)</trace>
    <trace>org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)</trace>
    <trace>org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)</trace>
    <trace>org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)</trace>
    <trace>org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)</trace>
    <trace>org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)</trace>
    <trace>org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)</trace>
    <trace>org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)</trace>
    <trace>org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)</trace>
    <trace>org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)</trace>
    <trace>org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)</trace>
    <trace>org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)</trace>
    <trace>org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)</trace>
    <trace>org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)</trace>
    <trace>org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)</trace>
    <trace>org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)</trace>
    <trace>java.base/java.lang.Thread.run(Thread.java:840)</trace>
  </stackTrace>
  <suppressedExceptions class="empty-list"/>

@tonygermano
Member

> Latest version fails with:
>
> <java.lang.NoSuchMethodError>

@mgaffigan How did you test? I just tried dropping snakeyaml-2.5.jar into the current main branch, and when I pulled https://localhost:8443/api/openapi.yaml it returned yaml with no java errors.

@mgaffigan
Contributor Author

> How did you test?

The same as you describe, but it gave the above. Perhaps 146 updated a dependency.

@mgaffigan
Contributor Author

@tonygermano, after rebasing to main, I agree the error is not present with 2.5. Updated version and commit message.

@tonygermano tonygermano requested review from a team, gibson9583, kayyagari, kpalang and pacmano1 and removed request for a team November 29, 2025 21:31
@ssrowe ssrowe self-requested a review December 2, 2025 03:46
Adds missing dependency of jackson-dataformat-yaml-2.14.3.jar which is
required to serialize the OpenAPI YAML file.

Issue: OpenIntegrationEngine#189
Signed-off-by: Mitch Gaffigan <mitch.gaffigan@comcast.net>
@jonbartels jonbartels merged commit 8f103d6 into OpenIntegrationEngine:main Dec 4, 2025
2 checks passed
Successfully merging this pull request may close these issues.

[BUG] OpenAPI YAML endpoint is broken