
Upgrade to SnakeYaml 2.2 and use SafeConstructor to mitigate CVE-2022-1471


It seems that passing SafeConstructor to Yaml instances makes them safe with respect to this particular CVE, even in 1.x versions. The only problem with just using SafeConstructor is that the 1.x versions will still be flagged for the CVE, and scanners will not ignore that, so the version upgrade is also necessary.

Note that 2.0 changes the default behaviour of Yaml so that a plain `new Yaml()` no longer instantiates arbitrary Java classes named by global tags (the same effect as using SafeConstructor), so after upgrading the library no code changes to Yaml construction should be needed unless you have already been dealing with custom Java classes in your use case. Also note that 2.0 makes LoaderOptions a required argument of Constructor and SafeConstructor, so code that passes SafeConstructor explicitly needs that one-line change when upgrading.
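The following is an added illustration written for this ticket, not code from SnakeYAML or from this project, of the two loading paths against the 2.x API: a Constructor that honours global tags versus a SafeConstructor that rejects them, plus loadAs for the case where a specific class really is wanted. The document, the class name com.example.Config and the project layout are assumptions for the demo; the Maven coordinate in the comment is the real 2.2 artifact.

```java
// Assumes dependency org.yaml:snakeyaml:2.2 on the classpath.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlSafeLoading {

    // Constructed input for the demo: a global tag lets the document, rather than
    // the application, choose which Java class gets instantiated. com.example.Config
    // is an assumed class; in a real attack this would be a gadget class instead.
    static final String UNTRUSTED = "!!com.example.Config {name: demo}";

    // Unsafe pattern. In 1.x this is what the default Yaml() did (CVE-2022-1471).
    // In 2.x the default TagInspector already rejects global tags, so this is only
    // reachable again by installing a permissive TagInspector, as done here to
    // show the behaviour (demo assumption, never do this on untrusted input).
    static Object loadUnsafe(String doc) {
        LoaderOptions opts = new LoaderOptions();
        opts.setTagInspector(tag -> true); // allow every global tag
        Yaml yaml = new Yaml(new Constructor(opts));
        return yaml.load(doc); // instantiates whatever class the tag names
    }

    // Safe pattern for untrusted input. SafeConstructor only builds the standard
    // YAML types (maps, lists, scalars) and throws on any global tag. Note that
    // 2.x requires the LoaderOptions argument that 1.x did not.
    static Object loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    // When the application needs a specific bean, name that class in code and
    // pin it as the root type; the document then cannot pick a different class.
    static <T> T loadAsType(String doc, Class<T> type) {
        Yaml yaml = new Yaml(new Constructor(type, new LoaderOptions()));
        return yaml.loadAs(doc, type);
    }

    public static void main(String[] args) {
        try {
            loadSafe(UNTRUSTED);
            System.out.println("unexpected: global tag was accepted");
        } catch (YAMLException e) {
            // Expected with SafeConstructor: a ConstructorException for the tag.
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }
    }
}
```

A quick regression check after the upgrade is to feed a document carrying a global tag through every Yaml instance the code base creates and confirm each one throws rather than returning an object; the same input run through loadAsType with an explicit bean class should still succeed, since that path does not depend on the tag.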

Edited by Tuukka Lehtonen