{
  "root_cause_equivalence": {
    "parent_cause": "KustomizationFileReader.convert parses attacker-controlled kustomization.yaml with SnakeYAML general Constructor(Kustomization.class), which honors arbitrary YAML tags and instantiates attacker-chosen Java objects (RCE).",
    "variant_cause": "Identical sink: POST /api/v2/manifest/bake/KUSTOMIZE4 dispatches to KustomizeBakeManifestService (handles KUSTOMIZE and KUSTOMIZE4) and reaches the same KustomizationFileReader.convert sink via KustomizeTemplateUtils.getFilesFromArtifact.",
    "shared_sink": "KustomizationFileReader.convert",
    "same_root_cause_confidence": "high",
    "rationale": "Both KUSTOMIZE and KUSTOMIZE4 endpoints route through V2BakeryController -> KustomizeBakeManifestService -> KustomizeTemplateUtils -> KustomizationFileReader.getKustomization -> convert(). The only difference is the {type} path variable and templateRenderer field. The vulnerable YAML deserialization sink is byte-for-byte the same code.",
    "fix_coverage": "The fix changes convert() itself (SafeConstructor + Jackson convertValue), which is downstream of and shared by both endpoints, so both are covered."
  }
}
