[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17791281#comment-17791281 ]
Brandon Williams edited comment on CASSANDRA-18875 at 11/29/23 7:57 PM:
------------------------------------------------------------------------

Ah yes, I remember [suppressing|https://github.com/apache/cassandra/blob/trunk/.build/dependency-check-suppressions.xml#L31] that one. I think we should just set it to 64 all the time; there's no significant cost, and if there is some reason for a large yaml over 3MiB that I can't think of, that's a tough spot to be in, since you can't easily work around it aside from shrinking your config.

> Upgrade the snakeyaml library version
> -------------------------------------
>
>                 Key: CASSANDRA-18875
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
>             Project: Cassandra
>          Issue Type: Task
>          Components: Local/Config
>            Reporter: Jai Bheemsen Rao Dhanwada
>            Assignee: Raymond Huffman
>            Priority: Normal
>             Fix For: 5.x
>
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency, and there are several [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] in this version that can be fixed by upgrading to the 2.x version. I understand that this is not a security issue, as Cassandra already uses SafeConstructor and it is not a vulnerability under OWASP, so there are no plans to fix it as per CASSANDRA-18122.
>
> Cassandra is open source, used and distributed by many enterprise customers, and when downloading Cassandra as a tar and using it, external scanners are not aware of the SafeConstructor implementation and have no idea whether it's vulnerable or not.
> Can we consider upgrading the version to 2.x in the next releases, as snakeyaml is not something that has a large dependency between the major and minor versions? I am happy to open a PR for this. Please let me know your thoughts on this.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
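The two mechanisms the thread turns on are shown together in the added example below, which is illustrative code written for this page and not Cassandra's or SnakeYAML's own: loading through SafeConstructor, which the reporter notes Cassandra already does and which is why the unsafe-deserialization findings do not apply, and raising the document size limit to 64 MiB, which is how I read Brandon's "set it to 64 all the time" (the 3 MiB he mentions matches the default codePointLimit in SnakeYAML's LoaderOptions, introduced in 1.32 and carried into 2.x; that reading is my assumption). The class name, the constructed 4 MiB document and the tagged sample are made up for the demonstration and target the SnakeYAML 2.x API.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

// Added example (not Cassandra or SnakeYAML project code): SafeConstructor plus
// an explicit code point limit, as discussed in CASSANDRA-18875.
public class YamlLimitDemo {

    // Assumption: "set it to 64" in the thread means a 64 MiB codePointLimit.
    static final int SIXTY_FOUR_MIB = 64 * 1024 * 1024;

    // Build a loader that refuses arbitrary class tags and accepts documents
    // up to the given number of code points.
    static Yaml safeYaml(int codePointLimit) {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(codePointLimit);
        // SafeConstructor only builds the standard YAML types (maps, sequences,
        // scalars) and rejects !!fully.qualified.ClassName tags, so an untrusted
        // document cannot pick which Java class gets instantiated.
        return new Yaml(new SafeConstructor(opts));
    }

    // Constructed sample: a config document padded past the 3 MiB default.
    static String bigConfig(int bytes) {
        StringBuilder sb = new StringBuilder("cluster_name: demo\nbig_blob: ");
        while (sb.length() < bytes) {
            sb.append("xxxxxxxxxxxxxxxx");
        }
        return sb.append('\n').toString();
    }

    public static void main(String[] args) {
        String doc = bigConfig(4 * 1024 * 1024); // about 4 MiB, over the default

        // 1. Default limit (3 MiB in 1.32+/2.x): the oversized document is refused.
        Yaml defaults = safeYaml(new LoaderOptions().getCodePointLimit());
        try {
            defaults.load(doc);
            System.out.println("default limit: loaded (unexpected)");
        } catch (YAMLException e) {
            System.out.println("default limit rejected a 4 MiB document: " + e.getMessage());
        }

        // 2. Limit raised to 64 MiB unconditionally: the same document loads.
        Yaml raised = safeYaml(SIXTY_FOUR_MIB);
        Map<String, Object> cfg = raised.load(doc);
        System.out.println("64 MiB limit loaded a document with " + cfg.size() + " keys");

        // 3. Raising the size limit does not weaken SafeConstructor: a class tag
        //    (constructed sample, harmless class chosen on purpose) is still rejected.
        String tagged = "x: !!java.lang.StringBuilder 'hello'\n";
        try {
            raised.load(tagged);
            System.out.println("class tag: loaded (unexpected)");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejected a class tag: " + e.getMessage());
        }
    }
}
```

The point the example makes for the thread: the code point limit and the constructor are independent knobs. Brandon's suggestion changes only the first, so a larger cassandra.yaml loads without reintroducing the deserialization exposure that SafeConstructor closes; a scanner keyed only on the dependency version cannot see either setting, which is the reporter's complaint.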