[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17791281#comment-17791281 ]

Brandon Williams edited comment on CASSANDRA-18875 at 11/29/23 7:57 PM:
------------------------------------------------------------------------

Ah yes, I remember [suppressing|https://github.com/apache/cassandra/blob/trunk/.build/dependency-check-suppressions.xml#L31] that one. I think we should just set it to 64 all the time; there's no significant cost, and if there is some reason for a large yaml over 3MiB that I can't think of, that's a tough spot to be in, since you can't easily work around it aside from shrinking your config.


was (Author: brandon.williams):
Ah yes, I remember 
[suppressing|https://github.com/apache/cassandra/blob/trunk/.build/dependency-check-suppressions.xml#L31]
 that one.  I think we should just set it to 64 all the time, there's no 
significant cost and if there some reason for a large yaml over 3MiB I can't 
think of, that's a tough spot to be in since you can't easily workaround it 
aside from shrinking your config.
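
The setting the comment is talking about is SnakeYAML's code point limit (LoaderOptions.setCodePointLimit, available from SnakeYAML 1.32 on), which defaults to 3 MiB. The following is an added example, not Cassandra's or SnakeYAML's own code: it loads a constructed ~6 MiB config through SafeConstructor once with the default cap and once with the cap raised, assuming "set it to 64" means 64 MiB.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class CodePointLimitDemo {

    static final int DEFAULT_LIMIT = 3 * 1024 * 1024;  // SnakeYAML's built-in default (3 MiB)
    static final int RAISED_LIMIT = 64 * 1024 * 1024;  // assumed reading of "set it to 64": 64 MiB

    /** Loader that constructs only plain YAML types (no arbitrary classes), with the given cap. */
    static Yaml safeLoader(int codePointLimit) {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(codePointLimit);
        return new Yaml(new SafeConstructor(opts));
    }

    /** Constructed sample config: one seed entry per line, enough lines to pass 3 MiB of text. */
    static String bigConfig(int entries) {
        StringBuilder sb = new StringBuilder("cluster_name: demo\nseeds:\n");
        for (int i = 0; i < entries; i++) {
            sb.append("  - host").append(i).append(".example.invalid\n");
        }
        return sb.toString();
    }

    /** Returns the parsed map, or null when the loader rejects the document for its size. */
    static Map<String, Object> tryLoad(int codePointLimit, String doc) {
        try {
            return safeLoader(codePointLimit).load(doc);
        } catch (YAMLException e) {
            // The reader throws here once the document passes the configured code point cap.
            System.out.println("rejected at limit " + codePointLimit + ": " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        String doc = bigConfig(200_000);  // about 6 MiB of text, above the 3 MiB default
        System.out.println("document code points: " + doc.codePointCount(0, doc.length()));
        Map<String, Object> withDefault = tryLoad(DEFAULT_LIMIT, doc);
        Map<String, Object> withRaised = tryLoad(RAISED_LIMIT, doc);
        System.out.println("default limit accepted: " + (withDefault != null));
        System.out.println("64 MiB limit accepted:  " + (withRaised != null));
    }
}
```

The cap bounds how much text the parser will buffer from one document; SafeConstructor separately limits which Java types can be constructed, so the two settings address different risks.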

> Upgrade the snakeyaml library version
> -------------------------------------
>
>                 Key: CASSANDRA-18875
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
>             Project: Cassandra
>          Issue Type: Task
>          Components: Local/Config
>            Reporter: Jai Bheemsen Rao Dhanwada
>            Assignee: Raymond Huffman
>            Priority: Normal
>             Fix For: 5.x
>
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency, and there are 
> several 
> [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] 
> in this version that can be fixed by upgrading to the 2.x version. I understand 
> that this is not a security issue, as Cassandra already uses SafeConstructor and 
> it is not a vulnerability under OWASP, so there are no plans to fix it as per 
> CASSANDRA-18122.
>  
> Cassandra, as open source, is used and distributed by many enterprise customers, 
> and also when downloading Cassandra as a tar and using it, external scanners are 
> not aware of the implementation of SafeConstructor and have no idea if it's 
> vulnerable or not. 
> Can we consider upgrading the version to 2.x in the next releases, as 
> snakeyaml is not something that has a large dependency between the major and 
> minor versions? I am happy to open a PR for this. Please let me know your 
> thoughts on this.


