[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17792167#comment-17792167 ]
Brandon Williams edited comment on CASSANDRA-18875 at 12/1/23 7:15 PM: ----------------------------------------------------------------------- It seems that OWASP is broken on all the branches and the real error lies in https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json which has an extra dot in the date. I have restored the work (that is, reverted the revert) done here since it's not at fault in 7204bc45b6. was (Author: brandon.williams): It seems that OWASP is broken on all the branches and the real error lies in https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json which has an extra dot in the date. I have restored the work (that is, reverted the revert) done here since it's not at fault in 5d607f07cdf. > Upgrade the snakeyaml library version > ------------------------------------- > > Key: CASSANDRA-18875 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18875 > Project: Cassandra > Issue Type: Task > Components: Local/Config > Reporter: Jai Bheemsen Rao Dhanwada > Assignee: Raymond Huffman > Priority: Normal > Fix For: 5.1-alpha1 > > Time Spent: 10m > Remaining Estimate: 0h > > Apache cassandra uses 1.26 version of snakeyaml dependency and there are > several > [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] > in this version that can be fixed by upgrading to 2.x version. I understand > that this is not security issue as cassandra already uses SafeConstructor and > is not a vulnerability under OWASP, so there are no plans to fix it as per > CASSANDRA-18122 > > Cassandra as a open source used and distributed by many enterprise customers > and also when downloading cassandra as tar and using it external scanners are > not aware of the implementation of SafeConstructor have no idea if it's > vulnerable or not. > Can we consider upgrading the version to 2.x in the next releases as > snakeyaml is not something that has a large dependency between the major and > minor versions. I am happy to open a PR for this. Please let me know your > thoughts on this. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org