[jira] [Comment Edited] (CASSANDRA-18875) Upgrade the snakeyaml library version

2023-12-01 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17792167#comment-17792167 ]

Brandon Williams edited comment on CASSANDRA-18875 at 12/1/23 7:15 PM:
---

It seems that OWASP is broken on all the branches and the real error lies in 
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
 which has an extra dot in the date.  I have restored the work (that is, 
reverted the revert) done here since it's not at fault in 7204bc45b6.


was (Author: brandon.williams):
It seems that OWASP is broken on all the branches and the real error lies in 
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
 which has an extra dot in the date.  I have restored the work (that is, 
reverted the revert) done here since it's not at fault in 5d607f07cdf.

> Upgrade the snakeyaml library version
> -
>
> Key: CASSANDRA-18875
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
> Project: Cassandra
>  Issue Type: Task
>  Components: Local/Config
>Reporter: Jai Bheemsen Rao Dhanwada
>Assignee: Raymond Huffman
>Priority: Normal
> Fix For: 5.1-alpha1
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency and there are 
> several 
> [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] 
> in this version that can be fixed by upgrading to the 2.x version. I understand 
> that this is not a security issue as Cassandra already uses SafeConstructor and 
> is not a vulnerability under OWASP, so there are no plans to fix it as per 
> CASSANDRA-18122.
>  
> Cassandra, as an open source project, is used and distributed by many enterprise 
> customers, and when downloading Cassandra as a tar and using it, external scanners 
> are not aware of the implementation of SafeConstructor and have no idea if it's 
> vulnerable or not. 
> Can we consider upgrading the version to 2.x in the next releases, as 
> snakeyaml is not something that has a large dependency between the major and 
> minor versions? I am happy to open a PR for this. Please let me know your 
> thoughts on this.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org



[jira] [Comment Edited] (CASSANDRA-18875) Upgrade the snakeyaml library version

2023-12-01 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17792125#comment-17792125 ]

Brandon Williams edited comment on CASSANDRA-18875 at 12/1/23 4:29 PM:
---

Unfortunately, this broke OWASP:

{quote}
BUILD FAILED
/home/user/cassandra/trunk/.build/build-owasp.xml:82: One or more exceptions 
occurred during analysis:
org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions 
occurred during analysis:
UpdateException: Unable to find the CISA Known Exploited 
Vulnerabilities file to parse
caused by InvalidFormatException: Cannot deserialize value of 
type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid 
representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': 
Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 
'-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
 at [Source: (InputStreamReader); line: 4, column: 21] (through reference 
chain: 
org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
NoDataException: No documents exist
{quote}

[jira] [Comment Edited] (CASSANDRA-18875) Upgrade the snakeyaml library version

2023-11-29 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791281#comment-17791281 ]

Brandon Williams edited comment on CASSANDRA-18875 at 11/29/23 7:57 PM:


Ah yes, I remember 
[suppressing|https://github.com/apache/cassandra/blob/trunk/.build/dependency-check-suppressions.xml#L31]
 that one.  I think we should just set it to 64 all the time; there's no 
significant cost, and if there is some reason for a large yaml over 3MiB that I can't 
think of, that's a tough spot to be in since you can't easily work around it 
aside from shrinking your config.


was (Author: brandon.williams):
Ah yes, I remember 
[suppressing|https://github.com/apache/cassandra/blob/trunk/.build/dependency-check-suppressions.xml#L31]
 that one.  I think we should just set it to 64 all the time, there's no 
significant cost and if there some reason for a large yaml over 3MiB I can't 
think of, that's a tough spot to be in since you can't easily workaround it 
aside from shrinking your config.

> Upgrade the snakeyaml library version
> -
>
> Key: CASSANDRA-18875
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
> Project: Cassandra
>  Issue Type: Task
>  Components: Local/Config
>Reporter: Jai Bheemsen Rao Dhanwada
>Assignee: Raymond Huffman
>Priority: Normal
> Fix For: 5.x
>
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency and there are 
> several 
> [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] 
> in this version that can be fixed by upgrading to the 2.x version. I understand 
> that this is not a security issue as Cassandra already uses SafeConstructor and 
> is not a vulnerability under OWASP, so there are no plans to fix it as per 
> CASSANDRA-18122.
>  
> Cassandra, as an open source project, is used and distributed by many enterprise 
> customers, and when downloading Cassandra as a tar and using it, external scanners 
> are not aware of the implementation of SafeConstructor and have no idea if it's 
> vulnerable or not. 
> Can we consider upgrading the version to 2.x in the next releases, as 
> snakeyaml is not something that has a large dependency between the major and 
> minor versions? I am happy to open a PR for this. Please let me know your 
> thoughts on this.



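An added example (not Cassandra's or SnakeYAML's own code) of the setting discussed in the comment above: it assumes SnakeYAML 2.x on the classpath, reads the "64" as a 64 MiB code point limit (SnakeYAML's default is 3 MiB), and pairs it with the SafeConstructor the issue mentions. The constructed inputs show a document just over 3 MiB failing under the default limit but loading under 64 MiB, and a document tagged with an arbitrary class being refused.

```java
// Added example, not Cassandra's code. Assumes org.yaml:snakeyaml 2.x.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {
    // SnakeYAML's default code point limit is 3 MiB; the thread proposes 64 (read here as MiB).
    static final int DEFAULT_LIMIT = 3 * 1024 * 1024;
    static final int RAISED_LIMIT = 64 * 1024 * 1024;

    // Build a loader that only constructs standard YAML types (maps, lists, scalars)
    // and refuses documents larger than the given number of code points.
    static Yaml newLoader(int codePointLimit) {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(codePointLimit);
        return new Yaml(new SafeConstructor(opts));
    }

    public static void main(String[] args) {
        // Constructed input: one mapping whose value pushes the document just past 3 MiB.
        StringBuilder sb = new StringBuilder("big: ");
        for (int i = 0; i < DEFAULT_LIMIT; i++) {
            sb.append('x');
        }
        String bigDoc = sb.toString();

        try {
            newLoader(DEFAULT_LIMIT).load(bigDoc);
            System.out.println("unexpected: default limit accepted the document");
        } catch (YAMLException e) {
            System.out.println("default 3 MiB limit rejects it: " + e.getMessage());
        }

        Object parsed = newLoader(RAISED_LIMIT).load(bigDoc);
        System.out.println("64 MiB limit loads it as " + parsed.getClass().getSimpleName());

        // Constructed input with a global tag naming a hypothetical class:
        // SafeConstructor does not instantiate tagged classes, so this fails closed.
        try {
            newLoader(RAISED_LIMIT).load("!!com.example.HypotheticalBean {}");
            System.out.println("unexpected: tagged class was constructed");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejects the tag: " + e.getMessage());
        }
    }
}
```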



[jira] [Comment Edited] (CASSANDRA-18875) Upgrade the snakeyaml library version

2023-09-22 Thread Brandon Williams (Jira)


[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17768071#comment-17768071 ]

Brandon Williams edited comment on CASSANDRA-18875 at 9/22/23 4:06 PM:
---

No, those are in bugfix-only.  We can't risk regressions in stable branches to 
appease less sophisticated scanners.


was (Author: brandon.williams):
No, those are in bugfix-only.

> Upgrade the snakeyaml library version
> -
>
> Key: CASSANDRA-18875
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
> Project: Cassandra
>  Issue Type: Task
>  Components: Local/Config
>Reporter: Jai Bheemsen Rao Dhanwada
>Priority: Normal
> Fix For: 5.x
>
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency and there are 
> several 
> [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] 
> in this version that can be fixed by upgrading to the 2.x version. I understand 
> that this is not a security issue as Cassandra already uses SafeConstructor and 
> is not a vulnerability under OWASP, so there are no plans to fix it as per 
> CASSANDRA-18122.
>  
> Cassandra, as an open source project, is used and distributed by many enterprise 
> customers, and when downloading Cassandra as a tar and using it, external scanners 
> are not aware of the implementation of SafeConstructor and have no idea if it's 
> vulnerable or not. 
> Can we consider upgrading the version to 2.x in the next releases, as 
> snakeyaml is not something that has a large dependency between the major and 
> minor versions? I am happy to open a PR for this. Please let me know your 
> thoughts on this.


