Jai Bheemsen Rao Dhanwada created CASSANDRA-18875:
-----------------------------------------------------
Summary: Upgrade the snakeyaml library version
Key: CASSANDRA-18875
URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
Project: Cassandra
Issue Type: Task
Reporter: Jai Bheemsen Rao Dhanwada
Apache Cassandra uses version 1.26 of the snakeyaml dependency, and there are several [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] in this version that can be fixed by upgrading to the 2.x version. I understand that this is not a security issue, as Cassandra already uses SafeConstructor and it is not a vulnerability under OWASP, so there are no plans to fix it, as per CASSANDRA-18122.

Cassandra, as open source, is used and distributed by many enterprise customers, and also when downloading Cassandra as a tar and using it, external scanners are not aware of the implementation of SafeConstructor and have no idea if it's vulnerable or not.

Can we consider upgrading the version to 2.x in the next releases, as snakeyaml is not something that has a large dependency between the major and minor versions? I am happy to open a PR for this. Please let me know your thoughts on this.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
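As an added illustration (not code from this ticket or from Cassandra) of why the SafeConstructor point above matters: SnakeYAML's SafeConstructor only builds standard YAML types (maps, lists, scalars), so a document carrying a global `!!class` tag is rejected instead of being instantiated. The code assumes the SnakeYAML 2.x API, where SafeConstructor takes a LoaderOptions; the configuration text and the tag name com.example.NotAllowed are constructed for the example.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoadDemo {

    // Plain scalar/map/list YAML, like a configuration file (constructed sample).
    static final String PLAIN_CONFIG =
            "cluster_name: 'Test Cluster'\n"
          + "num_tokens: 16\n"
          + "seed_addresses:\n"
          + "  - 10.0.0.1\n";

    // Same kind of document plus a global (!!class) tag. The class name is
    // hypothetical; SafeConstructor rejects the tag before any class lookup.
    static final String TAGGED_CONFIG =
            "cluster_name: 'Test Cluster'\n"
          + "extra: !!com.example.NotAllowed {}\n";

    /** Builds a loader that only constructs standard YAML types. */
    static Yaml safeLoader() {
        LoaderOptions options = new LoaderOptions();
        // SnakeYAML 2.x: SafeConstructor requires LoaderOptions; in 1.x the
        // no-argument constructor was used instead. Either way, no tag in the
        // document can cause an application class to be instantiated.
        return new Yaml(new SafeConstructor(options));
    }

    /** Returns the parsed map, or null if the loader rejects the document. */
    static Map<String, Object> loadOrReject(String document) {
        try {
            return safeLoader().load(document);
        } catch (YAMLException e) {
            // SafeConstructor reports an unknown/global tag as a construction error
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> plain = loadOrReject(PLAIN_CONFIG);
        System.out.println("plain document loaded: " + (plain != null));

        Map<String, Object> tagged = loadOrReject(TAGGED_CONFIG);
        System.out.println("tagged document loaded: " + (tagged != null));
    }
}
```

The scanner problem the ticket describes is exactly that this choice of constructor is invisible in the dependency manifest; only the artifact version is.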