[https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17791281#comment-17791281]
Brandon Williams edited comment on CASSANDRA-18875 at 11/29/23 7:57 PM:
------------------------------------------------------------------------
Ah yes, I remember
[suppressing|https://github.com/apache/cassandra/blob/trunk/.build/dependency-check-suppressions.xml#L31]
that one. I think we should just set it to 64 all the time; there's no
significant cost, and if there is some reason for a large yaml over 3MiB I can't
think of, that's a tough spot to be in since you can't easily work around it
aside from shrinking your config.
> Upgrade the snakeyaml library version
> -------------------------------------
>
> Key: CASSANDRA-18875
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
> Project: Cassandra
> Issue Type: Task
> Components: Local/Config
> Reporter: Jai Bheemsen Rao Dhanwada
> Assignee: Raymond Huffman
> Priority: Normal
> Fix For: 5.x
>
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency and there are
> several
> [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#]
> in this version that can be fixed by upgrading to the 2.x version. I understand
> that this is not a security issue as Cassandra already uses SafeConstructor and
> is not a vulnerability under OWASP, so there are no plans to fix it as per
> CASSANDRA-18122.
>
> Cassandra is open source, used and distributed by many enterprise customers,
> and when downloading Cassandra as a tar and using it, external scanners are
> not aware of the implementation of SafeConstructor and have no idea if it's
> vulnerable or not.
> Can we consider upgrading the version to 2.x in the next releases, as
> snakeyaml is not something that has a large dependency between the major and
> minor versions? I am happy to open a PR for this. Please let me know your
> thoughts on this.
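As an added illustration (not code from Cassandra or the snakeyaml project), the two settings this thread turns on, SafeConstructor and the code point limit, wired together on SnakeYAML 2.x. The class name SafeYamlLoader and the 64 MiB figure (read here as what "set it to 64" means, up from SnakeYAML's 3 MiB default) are assumptions; the sample documents are constructed.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeYamlLoader {
    // Assumed value: 64 MiB, raised from SnakeYAML's 3 MiB default (1.32+).
    static final int CODE_POINT_LIMIT = 64 * 1024 * 1024;

    static Yaml newYaml(int codePointLimit) {
        LoaderOptions opts = new LoaderOptions();
        // Upper bound on document size; SnakeYAML throws YAMLException when exceeded.
        opts.setCodePointLimit(codePointLimit);
        // SafeConstructor only builds standard YAML types (maps, lists, scalars);
        // global tags that name arbitrary Java classes have no constructor and fail.
        return new Yaml(new SafeConstructor(opts));
    }

    @SuppressWarnings("unchecked")
    static Map<String, Object> loadConfig(String text, int codePointLimit) {
        return (Map<String, Object>) newYaml(codePointLimit).load(text);
    }

    public static void main(String[] args) {
        // Constructed sample config, not a real cassandra.yaml.
        String small = "cluster_name: test\nnum_tokens: 16\n";
        System.out.println(loadConfig(small, CODE_POINT_LIMIT));

        // Constructed oversize document; a 1 KiB limit keeps the demonstration quick.
        StringBuilder big = new StringBuilder("comment: ");
        for (int i = 0; i < 2048; i++) big.append('x');
        try {
            loadConfig(big.toString(), 1024);
        } catch (YAMLException e) {
            System.out.println("rejected oversize document: " + e.getMessage());
        }

        // A document naming a Java class via a global tag is refused by
        // SafeConstructor regardless of size (ConstructorException is a YAMLException).
        try {
            loadConfig("date: !!java.util.Date {}\n", CODE_POINT_LIMIT);
        } catch (YAMLException e) {
            System.out.println("rejected global tag: " + e.getMessage());
        }
    }
}
```

On the 1.26 line the thread starts from, LoaderOptions has no code point limit at all, so the size bound only exists once the dependency is upgraded.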