[https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17791318#comment-17791318]
Brandon Williams commented on CASSANDRA-18875:
----------------------------------------------
He already pushed the update.
||Branch||CI||
|[trunk|https://github.com/driftx/cassandra/tree/CASSANDRA-18875-trunk]|[j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1397/workflows/92b2644d-cb65-47d3-a86a-d51f448a85ad], [j17|https://app.circleci.com/pipelines/github/driftx/cassandra/1397/workflows/2c562c0b-9561-4c6a-a186-75af810c67cf]|
bq. We might also want to remove any CVE suppressions resolved by these version bumps
Dependency-check will warn us when we have unused rules, so I'll file a ticket after we commit this to remove them.
> Upgrade the snakeyaml library version
> -------------------------------------
>
> Key: CASSANDRA-18875
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
> Project: Cassandra
> Issue Type: Task
> Components: Local/Config
> Reporter: Jai Bheemsen Rao Dhanwada
> Assignee: Raymond Huffman
> Priority: Normal
> Fix For: 5.x
>
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency, and there are
> several
> [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#]
> in this version that can be fixed by upgrading to a 2.x version. I understand
> that this is not a security issue, as Cassandra already uses SafeConstructor and
> it is not a vulnerability under OWASP, so there are no plans to fix it as per
> CASSANDRA-18122.
>
> Cassandra is open source, used and distributed by many enterprise customers,
> and also, when downloading Cassandra as a tar and using it, external scanners are
> not aware of the implementation of SafeConstructor and have no idea if it's
> vulnerable or not.
> Can we consider upgrading the version to 2.x in the next releases, as
> snakeyaml is not something that has a large dependency between the major and
> minor versions? I am happy to open a PR for this. Please let me know your
> thoughts on this.
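An added illustration of the SafeConstructor point made in the description (example code written for this page, not code from the Cassandra project): a loader built on SafeConstructor only constructs the standard YAML tags, so a document that names a Java class through a global tag is rejected instead of instantiated. It assumes the snakeyaml 2.x API, where SafeConstructor takes a LoaderOptions argument; the YAML documents and class name are constructed samples.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import java.util.Map;

public class SafeYamlLoadDemo {

    // Constructed sample: plain configuration data, like a cassandra.yaml fragment.
    static final String PLAIN_CONFIG =
            "cluster_name: Test Cluster\n"
          + "num_tokens: 16\n";

    // Constructed sample: a document carrying a global (!!) tag that asks the loader
    // to instantiate a Java class instead of building plain map/scalar data.
    static final String TAGGED_DOC = "!!java.lang.Object {}\n";

    // Build a loader that only knows the standard YAML tags (maps, lists, scalars).
    // Assumes the snakeyaml 2.x signature SafeConstructor(LoaderOptions).
    static Yaml safeLoader() {
        return new Yaml(new SafeConstructor(new LoaderOptions()));
    }

    // Returns true when the safe loader refuses the document, false when it builds
    // an object from it.
    static boolean rejects(String doc) {
        try {
            safeLoader().load(doc);
            return false;
        } catch (YAMLException e) {
            // SafeConstructor has no constructor registered for arbitrary global
            // tags, so it fails here rather than instantiating the named class.
            return true;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = safeLoader().load(PLAIN_CONFIG);
        System.out.println("plain config loaded: " + cfg);
        System.out.println("tagged document rejected: " + rejects(TAGGED_DOC));
    }
}
```

This is exactly the behaviour an external scanner cannot see from the jar version alone, which is the reporter's point about the version bump.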
--
This message was sent by Atlassian Jira
(v8.20.10#820010)