Snakeyaml was removed and replaced by safeyaml #76
Conversation
There was a problem hiding this comment.
It looks sensible to me in terms of satisfying scanners which are flagging https://nvd.nist.gov/vuln/detail/CVE-2022-1471. I think the key question, though, is whether this switch creates any runtime issues for Cassandra, which will need some testing to confirm.
We will also, I think, want to move this forward to 4.1.10.
| <dependency groupId="com.boundary" artifactId="high-scale-lib" version="1.0.6"/> | ||
| <dependency groupId="com.github.jbellis" artifactId="jamm" version="${jamm.version}"/> | ||
| <dependency groupId="org.yaml" artifactId="snakeyaml" version="1.26"/> | ||
| <dependency groupId="com.konloch" artifactId="safeyaml" version="1.34.1"/> |
There was a problem hiding this comment.
Oh - Reading https://github.com/Konloch/SafeYAML/ they seem to recommend using 1.33.0 rather than 1.34.1. Is there a reason you think we should prefer 1.34.1?
There was a problem hiding this comment.
I tried to build and use the 1.33.0 version, but it seems that there is no such branch in the repo right now. I've downloaded the 1.33.0 from the releases page and built mine from sources, and compared them. There are no differences between them right now, so I used 1.34.1.
Furthermore, there are no transitive dependencies for the snakeyaml that were mentioned in the SafeYaml Readme file, so I've decided to use the latest one.
There was a problem hiding this comment.
Used this command to check BTW:
japi-compliance-checker ~/Downloads/safeyaml-1.33.0.jar ../cassandra/build/lib/jars/safeyaml-1.34.1.jar
2 participants
This PR replaces SnakeYAML 1.26 with SafeYAML 1.34.1
This change replaces the outdated SnakeYAML library that contains critical vulnerabilities with SafeYAML to address security considerations and improve YAML parsing safety.
patch by Danylo Savchneko