[ https://issues.apache.org/jira/browse/CASSJAVA-83?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17932091#comment-17932091 ]
Bret McGuire commented on CASSJAVA-83:
--------------------------------------

We know we can't _compile_ the 3.x driver against newer versions of Guava, but the baseline for seeing what needs to be done is to run the 3.x driver test suite using a newer version of Guava in the classpath to see if anything breaks. Since the build and test run are discrete steps in the 3.x Jenkins config, this is actually pretty easy to test:

{code:java} diff --git a/Jenkinsfile-datastax b/Jenkinsfile-datastax index e8e6a1ecf3..1841b38073 100644 --- a/Jenkinsfile-datastax +++ b/Jenkinsfile-datastax @@ -99,7 +99,8 @@ def executeTests() { -DfailIfNoTests=false \ -Dmaven.test.failure.ignore=true \ -Dmaven.javadoc.skip=true \ - -Dproxy.path=${HOME}/proxy + -Dproxy.path=${HOME}/proxy \ + -Dguava.version=33.3.1-jre # run isolated tests mvn -B -V verify \ 
@@ -113,7 +114,8 @@ def executeTests() { -Dccm.maxNumberOfNodes=3 \ -DfailIfNoTests=false \ -Dmaven.test.failure.ignore=true \ - -Dmaven.javadoc.skip=true + -Dmaven.javadoc.skip=true \ + -Dguava.version=33.3.1-jre ''' }{code}

Running this test on current 3.x (head of [this commit|https://github.com/apache/cassandra-java-driver/commit/2b8b221b5f40bec2c2a85fa9f55341feaa1f5531]) gives only a few test failures. There are a number of OSGi test failures which appear to be based on dependency resolutions brought on by the use of a new version at all. The only other failure that wasn't a timeout or a known bad test was caused by AbstractReconnectionHandlerTest, specifically [this line|https://github.com/apache/cassandra-java-driver/blob/3.12.1/driver-core/src/test/java/com/datastax/driver/core/AbstractReconnectionHandlerTest.java#L268], which appears to leverage a static method on Futures which doesn't exist in newer versions of Guava.

Based on these results, simply including a newer version of Guava in the classpath appears to work well. In the short-to-near term users should follow that path. We may at some point release a new 3.x version which updates the bundled Guava, but that isn't necessary to address the CVEs in question at this time.

> Update Guava version used in cassandra-java-driver 3.x branch
> -------------------------------------------------------------
>
> Key: CASSJAVA-83
> URL: https://issues.apache.org/jira/browse/CASSJAVA-83
> Project: Apache Cassandra Java driver
> Issue Type: Task
> Reporter: Brandon Bordeaux
> Priority: Normal
>
> Java driver 3.12.1 has some CVEs associated with the Guava version (16.0.1).
> CASSJAVA-53 updated Guava for the 4.x branch; this ticket requests the same
> be done for the 3.x branch.
> Vulnerabilities from Nessus Scan:
> * CVE-2023-2976
> * CVE-2018-10237
> * sonatype-2020-0926
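
Review bot: In the @@ -99 hunk, the new `-Dguava.version=33.3.1-jre` flag is added to an invocation that already carries `-Dmaven.test.failure.ignore=true`, so a Guava incompatibility shows up only as failed tests in the reports and never fails the stage; whoever reads the run has to open the test results rather than trust a green build. The diff also does not show that the POM resolves Guava through a `guava.version` property, and Maven silently ignores a `-D` property that nothing references, so it is worth confirming the resolved Guava version in the test classpath before drawing conclusions. A short shell comment above the flag saying the override is test-time only (the driver is still compiled against the bundled Guava in the separate build step) would document the intent.

Review bot: The @@ -113 hunk repeats the literal `33.3.1-jre` that the first hunk adds to the other `mvn` invocation, so the main and isolated test runs can drift apart if only one copy is updated later. Suggest defining the version once near the top of the `'''` shell block (for example a variable with a hypothetical name such as `GUAVA_VERSION`) and passing `-Dguava.version=${GUAVA_VERSION}` in both places, or exposing it as a job parameter so the same pipeline can be run with and without the override.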