This is an automated email from the ASF dual-hosted git repository. mck pushed a commit to branch cassandra-5.0 in repository https://gitbox.apache.org/repos/asf/cassandra.git
commit 1311766ad18b125ad5642cac57ed730d2b883ed0 Merge: 31235c4314 ef3dc6491e Author: Mick Semb Wever <m...@apache.org> AuthorDate: Sun Mar 30 09:31:20 2025 +0200 Merge branch 'cassandra-4.1' into cassandra-5.0 * cassandra-4.1: Autogenerate toplevel .snyk file from owasp suppressions .build/build-owasp.xml | 3 ++ .build/build-rat.xml | 1 + .build/generate-snyk-file | 75 +++++++++++++++++++++++++++++++++++++++++ .snyk | 32 ++++++++++++++++++ CHANGES.txt | 1 + build.xml | 3 +- debian/rules | 2 +- redhat/cassandra.spec | 2 +- redhat/noboolean/cassandra.spec | 2 +- 9 files changed, 117 insertions(+), 4 deletions(-) diff --cc .build/build-owasp.xml index 892def80ae,d4b44c897b..b71127982a --- a/.build/build-owasp.xml +++ b/.build/build-owasp.xml @@@ -112,4 -112,7 +112,7 @@@ <antcall target="-run-owasp-scan" inheritrefs="true" inheritall="true"/> </target> + <target name="generate-snyk-file" unless="ant.gen-snyk.skip"> - <exec executable="${basedir}/.build/generate-snyk-file" failonerror="true"/> ++ <exec executable="python3" failonerror="true"><arg value="${basedir}/.build/generate-snyk-file"/></exec> + </target> </project> diff --cc .build/build-rat.xml index 27e8f63ae4,f4a2aab588..2f6f5c7156 --- a/.build/build-rat.xml +++ b/.build/build-rat.xml @@@ -42,10 -42,11 +42,11 @@@ <fileset dir="." 
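Review bot: The `generate-snyk-file` target runs `python3` from PATH with `failonerror="true"` and, via the build.xml hunk, becomes a dependency of `build-project`, so a plain build now fails on a host without a `python3` binary even though `.snyk` is only a scanner policy file; either guard the target with an `<available>`/`<condition>` check on the interpreter or document the new build prerequisite together with the `ant.gen-snyk.skip` escape hatch. The target also rewrites `.snyk` in the source tree on every build, which the target name does not convey; a short comment such as `<!-- regenerates the toplevel .snyk from .build/owasp/dependency-check-suppressions.xml; skip with -Dant.gen-snyk.skip=true -->` above it would make that visible to the next maintainer.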
includesfile="${build.dir}/.ratinclude"> <!-- Config files with not much creativity --> <exclude name=".asf.yaml"/> + <exclude name=".snyk"/> <exclude name="**/cassandra*.yaml"/> - <exclude name="conf/metrics-reporter-config-sample.yaml"/> <exclude NAME="doc/antora.yml"/> <exclude name="ide/**/*"/> + <exclude name="**/*.json"/> <exclude name="pylib/cqlshlib/test/config/sslhandling*.config"/> <exclude NAME="src/resources/org/apache/cassandra/cql3/reserved_keywords.txt"/> <exclude NAME="src/resources/org/apache/cassandra/index/sasi/analyzer/filter/*.txt"/> diff --cc .build/generate-snyk-file index 0000000000,bf9255ffd5..4ed94589db mode 000000,100755..100755 --- a/.build/generate-snyk-file +++ b/.build/generate-snyk-file @@@ -1,0 -1,75 +1,75 @@@ -#!/usr/bin/env python ++#!/usr/bin/env python3 + # -*- coding: utf-8 -*- + # + # Licensed to the Apache Software Foundation (ASF) under one + # or more contributor license agreements. See the NOTICE file + # distributed with this work for additional information + # regarding copyright ownership. The ASF licenses this file + # to you under the Apache License, Version 2.0 (the + # "License"); you may not use this file except in compliance + # with the License. You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + """ + Regenerates the toplevel .snyk file from the dependency-check-suppressions.xml found in this directory. 
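Review bot: The new `<exclude name="**/*.json"/>` removes every JSON file in the tree from the RAT license check, which is far broader than the `.snyk` exclusion this change is about and is not explained by the commit message. If it is needed for one generated or config file, a narrower pattern or a comment naming that file next to the exclude (`<!-- generated: ... -->`) would keep the license check meaningful for any JSON added later.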
+ """ + + import re + import os + + + script_dir = os.path.dirname(os.path.abspath(__file__)) -with open(os.path.join(script_dir, "dependency-check-suppressions.xml"), "r", encoding="utf-8") as f: ++with open(os.path.join(script_dir, "owasp/dependency-check-suppressions.xml"), "r", encoding="utf-8") as f: + xml_lines = [line.strip() for line in f.readlines()] + + snyk_data = {"ignore": {}} + + # Parse XML (keeping track of comments) + last_comment = None + i = 0 + while i < len(xml_lines): + # Detect XML comments (these contain the suppression reason) + if xml_lines[i].startswith("<!--") and xml_lines[i].endswith("-->"): + last_comment = xml_lines[i][4:-3].strip() + + # Collect CVE suppressions + if "<suppress>" in xml_lines[i]: + cve_ids = [] + packages = '' + i += 1 + while i < len(xml_lines): + if xml_lines[i].startswith("<!--") and xml_lines[i].endswith("-->"): + last_comment = xml_lines[i][4:-3].strip() + if "<cve>" in xml_lines[i] and "</cve>" in xml_lines[i]: + cve_ids.append(xml_lines[i].strip().replace("<cve>", "").replace("</cve>", "").strip()) + if "<packageUrl" in xml_lines[i] and "</packageUrl>" in xml_lines[i]: + packages = re.sub(r'<packageUrl(?: regex="(?:true|false)")?>|</packageUrl>', '', xml_lines[i]).strip() + if "</suppress>" in xml_lines[i]: + break + i += 1 + reason = f"{last_comment} -- {packages}" if last_comment else "Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml" + + # Add suppressions + for cve_id in cve_ids: + snyk_data["ignore"][cve_id] = [{"reason": reason}] + + last_comment = None + else: + i += 1 + + with open(os.path.join(script_dir, "../.snyk"), "w") as snyk_file: + snyk_file.write("# Snyk (https://snyk.io) policy file, provides ignores for known false positives.\n") + snyk_file.write("# This file is autogenerated from .build/dependency-check-suppressions.xml\n") + snyk_file.write("version: v1.25.0\n") + snyk_file.write(f"ignore:\n") + for cve_id, ignores in snyk_data["ignore"].items(): 
+ snyk_file.write(f" {cve_id}:\n") + for ignore in ignores: + snyk_file.write(f" - reason: {ignore['reason']}\n") + diff --cc .snyk index 0000000000,68d9a43e94..265caab402 mode 000000,100644..100644 --- a/.snyk +++ b/.snyk @@@ -1,0 -1,50 +1,32 @@@ + # Snyk (https://snyk.io) policy file, provides ignores for known false positives. + # This file is autogenerated from .build/dependency-check-suppressions.xml + version: v1.25.0 + ignore: + CVE-2022-1471: + - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$ + CVE-2022-25857: + - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$ + CVE-2022-38749: + - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$ + CVE-2022-38750: + - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$ + CVE-2022-38751: + - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$ + CVE-2022-38752: + - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$ + CVE-2022-41854: + - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$ - CVE-2020-8908: - - reason: not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -- ^pkg:maven/com\.google\.guava/guava@.*$ - CVE-2023-2976: - - reason: not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -- ^pkg:maven/com\.google\.guava/guava@.*$ - CVE-2021-21290: - - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$ - CVE-2021-21295: - - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$ - CVE-2021-21409: - - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$ - CVE-2021-37136: - - reason: netty's http stuff is not applicable here -- 
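Review bot: The header comment written into `.snyk` and the fallback reason string still name `.build/dependency-check-suppressions.xml`, while the merge moved the input to `owasp/dependency-check-suppressions.xml` (the `with open(...)` line), so the generated file in the `.snyk` hunk of this commit points readers at a path that no longer exists; both literals should read `.build/owasp/dependency-check-suppressions.xml`. The reason is emitted as an unquoted YAML plain scalar, so a suppression comment containing `: ` or ` #` would yield an unparsable or silently truncated policy; writing it as `json.dumps(ignore['reason'])` (a JSON string is a valid YAML double-quoted scalar) and opening the output with `encoding="utf-8"` like the input avoids that and locale-dependent encode errors. Only single-line `<!-- ... -->` comments are recognised, so a reason spread over several lines degrades to the generic fallback without any warning. Note also that the packageUrl scope survives only inside the reason text (`snyk_data["ignore"][cve_id] = [{"reason": reason}]`), so the resulting ignore applies to the CVE for every dependency Snyk scans, which is broader than the package-scoped OWASP suppression it was derived from and is worth stating in the module docstring.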
^pkg:maven/io\.netty/netty\-all@.*$ - CVE-2021-37137: - - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$ - CVE-2021-43797: - - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$ - CVE-2022-24823: - - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$ - CVE-2022-41881: - - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$ - CVE-2023-34462: - - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$ + CVE-2023-44487: - - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$ ++ - reason: https://issues.apache.org/jira/browse/CASSANDRA-18943 -- ^pkg:maven/io\.netty/netty\-.*@.*$ + CVE-2022-42003: + - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ + CVE-2022-42004: + - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ + CVE-2023-35116: + - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ + CVE-2023-6378: + - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml ++ CVE-2023-6481: ++ - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml ++ CVE-2024-45772: ++ - reason: https://issues.apache.org/jira/browse/CASSANDRA-20024 -- ^pkg:maven/org\.apache\.lucene/lucene\-.*@9.7.0$ diff --cc build.xml index f1d6e92515,d0af3b1bd4..b2c80ed7d3 --- a/build.xml +++ b/build.xml @@@ -536,7 -985,7 +536,7 @@@ </javac> </target> - <target depends="init,gen-cql3-grammar,generate-cql-html,generate-jflex-java" - <target depends="init,gen-cql3-grammar,generate-cql-html,generate-jflex-java,rat-check,generate-snyk-file" ++ <target 
depends="init,gen-cql3-grammar,generate-cql-html,generate-jflex-java,generate-snyk-file" name="build-project"> <echo message="${ant.project.name}: ${ant.file}"/> <!-- Order matters! --> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
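Review bot: The merge resolution drops `rat-check` from the `build-project` dependency list that the cassandra-4.1 side carried (`...,generate-jflex-java,rat-check,generate-snyk-file`) and keeps only `generate-snyk-file`; if rat-check is wired elsewhere on 5.0 that is fine, but nothing in the hunk or the commit message says so, and the target's body continues outside the hunk. Stating it in the merge commit message or in an `<!-- rat-check is run separately on this branch -->` comment next to the depends attribute would make the divergence from 4.1 deliberate rather than silent.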