This is an automated email from the ASF dual-hosted git repository. mck pushed a commit to branch cassandra-4.0 in repository https://gitbox.apache.org/repos/asf/cassandra.git
The following commit(s) were added to refs/heads/cassandra-4.0 by this push:
     new e2a881959b ninja-fix – python2 compat on .build/generate-snyk-file
e2a881959b is described below

commit e2a881959babc1ddf52821b55cbf940d58857e7c
Author: Mick Semb Wever <m...@apache.org>
AuthorDate: Sun Mar 30 10:58:07 2025 +0200

    ninja-fix – python2 compat on .build/generate-snyk-file

    debian packaging still uses python2 redhat packaging clobbers the exec bit on git clones
---
 .build/build-owasp.xml    |  1 +
 .build/generate-snyk-file | 12 ++++++------
 .snyk                     | 44 ++++++++++++++++++++++++--------------------
 3 files changed, 31 insertions(+), 26 deletions(-)

diff --git a/.build/build-owasp.xml b/.build/build-owasp.xml
index d4b44c897b..3b4a5a6298 100644
--- a/.build/build-owasp.xml
+++ b/.build/build-owasp.xml
@@ -113,6 +113,7 @@
     </target>
 
     <target name="generate-snyk-file" unless="ant.gen-snyk.skip">
+        <chmod file="${basedir}/.build/generate-snyk-file" perm="+x"/>
         <exec executable="${basedir}/.build/generate-snyk-file" failonerror="true"/>
     </target>
 </project>
diff --git a/.build/generate-snyk-file b/.build/generate-snyk-file
index bf9255ffd5..8c556abf62 100755
--- a/.build/generate-snyk-file
+++ b/.build/generate-snyk-file
@@ -25,7 +25,7 @@ import os
 
 script_dir = os.path.dirname(os.path.abspath(__file__))
 
-with open(os.path.join(script_dir, "dependency-check-suppressions.xml"), "r", encoding="utf-8") as f:
+with open(os.path.join(script_dir, "dependency-check-suppressions.xml"), "r") as f:
     xml_lines = [line.strip() for line in f.readlines()]
 
 snyk_data = {"ignore": {}}
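Review bot: The new `<chmod perm="+x">` makes the generate-snyk-file target depend on the checkout honouring the exec bit and on the script's shebang resolving inside the packaging environment, which is the very thing the commit message says redhat packaging clobbers; it also mutates the source tree as a side effect of a build. Naming the interpreter in the `<exec>` avoids both: `<exec executable="python" failonerror="true"><arg value="${basedir}/.build/generate-snyk-file"/></exec>` — with whichever interpreter name the debian (python2, per the commit message) and redhat build images actually provide, which this hunk does not show. If the chmod is kept, a short comment above it saying why it is needed (`<!-- rpm packaging drops the exec bit on git clones -->`) would stop the next reader from removing it as redundant.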
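Review bot: Dropping `encoding="utf-8"` from the `open()` on line 28 means that on Python 3 the suppressions XML is now decoded with the locale encoding, so a non-ASCII character in a suppression comment raises UnicodeDecodeError (or is silently mis-decoded into the generated reason) in a C/POSIX-locale build container. `io.open` keeps the explicit encoding and exists on both Python 2 and 3: `import io` next to `import os`, then `with io.open(os.path.join(script_dir, "dependency-check-suppressions.xml"), "r", encoding="utf-8") as f:`. The same applies to the `open(..., "w")` that writes .snyk later in the file; note that on Python 2 `io.open` text files take and return `unicode`, so the write side would also need `from __future__ import unicode_literals` (or `u""` literals) for the `snyk_file.write(...)` calls to work there.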
@@ -53,7 +53,7 @@ while i < len(xml_lines):
         if "</suppress>" in xml_lines[i]:
             break
         i += 1
-    reason = f"{last_comment} -- {packages}" if last_comment else "Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml"
+    reason = (last_comment + " -- " + packages) if last_comment else "Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml"
 
     # Add suppressions
     for cve_id in cve_ids:
@@ -67,9 +67,9 @@ with open(os.path.join(script_dir, "../.snyk"), "w") as snyk_file:
     snyk_file.write("# Snyk (https://snyk.io) policy file, provides ignores for known false positives.\n")
     snyk_file.write("# This file is autogenerated from .build/dependency-check-suppressions.xml\n")
     snyk_file.write("version: v1.25.0\n")
-    snyk_file.write(f"ignore:\n")
-    for cve_id, ignores in snyk_data["ignore"].items():
-        snyk_file.write(f" {cve_id}:\n")
+    snyk_file.write("ignore:\n")
+    for cve_id, ignores in sorted(snyk_data["ignore"].items()):
+        snyk_file.write(" {}:\n".format(cve_id))
         for ignore in ignores:
-            snyk_file.write(f" - reason: {ignore['reason']}\n")
+            snyk_file.write(" - reason: {}\n".format(ignore['reason']))
diff --git a/.snyk b/.snyk
index 68d9a43e94..66d72fb74c 100644
--- a/.snyk
+++ b/.snyk
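Review bot: The fallback branch of the `reason =` line still lets a `<suppress>` entry with no preceding comment turn into a Snyk ignore whose only justification is "Suppressed due to internal review", which is exactly what the regenerated .snyk in this commit shows for CVE-2024-12798 and CVE-2024-12801 while every other entry names a ticket or a concrete non-applicability argument. A suppression without a stated reason is an unauditable security decision, so the generator should at least flag it: `if not last_comment:` / `    sys.stderr.write("WARNING: no comment for suppression of {}\n".format(", ".join(cve_ids)))` before the `reason =` line, with `import sys` at the top (or raise, if the project wants the build to enforce it). Whether `last_comment` is taken from an XML comment preceding the element is not visible in this hunk, so the wording of the warning may need adjusting. The enclosing `while` loop starts before the hunk and continues past it.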
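Review bot: The `reason` value on the last line of the hunk is emitted as an unquoted YAML plain scalar, so a suppression comment containing `: ` or ` #`, or starting with an indicator such as `*`, `&`, `[` or `-`, would produce a `.snyk` that Snyk parses differently or rejects, and an ignore would silently stop applying; the existing reasons only work because none of them happens to contain those sequences. Serialising the reason as a JSON string makes it a valid double-quoted YAML scalar regardless of content: `snyk_file.write(" - reason: {}\n".format(json.dumps(ignore['reason'])))` with `import json` added next to `import os` (stdlib on both Python 2 and 3, and `ensure_ascii` keeps the output 7-bit). The switch to `sorted()` is a good change since it makes the generated file reproducible. The enclosing `with` block opens at the hunk header and the inner `for` loop ends inside the hunk.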
@@ -2,24 +2,8 @@
 # This file is autogenerated from .build/dependency-check-suppressions.xml
 version: v1.25.0
 ignore:
-  CVE-2022-1471:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-25857:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-38749:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-38750:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-38751:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-38752:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
-  CVE-2022-41854:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
   CVE-2020-8908:
     - reason: not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -- ^pkg:maven/com\.google\.guava/guava@.*$
-  CVE-2023-2976:
-    - reason: not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -- ^pkg:maven/com\.google\.guava/guava@.*$
   CVE-2021-21290:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
   CVE-2021-21295:
@@ -32,19 +16,39 @@ ignore:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
   CVE-2021-43797:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
+  CVE-2022-1471:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
   CVE-2022-24823:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
+  CVE-2022-25857:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
+  CVE-2022-38749:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
+  CVE-2022-38750:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
+  CVE-2022-38751:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
+  CVE-2022-38752:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
+  CVE-2022-41854:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
   CVE-2022-41881:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
-  CVE-2023-34462:
-    - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
-  CVE-2023-44487:
-    - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
   CVE-2022-42003:
     - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
   CVE-2022-42004:
     - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
+  CVE-2023-2976:
+    - reason: not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -- ^pkg:maven/com\.google\.guava/guava@.*$
+  CVE-2023-34462:
+    - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
   CVE-2023-35116:
     - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
+  CVE-2023-44487:
+    - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
   CVE-2023-6378:
     - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml
+  CVE-2024-12798:
+    - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml
+  CVE-2024-12801:
+    - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org