[ https://issues.apache.org/jira/browse/CASSANDRA-20501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17939759#comment-17939759 ]
Stefan Miklosovic edited comment on CASSANDRA-20501 at 3/31/25 5:39 PM:
------------------------------------------------------------------------

Updating it to 12.1.0, to have something usable as 10.x does not work anymore, yields these problems:

trunk
{code}
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':

cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-resolver/pom.xml (pkg:maven/io.netty/netty-resolver@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml (pkg:maven/io.netty/netty-transport-classes-epoll@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml (pkg:maven/io.netty/netty-transport-native-unix-common@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
netty-common-4.1.113.Final.jar (pkg:maven/io.netty/netty-common@4.1.113.Final, cpe:2.3:a:netty:netty:4.1.113:*:*:*:*:*:*:*): CVE-2025-25193, CVE-2024-47535
netty-handler-4.1.113.Final.jar (pkg:maven/io.netty/netty-handler@4.1.113.Final, cpe:2.3:a:netty:netty:4.1.113:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2025-25193
netty-transport-4.1.113.Final.jar (pkg:maven/io.netty/netty-transport@4.1.113.Final, cpe:2.3:a:netty:netty:4.1.113:*:*:*:*:*:*:*): CVE-2025-25193
{code}

5.0
{code}
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':

cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-resolver/pom.xml (pkg:maven/io.netty/netty-resolver@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml (pkg:maven/io.netty/netty-transport-classes-epoll@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml (pkg:maven/io.netty/netty-transport-native-unix-common@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
netty-common-4.1.96.Final.jar (pkg:maven/io.netty/netty-common@4.1.96.Final, cpe:2.3:a:netty:netty:4.1.96:*:*:*:*:*:*:*): CVE-2025-25193, CVE-2024-47535
netty-handler-4.1.96.Final.jar (pkg:maven/io.netty/netty-handler@4.1.96.Final, cpe:2.3:a:netty:netty:4.1.96:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2025-25193
netty-transport-4.1.96.Final.jar (pkg:maven/io.netty/netty-transport@4.1.96.Final, cpe:2.3:a:netty:netty:4.1.96:*:*:*:*:*:*:*): CVE-2025-25193

See the dependency-check report for more details.
{code}

For 4.x, we need to build it with Java 11; Java 8 is not supported with 12.1.0. I do not think this is a fundamental problem, as we are not running the dependency-check target in the pipeline anyway, and if it requires running it with Java 11 while executing it manually, so be it ...

4.1
{code}
ant realclean -Duse.jdk11=true && ant dependency-check -Duse.jdk11=true
{code}
{code}
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':

netty-all-4.1.58.Final.jar (pkg:maven/io.netty/netty-all@4.1.58.Final, cpe:2.3:a:netty:netty:4.1.58:*:*:*:*:*:*:*): CVE-2025-25193
{code}

4.0
{code}
ant realclean -Duse.jdk11=true && ant dependency-check -Duse.jdk11=true
{code}
{code}
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':

netty-all-4.1.58.Final.jar (pkg:maven/io.netty/netty-all@4.1.58.Final, cpe:2.3:a:netty:netty:4.1.58:*:*:*:*:*:*:*): CVE-2025-25193
{code}

For 3.0 / 3.11 we are truly done.
10.x does not work anymore and 11.x is impossible to run with 8, while 3.x does not work with Java 11.

I suggest updating to 12.1.0 in 4.0, 4.1, 5.0 and trunk; then, in the next ticket, we will go over the dependencies and suppress / address the vulnerabilities. I do not want to mix the task of updating the check with the task of suppressing it in one ticket. [~brandon.williams] how does that sound?

> Update to latest dependency-check to fix incompatibility with new data feed
> format
> ----------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-20501
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20501
>             Project: Apache Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Doug Rohrer
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x, 5.x
>
>         Attachments: dependency-check-fix.patch
>
>
> The dependency-check task at the version we have is broken due to a change in
> the format of the data from NVD. See
> [https://github.com/dependency-check/DependencyCheck/issues/7463] for more
> information on the need for this change.
>
> Update to latest (12.1.0, from the new location at
> [https://github.com/dependency-check/DependencyCheck/] as it also moved to a
> GitHub org).
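A small parser for the Dependency-Check failure lines quoted in the comment above, added here as an example and not part of the ticket or of the Cassandra build. It takes three of the trunk findings as a constructed inline sample and sorts each CVE by whether it comes from a direct jar or from a pom bundled inside the shaded driver jar, which is the split a suppress-or-upgrade triage in the follow-up ticket would need (a direct jar can be bumped; a bundled copy needs the driver updated or a suppression entry).

```python
import re
from collections import defaultdict

# Constructed sample: three findings copied from the trunk output quoted in the
# comment above, one finding per line as dependency-check prints them.
TRUNK_REPORT = """\
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':

cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-resolver/pom.xml (pkg:maven/io.netty/netty-resolver@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
netty-common-4.1.113.Final.jar (pkg:maven/io.netty/netty-common@4.1.113.Final, cpe:2.3:a:netty:netty:4.1.113:*:*:*:*:*:*:*): CVE-2025-25193, CVE-2024-47535
netty-handler-4.1.113.Final.jar (pkg:maven/io.netty/netty-handler@4.1.113.Final, cpe:2.3:a:netty:netty:4.1.113:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2025-25193
"""

# <artifact> (<purl>, <cpe>): CVE-..., CVE-...
FINDING_RE = re.compile(
    r"^(?P<artifact>\S+) \((?P<purl>pkg:maven/[^,]+), (?P<cpe>cpe:[^)]+)\): "
    r"(?P<cves>CVE-[\d-]+(?:, CVE-[\d-]+)*)$"
)


def parse_findings(report):
    """Return one dict per finding line: artifact, purl, cpe, cves and a
    'shaded' flag that is True when the match came from a pom.xml inside a
    shaded jar, i.e. a copy bundled by another dependency."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue  # header, blank and "See the report" lines carry no finding
        findings.append({
            "artifact": m["artifact"],
            "purl": m["purl"],
            "cpe": m["cpe"],
            "cves": m["cves"].split(", "),
            "shaded": "-shaded.jar/META-INF/" in m["artifact"],
        })
    return findings


def cves_by_artifact_kind(findings):
    """Map each CVE to the direct jars and the shaded (bundled) copies that
    carry it, so triage can see which entries a plain version bump fixes."""
    out = defaultdict(lambda: {"direct": set(), "shaded": set()})
    for f in findings:
        for cve in f["cves"]:
            out[cve]["shaded" if f["shaded"] else "direct"].add(f["purl"])
    return {cve: {k: sorted(v) for k, v in d.items()} for cve, d in out.items()}
```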