[ 
https://issues.apache.org/jira/browse/CASSANDRA-20501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17939759#comment-17939759
 ] 

Stefan Miklosovic commented on CASSANDRA-20501:
-----------------------------------------------

Updating it to 12.1.0 to have something usable, as 10.x does not work anymore, yields these problems:

trunk 

{code}
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-resolver/pom.xml (pkg:maven/io.netty/netty-resolver@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml (pkg:maven/io.netty/netty-transport-classes-epoll@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml (pkg:maven/io.netty/netty-transport-native-unix-common@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
netty-common-4.1.113.Final.jar (pkg:maven/io.netty/netty-common@4.1.113.Final, cpe:2.3:a:netty:netty:4.1.113:*:*:*:*:*:*:*): CVE-2025-25193, CVE-2024-47535
netty-handler-4.1.113.Final.jar (pkg:maven/io.netty/netty-handler@4.1.113.Final, cpe:2.3:a:netty:netty:4.1.113:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2025-25193
netty-transport-4.1.113.Final.jar (pkg:maven/io.netty/netty-transport@4.1.113.Final, cpe:2.3:a:netty:netty:4.1.113:*:*:*:*:*:*:*): CVE-2025-25193
{code}


5.0

{code}
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-resolver/pom.xml (pkg:maven/io.netty/netty-resolver@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml (pkg:maven/io.netty/netty-transport-classes-epoll@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
cassandra-driver-core-3.11.5-shaded.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml (pkg:maven/io.netty/netty-transport-native-unix-common@4.1.94.Final, cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-25193
netty-common-4.1.96.Final.jar (pkg:maven/io.netty/netty-common@4.1.96.Final, cpe:2.3:a:netty:netty:4.1.96:*:*:*:*:*:*:*): CVE-2025-25193, CVE-2024-47535
netty-handler-4.1.96.Final.jar (pkg:maven/io.netty/netty-handler@4.1.96.Final, cpe:2.3:a:netty:netty:4.1.96:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2025-25193
netty-transport-4.1.96.Final.jar (pkg:maven/io.netty/netty-transport@4.1.96.Final, cpe:2.3:a:netty:netty:4.1.96:*:*:*:*:*:*:*): CVE-2025-25193
See the dependency-check report for more details.
{code}

For 4.x, we need to build it with Java 11; Java 8 is not supported with 12.1.0. I do not think this is a fundamental problem, as we are not running the dependency-check target in the pipeline anyway, and if it requires running it with Java 11 when executing it manually, so be it ...

4.1

{code}
ant realclean -Duse.jdk11=true && ant dependency-check -Duse.jdk11=true
{code}

{code}
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':
netty-all-4.1.58.Final.jar (pkg:maven/io.netty/netty-all@4.1.58.Final, cpe:2.3:a:netty:netty:4.1.58:*:*:*:*:*:*:*): CVE-2025-25193
{code}

4.0

{code}
ant realclean -Duse.jdk11=true && ant dependency-check -Duse.jdk11=true
{code}

{code}
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '1.0':
netty-all-4.1.58.Final.jar (pkg:maven/io.netty/netty-all@4.1.58.Final, cpe:2.3:a:netty:netty:4.1.58:*:*:*:*:*:*:*): CVE-2025-25193
{code}

For 3.0 / 3.11 we are truly done. 10.x does not work anymore, and 11.x is impossible to run with 8, while 3.x does not work with Java 11.

> Update to latest dependency-check to fix incompatibility with new data feed 
> format
> ----------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-20501
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20501
>             Project: Apache Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Doug Rohrer
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x, 5.x
>
>         Attachments: dependency-check-fix.patch
>
>
> The dependency-check task at the version we have is broken due to a change in 
> the format of the data from NVD. See 
> [https://github.com/dependency-check/DependencyCheck/issues/7463] for more 
> information on the need for this change.
>  
> Update to latest (12.1.0, from the new location at 
> [https://github.com/dependency-check/DependencyCheck/] as it also moved to a 
> GitHub org).
>  


