This is an automated email from the ASF dual-hosted git repository.
mck pushed a commit to branch cassandra-4.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git
The following commit(s) were added to refs/heads/cassandra-4.0 by this push:
new 9abed87ba4 Autogenerate toplevel .snyk file from owasp suppressions
9abed87ba4 is described below
commit 9abed87ba4674864bb772bf6c8a0fdb2285b50c7
Author: Mick Semb Wever <[email protected]>
AuthorDate: Wed Feb 12 18:33:44 2025 +0100
Autogenerate toplevel .snyk file from owasp suppressions
patch by Mick Semb Wever; reviewed by Brandon Williams for CASSANDRA-20319
---
.build/build-owasp.xml | 3 ++
.build/build-rat.xml | 1 +
.build/generate-snyk-file | 75 +++++++++++++++++++++++++++++++++++++++++
.snyk | 50 +++++++++++++++++++++++++++
CHANGES.txt | 1 +
build.xml | 3 +-
debian/rules | 2 +-
redhat/cassandra.spec | 2 +-
redhat/noboolean/cassandra.spec | 2 +-
9 files changed, 135 insertions(+), 4 deletions(-)
diff --git a/.build/build-owasp.xml b/.build/build-owasp.xml
index 35da8fdac7..d4b44c897b 100644
--- a/.build/build-owasp.xml
+++ b/.build/build-owasp.xml
@@ -112,4 +112,7 @@
<antcall target="-run-owasp-scan" inheritrefs="true"
inheritall="true"/>
</target>
+ <target name="generate-snyk-file" unless="ant.gen-snyk.skip">
+ <exec executable="${basedir}/.build/generate-snyk-file"
failonerror="true"/>
+ </target>
</project>
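Review bot: The new `exec` runs `${basedir}/.build/generate-snyk-file` directly, so it depends on the script's `#!/usr/bin/env python` shebang resolving to an interpreter that supports the f-strings the script uses (Python 3.6+); on hosts where `python` is absent or still Python 2 the target fails, and because build.xml in this same commit adds `generate-snyk-file` to `build-project`'s `depends`, that breaks every build unless `ant.gen-snyk.skip` is set. Invoking the interpreter explicitly avoids that: `<exec executable="python3" failonerror="true">` / `<arg value="${basedir}/.build/generate-snyk-file"/>` / `</exec>`. A one-line comment above the target saying that it rewrites the tracked toplevel `.snyk` on every build, so a stale committed copy surfaces as a working-tree diff, would also help the next reader.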
diff --git a/.build/build-rat.xml b/.build/build-rat.xml
index 09c7fd2041..210112da55 100644
--- a/.build/build-rat.xml
+++ b/.build/build-rat.xml
@@ -42,6 +42,7 @@
<fileset dir="." includesfile="${build.dir}/.ratinclude">
<!-- Config files with not much creativity -->
<exclude name=".asf.yaml"/>
+ <exclude name=".snyk"/>
<exclude name="**/cassandra*.yaml"/>
<exclude name="conf/metrics-reporter-config-sample.yaml"/>
<exclude NAME="doc/antora.yml"/>
diff --git a/.build/generate-snyk-file b/.build/generate-snyk-file
new file mode 100755
index 0000000000..bf9255ffd5
--- /dev/null
+++ b/.build/generate-snyk-file
@@ -0,0 +1,75 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""
+Regenerates the toplevel .snyk file from the dependency-check-suppressions.xml
found in this directory.
+"""
+
+import re
+import os
+
+
+script_dir = os.path.dirname(os.path.abspath(__file__))
+with open(os.path.join(script_dir, "dependency-check-suppressions.xml"), "r",
encoding="utf-8") as f:
+ xml_lines = [line.strip() for line in f.readlines()]
+
+snyk_data = {"ignore": {}}
+
+# Parse XML (keeping track of comments)
+last_comment = None
+i = 0
+while i < len(xml_lines):
+ # Detect XML comments (these contain the suppression reason)
+ if xml_lines[i].startswith("<!--") and xml_lines[i].endswith("-->"):
+ last_comment = xml_lines[i][4:-3].strip()
+
+ # Collect CVE suppressions
+ if "<suppress>" in xml_lines[i]:
+ cve_ids = []
+ packages = ''
+ i += 1
+ while i < len(xml_lines):
+ if xml_lines[i].startswith("<!--") and
xml_lines[i].endswith("-->"):
+ last_comment = xml_lines[i][4:-3].strip()
+ if "<cve>" in xml_lines[i] and "</cve>" in xml_lines[i]:
+ cve_ids.append(xml_lines[i].strip().replace("<cve>",
"").replace("</cve>", "").strip())
+ if "<packageUrl" in xml_lines[i] and "</packageUrl>" in
xml_lines[i]:
+ packages = re.sub(r'<packageUrl(?:
regex="(?:true|false)")?>|</packageUrl>', '', xml_lines[i]).strip()
+ if "</suppress>" in xml_lines[i]:
+ break
+ i += 1
+ reason = f"{last_comment} -- {packages}" if last_comment else
"Suppressed due to internal review, see project's
.build/dependency-check-suppressions.xml"
+
+ # Add suppressions
+ for cve_id in cve_ids:
+ snyk_data["ignore"][cve_id] = [{"reason": reason}]
+
+ last_comment = None
+ else:
+ i += 1
+
+with open(os.path.join(script_dir, "../.snyk"), "w") as snyk_file:
+ snyk_file.write("# Snyk (https://snyk.io) policy file, provides ignores
for known false positives.\n")
+ snyk_file.write("# This file is autogenerated from
.build/dependency-check-suppressions.xml\n")
+ snyk_file.write("version: v1.25.0\n")
+ snyk_file.write(f"ignore:\n")
+ for cve_id, ignores in snyk_data["ignore"].items():
+ snyk_file.write(f" {cve_id}:\n")
+ for ignore in ignores:
+ snyk_file.write(f" - reason: {ignore['reason']}\n")
+
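Review bot: The final `- reason:` write emits the suppression comment as a bare YAML scalar, so a comment containing `: `, ` #`, or a leading `*`, `&`, `[` or quote character would produce a misparsed or invalid `.snyk`; write it as `snyk_file.write(f"   - reason: {json.dumps(ignore['reason'])}\n")` (a JSON string is a valid double-quoted YAML scalar, `import json` needed) and open the output with `encoding="utf-8"` to match the read. Separately, the OWASP suppressions are scoped by the `<packageUrl>` regex, but the generated ignore is keyed on the CVE id alone with the package pattern kept only as reason text, so the CVE is ignored for every dependency Snyk sees — for an id shared across products (CVE-2023-44487 is suppressed only for netty-all in the source file) a later, genuinely affected dependency would be silently hidden. Snyk's documented ignore entries nest `reason` and an optional `expires` under a path pattern such as `'*'`; I have not verified that the path-less `- reason:` form here is accepted, and emitting a path scope and an expiry would make these ignores get re-examined rather than persist indefinitely. The module docstring should also state that the parser is line-based and only recognises single-line `<!-- -->` comments and `<cve>`/`<packageUrl>` elements, so multi-line elements in the suppression file are dropped without any warning.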
diff --git a/.snyk b/.snyk
new file mode 100644
index 0000000000..68d9a43e94
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,50 @@
+# Snyk (https://snyk.io) policy file, provides ignores for known false
positives.
+# This file is autogenerated from .build/dependency-check-suppressions.xml
+version: v1.25.0
+ignore:
+ CVE-2022-1471:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 --
^pkg:maven/org\.yaml/snakeyaml@.*$
+ CVE-2022-25857:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 --
^pkg:maven/org\.yaml/snakeyaml@.*$
+ CVE-2022-38749:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 --
^pkg:maven/org\.yaml/snakeyaml@.*$
+ CVE-2022-38750:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 --
^pkg:maven/org\.yaml/snakeyaml@.*$
+ CVE-2022-38751:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 --
^pkg:maven/org\.yaml/snakeyaml@.*$
+ CVE-2022-38752:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 --
^pkg:maven/org\.yaml/snakeyaml@.*$
+ CVE-2022-41854:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 --
^pkg:maven/org\.yaml/snakeyaml@.*$
+ CVE-2020-8908:
+ - reason: not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 --
^pkg:maven/com\.google\.guava/guava@.*$
+ CVE-2023-2976:
+ - reason: not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 --
^pkg:maven/com\.google\.guava/guava@.*$
+ CVE-2021-21290:
+ - reason: netty's http stuff is not applicable here --
^pkg:maven/io\.netty/netty\-all@.*$
+ CVE-2021-21295:
+ - reason: netty's http stuff is not applicable here --
^pkg:maven/io\.netty/netty\-all@.*$
+ CVE-2021-21409:
+ - reason: netty's http stuff is not applicable here --
^pkg:maven/io\.netty/netty\-all@.*$
+ CVE-2021-37136:
+ - reason: netty's http stuff is not applicable here --
^pkg:maven/io\.netty/netty\-all@.*$
+ CVE-2021-37137:
+ - reason: netty's http stuff is not applicable here --
^pkg:maven/io\.netty/netty\-all@.*$
+ CVE-2021-43797:
+ - reason: netty's http stuff is not applicable here --
^pkg:maven/io\.netty/netty\-all@.*$
+ CVE-2022-24823:
+ - reason: netty's http stuff is not applicable here --
^pkg:maven/io\.netty/netty\-all@.*$
+ CVE-2022-41881:
+ - reason: netty's http stuff is not applicable here --
^pkg:maven/io\.netty/netty\-all@.*$
+ CVE-2023-34462:
+ - reason: netty's http stuff is not applicable here --
^pkg:maven/io\.netty/netty\-all@.*$
+ CVE-2023-44487:
+ - reason: netty's http stuff is not applicable here --
^pkg:maven/io\.netty/netty\-all@.*$
+ CVE-2022-42003:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 --
^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
+ CVE-2022-42004:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 --
^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
+ CVE-2023-35116:
+ - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 --
^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
+ CVE-2023-6378:
+ - reason: Suppressed due to internal review, see project's
.build/dependency-check-suppressions.xml
diff --git a/CHANGES.txt b/CHANGES.txt
index a8a6062366..a1d17c3e5f 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
4.0.18
+ * Include in source tree and build packages a Snyk policy file that lists
known false positives (CASSANDRA-20319)
* Update zstd-jni to 1.5.7-2 (CASSANDRA-20453)
* Suppress CVE-2024-12801 (CASSANDRA-20412)
* Suppress CVE-2024-12798 (CASSANDRA-20408)
diff --git a/build.xml b/build.xml
index 59749daa57..313a8caabb 100644
--- a/build.xml
+++ b/build.xml
@@ -943,7 +943,7 @@
</javac>
</target>
- <target
depends="init,gen-cql3-grammar,generate-cql-html,generate-jflex-java,rat-check"
+ <target
depends="init,gen-cql3-grammar,generate-cql-html,generate-jflex-java,rat-check,generate-snyk-file"
name="build-project">
<echo message="${ant.project.name}: ${ant.file}"/>
<!-- Order matters! -->
@@ -1177,6 +1177,7 @@
<copy todir="${dist.dir}/">
<fileset dir="${basedir}">
<include name="*.txt" />
+ <include name=".snyk" />
</fileset>
</copy>
<copy todir="${dist.dir}/tools/bin">
diff --git a/debian/rules b/debian/rules
index 81812b1806..4923058537 100755
--- a/debian/rules
+++ b/debian/rules
@@ -82,7 +82,7 @@ binary-indep: build install
dh_testroot
dh_installchangelogs
dh_installinit -u'start 50 2 3 4 5 . stop 50 0 1 6 .'
- dh_installdocs README.asc CHANGES.txt NEWS.txt doc/cql3/CQL.css
doc/cql3/CQL.html CASSANDRA-14092.txt
+ dh_installdocs README.asc CHANGES.txt NEWS.txt doc/cql3/CQL.css
doc/cql3/CQL.html CASSANDRA-14092.txt .snyk
dh_installexamples tools/*.yaml
dh_bash-completion
dh_compress
diff --git a/redhat/cassandra.spec b/redhat/cassandra.spec
index 775aa2a208..a9fc164643 100644
--- a/redhat/cassandra.spec
+++ b/redhat/cassandra.spec
@@ -137,7 +137,7 @@ exit 0
%files
%defattr(0644,root,root,0755)
-%doc CHANGES.txt LICENSE.txt README.asc NEWS.txt NOTICE.txt CASSANDRA-14092.txt
+%doc CHANGES.txt LICENSE.txt README.asc NEWS.txt NOTICE.txt
CASSANDRA-14092.txt .snyk
%attr(755,root,root) %{_bindir}/auditlogviewer
%attr(755,root,root) %{_bindir}/jmxtool
%attr(755,root,root) %{_bindir}/cassandra-stress
diff --git a/redhat/noboolean/cassandra.spec b/redhat/noboolean/cassandra.spec
index 269d9993a3..d3166e56b8 100644
--- a/redhat/noboolean/cassandra.spec
+++ b/redhat/noboolean/cassandra.spec
@@ -140,7 +140,7 @@ exit 0
%files
%defattr(0644,root,root,0755)
-%doc CHANGES.txt LICENSE.txt README.asc NEWS.txt NOTICE.txt CASSANDRA-14092.txt
+%doc CHANGES.txt LICENSE.txt README.asc NEWS.txt NOTICE.txt
CASSANDRA-14092.txt .snyk
%attr(755,root,root) %{_bindir}/auditlogviewer
%attr(755,root,root) %{_bindir}/jmxtool
%attr(755,root,root) %{_bindir}/cassandra-stress