Cassandra: Security vulnerabilities in dependencies #2225

Closed
patriknw opened this issue Mar 23, 2020 · 5 comments
@patriknw
Member

Security vulnerabilities reported in Whitesource for netty-all-4.1.39.Final and jackson-core-asl-1.9.12

It's strange that we have both netty-all 4.1.39 and other netty dependencies of version 4.1.45.

jackson-core-asl is via java-driver-core / esri-geometry-api

cc @ennru, I guess the same problem exists in Alpakka Cassandra.

@patriknw patriknw transferred this issue from akka/akka-persistence-cassandra Mar 23, 2020
@ennru ennru changed the title Security vulnerabilities in dependencies Cassandra: Security vulnerabilities in dependencies Mar 23, 2020
@ennru
Member

ennru commented Mar 23, 2020

#2227 fixes the Netty mess.

@patriknw
Member Author

@ennru Shall we try to run tests when excluding esri-geometry-api dependency? Looks like a rather optional feature (probably only needed for DSE). https://github.com/Esri/geometry-api-java

@ennru
Member

ennru commented Mar 25, 2020

I looked more into it and ended up excluding all the org.apache.tinkerpop dependencies and the com.esri.geometry dependency.
Furthermore, I added Jackson Databind 2.10.3 explicitly to align with Akka 2.6.

[info] com.lightbend.akka:akka-stream-alpakka-cassandra_2.12:2.0.0-RC1+4-61cbef2b+20200325-0920 [S]
[info]   +-com.datastax.oss:java-driver-core:4.5.1
[info]   | +-com.datastax.oss:java-driver-shaded-guava:25.1-jre
[info]   | +-com.datastax.oss:native-protocol:1.4.9
[info]   | +-com.fasterxml.jackson.core:jackson-core:2.10.0 (evicted by: 2.10.3)
[info]   | +-com.fasterxml.jackson.core:jackson-databind:2.10.0 (evicted by: 2.10.3)
[info]   | +-com.github.jnr:jnr-ffi:2.1.10
[info]   | | +-com.github.jnr:jffi:1.2.19
[info]   | | +-com.github.jnr:jnr-a64asm:1.0.0
[info]   | | +-com.github.jnr:jnr-x86asm:1.0.2
[info]   | | +-org.ow2.asm:asm-analysis:7.1
[info]   | | | +-org.ow2.asm:asm-tree:7.1
[info]   | | |   +-org.ow2.asm:asm:7.1
[info]   | | |
[info]   | | +-org.ow2.asm:asm-commons:7.1
[info]   | | | +-org.ow2.asm:asm-analysis:7.1
[info]   | | | | +-org.ow2.asm:asm-tree:7.1
[info]   | | | |   +-org.ow2.asm:asm:7.1
[info]   | | | |
[info]   | | | +-org.ow2.asm:asm-tree:7.1
[info]   | | | | +-org.ow2.asm:asm:7.1
[info]   | | | |
[info]   | | | +-org.ow2.asm:asm:7.1
[info]   | | |
[info]   | | +-org.ow2.asm:asm-tree:7.1
[info]   | | | +-org.ow2.asm:asm:7.1
[info]   | | |
[info]   | | +-org.ow2.asm:asm-util:7.1
[info]   | | | +-org.ow2.asm:asm-analysis:7.1
[info]   | | | | +-org.ow2.asm:asm-tree:7.1
[info]   | | | |   +-org.ow2.asm:asm:7.1
[info]   | | | |
[info]   | | | +-org.ow2.asm:asm-tree:7.1
[info]   | | | | +-org.ow2.asm:asm:7.1
[info]   | | | |
[info]   | | | +-org.ow2.asm:asm:7.1
[info]   | | |
[info]   | | +-org.ow2.asm:asm:7.1
[info]   | |
[info]   | +-com.github.jnr:jnr-posix:3.0.50
[info]   | | +-com.github.jnr:jnr-constants:0.9.12
[info]   | | +-com.github.jnr:jnr-ffi:2.1.10
[info]   | |   +-com.github.jnr:jffi:1.2.19
[info]   | |   +-com.github.jnr:jnr-a64asm:1.0.0
[info]   | |   +-com.github.jnr:jnr-x86asm:1.0.2
[info]   | |   +-org.ow2.asm:asm-analysis:7.1
[info]   | |   | +-org.ow2.asm:asm-tree:7.1
[info]   | |   |   +-org.ow2.asm:asm:7.1
[info]   | |   |
[info]   | |   +-org.ow2.asm:asm-commons:7.1
[info]   | |   | +-org.ow2.asm:asm-analysis:7.1
[info]   | |   | | +-org.ow2.asm:asm-tree:7.1
[info]   | |   | |   +-org.ow2.asm:asm:7.1
[info]   | |   | |
[info]   | |   | +-org.ow2.asm:asm-tree:7.1
[info]   | |   | | +-org.ow2.asm:asm:7.1
[info]   | |   | |
[info]   | |   | +-org.ow2.asm:asm:7.1
[info]   | |   |
[info]   | |   +-org.ow2.asm:asm-tree:7.1
[info]   | |   | +-org.ow2.asm:asm:7.1
[info]   | |   |
[info]   | |   +-org.ow2.asm:asm-util:7.1
[info]   | |   | +-org.ow2.asm:asm-analysis:7.1
[info]   | |   | | +-org.ow2.asm:asm-tree:7.1
[info]   | |   | |   +-org.ow2.asm:asm:7.1
[info]   | |   | |
[info]   | |   | +-org.ow2.asm:asm-tree:7.1
[info]   | |   | | +-org.ow2.asm:asm:7.1
[info]   | |   | |
[info]   | |   | +-org.ow2.asm:asm:7.1
[info]   | |   |
[info]   | |   +-org.ow2.asm:asm:7.1
[info]   | |
[info]   | +-com.github.stephenc.jcip:jcip-annotations:1.0-1
[info]   | +-com.typesafe:config:1.3.4
[info]   | +-io.dropwizard.metrics:metrics-core:4.0.5
[info]   | | +-org.slf4j:slf4j-api:1.7.25 (evicted by: 1.7.26)
[info]   | | +-org.slf4j:slf4j-api:1.7.26
[info]   | |
[info]   | +-org.hdrhistogram:HdrHistogram:2.1.11
[info]   | +-org.javatuples:javatuples:1.2
[info]   | +-org.reactivestreams:reactive-streams:1.0.2
[info]   | +-org.slf4j:slf4j-api:1.7.26
[info]   |
[info]   +-com.fasterxml.jackson.core:jackson-core:2.10.3
[info]   +-com.fasterxml.jackson.core:jackson-databind:2.10.3
[info]   | +-com.fasterxml.jackson.core:jackson-annotations:2.10.3
[info]   |
[info]   +-com.typesafe.akka:akka-stream_2.12:2.5.30
[info]   | +-com.typesafe.akka:akka-actor_2.12:2.5.30
[info]   | | +-com.typesafe:config:1.3.3 (evicted by: 1.3.4)
[info]   | | +-com.typesafe:config:1.3.4
[info]   | | +-org.scala-lang.modules:scala-java8-compat_2.12:0.8.0
[info]   | |
[info]   | +-com.typesafe.akka:akka-protobuf_2.12:2.5.30
[info]   | +-com.typesafe:ssl-config-core_2.12:0.3.8
[info]   | | +-com.typesafe:config:1.3.3 (evicted by: 1.3.4)
[info]   | | +-com.typesafe:config:1.3.4
[info]   | | +-org.scala-lang.modules:scala-parser-combinators_2.12:1.1.2
[info]   | |
[info]   | +-org.reactivestreams:reactive-streams:1.0.2
[info]   |
[info]   +-io.netty:netty-handler:4.1.39.Final
[info]     +-io.netty:netty-buffer:4.1.39.Final
[info]     | +-io.netty:netty-common:4.1.39.Final
[info]     |
[info]     +-io.netty:netty-codec:4.1.39.Final
[info]     | +-io.netty:netty-buffer:4.1.39.Final
[info]     | | +-io.netty:netty-common:4.1.39.Final
[info]     | |
[info]     | +-io.netty:netty-common:4.1.39.Final
[info]     | +-io.netty:netty-transport:4.1.39.Final
[info]     |   +-io.netty:netty-buffer:4.1.39.Final
[info]     |   | +-io.netty:netty-common:4.1.39.Final
[info]     |   |
[info]     |   +-io.netty:netty-common:4.1.39.Final
[info]     |   +-io.netty:netty-resolver:4.1.39.Final
[info]     |     +-io.netty:netty-common:4.1.39.Final
[info]     |
[info]     +-io.netty:netty-common:4.1.39.Final
[info]     +-io.netty:netty-transport:4.1.39.Final
[info]       +-io.netty:netty-buffer:4.1.39.Final
[info]       | +-io.netty:netty-common:4.1.39.Final
[info]       |
[info]       +-io.netty:netty-common:4.1.39.Final
[info]       +-io.netty:netty-resolver:4.1.39.Final
[info]         +-io.netty:netty-common:4.1.39.Final

I'll push that to #2227
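As an added example (not code from this issue or from the Alpakka project), a small Python parser for `sbt dependencyTree` output in the format of the listing above. It lists the evictions sbt reports and flags organizations whose resolved artifacts carry more than one version, which is the situation described in the first comment (netty-all 4.1.39 beside other Netty 4.1.45 jars). The embedded tree text is a constructed excerpt, not the full listing from the comment.

```python
import re
from collections import defaultdict

# Constructed excerpt in `sbt dependencyTree` format, modelled on the listing in this
# issue but reduced to a few lines and given the mixed Netty versions from the first comment.
SAMPLE_TREE = """\
[info] com.example:app_2.12:0.1.0 [S]
[info]   +-com.datastax.oss:java-driver-core:4.5.1
[info]   | +-com.fasterxml.jackson.core:jackson-core:2.10.0 (evicted by: 2.10.3)
[info]   | +-io.netty:netty-all:4.1.39.Final
[info]   |
[info]   +-com.fasterxml.jackson.core:jackson-core:2.10.3
[info]   +-io.netty:netty-handler:4.1.45.Final
[info]     +-io.netty:netty-common:4.1.45.Final
"""

# One artifact line: "[info]", tree-drawing characters, org:name:version, optional eviction note.
LINE_RE = re.compile(
    r"^\[info\]\s+[|+\-\s]*"
    r"(?P<org>[^:\s]+):(?P<name>[^:\s]+):(?P<version>\S+)"
    r"(?:\s+\(evicted by:\s+(?P<evicted_by>[^)]+)\))?"
)


def parse_tree(text):
    """One record per artifact line (root included); connector-only lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def evictions(records):
    """(org:name, declared version, winning version) for every edge sbt evicted."""
    return [(f"{r['org']}:{r['name']}", r["version"], r["evicted_by"])
            for r in records if r["evicted_by"]]


def mixed_version_orgs(records):
    """Organizations whose resolved (non-evicted) artifacts carry more than one version.
    sbt evicts per artifact id only, so netty-all 4.1.39 and netty-handler 4.1.45 both
    stay on the classpath; that is the inconsistency reported in this issue."""
    by_org = defaultdict(set)
    for r in records:
        if not r["evicted_by"]:
            by_org[r["org"]].add(r["version"])
    return {org: sorted(vs) for org, vs in by_org.items() if len(vs) > 1}


if __name__ == "__main__":
    recs = parse_tree(SAMPLE_TREE)
    for coord, declared, winner in evictions(recs):
        print(f"evicted: {coord} {declared} -> {winner}")
    for org, versions in mixed_version_orgs(recs).items():
        print(f"mixed versions under {org}: {', '.join(versions)}")
```

Feed it the real `sbt dependencyTree` output to see both the eviction notes and any organization, Netty here, that still resolves to several versions after the fix.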

@ennru ennru added this to the 2.0.0-RC2 milestone Apr 3, 2020
@ennru
Member

ennru commented Apr 3, 2020

Fixed with #2227

@ennru ennru closed this as completed Apr 3, 2020
@patriknw
Member Author

patriknw commented Apr 3, 2020

We fixed the netty-all and jackson-core-asl problems. The Netty 4.1.39 vulnerability issue will be fixed by #2226.
