Old version of Guava dependency #223

Closed
avelanarius opened this issue Oct 20, 2023 · 0 comments · Fixed by #220
@avelanarius
Member

scylla-jmx (as of 8d15342) uses Guava in version 29.0-jre. This dependency is flagged by security scanners and should be updated.

The fix should be backported to older Scylla versions.

@denesb denesb closed this as completed in c41a381 Nov 1, 2023
denesb added a commit that referenced this issue Nov 1, 2023
… Grabowski

This PR updates several dependencies which were flagged by security
scanners. In particular:
1. Jackson dependencies: com.fasterxml.jackson.core:jackson-databind used
   in the project was vulnerable to CVE-2022-42003 and CVE-2022-42004
   ("HIGH" severity)
2. snakeyaml dependency: org.yaml:snakeyaml used in the project was
   vulnerable to CVE-2022-1471 ("CRITICAL" severity), CVE-2022-25857,
   CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752,
   CVE-2022-41854
3. Guava dependency: com.google.guava used in the project was vulnerable
   to CVE-2023-2976 ("HIGH" severity) and CVE-2020-8908

Please note that at the moment there is no reason to believe that those
dependency issues could have affected scylla-jmx itself.

This version of JMX was successfully tested through
ScyllaDB CI: scylladb/scylladb#15783 (comment)

Fixes #221
Fixes #222
Fixes #223

Closes: #220

* github.com:scylladb/scylla-jmx:
  scylla-apiclient: update Guava dependency
  scylla-apiclient: update snakeyaml dependency
  scylla-apiclient: update Jackson dependencies
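The issue and the commit message above describe the same defender-side check: find dependency coordinates in a Maven build that sit below the version in which a flagged CVE was fixed. The script below is an added example and is not scylla-jmx's own tooling. Only the Guava coordinate and its version (29.0-jre) and the CVE identifiers are taken from this page; the pom.xml fragment, the other versions and the "fixed in" thresholds are constructed for the demo and must be replaced with values from the real advisories before use.

```python
"""Flag Maven dependencies whose resolved version is below a fix threshold.

Added example (not scylla-jmx code). Handles two things a naive string
compare gets wrong: `${property}` version references, and Guava-style
qualifiers such as '-jre', where 29.0-jre must sort below 32.0.0-jre.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment. Only the Guava version (29.0-jre) comes
# from the issue report; the Jackson and snakeyaml versions are made up.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jackson.version>2.13.0</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>29.0-jre</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
      <version>2.2</version>
    </dependency>
  </dependencies>
</project>
"""

# Advisory table keyed by groupId:artifactId -> (first fixed version, CVEs).
# CVE ids are the ones named in the commit message; the version thresholds
# are constructed placeholders for the demo, not authoritative fix versions.
ADVISORIES = {
    "com.google.guava:guava":
        ("32.0.0-jre", ["CVE-2023-2976", "CVE-2020-8908"]),
    "com.fasterxml.jackson.core:jackson-databind":
        ("2.14.0", ["CVE-2022-42003", "CVE-2022-42004"]),
    "org.yaml:snakeyaml":
        ("2.0", ["CVE-2022-1471"]),
}


def version_key(version):
    """Simplified Maven ordering: numeric segments first, qualifier second.

    Trailing zero segments are insignificant (32.0 == 32.0.0). Qualifiers
    ('jre', 'android', 'rc1', ...) only break ties between equal numeric
    parts; Maven's full qualifier precedence rules are not reproduced.
    """
    head, _, qualifier = version.partition("-")
    nums = [int(p) for p in head.split(".") if p.isdigit()]
    while nums and nums[-1] == 0:
        nums.pop()
    return (nums, qualifier.lower())


def resolve(version, properties):
    """Expand a `${name}` reference against the pom's <properties> block."""
    match = re.fullmatch(r"\$\{([^}]+)\}", version)
    return properties.get(match.group(1), version) if match else version


def scan_pom(pom_xml, advisories=ADVISORIES):
    """Return (coordinate, found_version, fixed_version, cves) for every
    dependency whose resolved version sorts below its fix threshold."""
    root = ET.fromstring(pom_xml)
    props_elem = root.find("m:properties", NS)
    properties = {
        child.tag.split("}", 1)[1]: (child.text or "").strip()
        for child in (list(props_elem) if props_elem is not None else [])
    }
    findings = []
    for dep in root.iterfind("m:dependencies/m:dependency", NS):
        coord = "{}:{}".format(dep.findtext("m:groupId", "", NS).strip(),
                               dep.findtext("m:artifactId", "", NS).strip())
        version = resolve(dep.findtext("m:version", "", NS).strip(), properties)
        if coord in advisories:
            fixed, cves = advisories[coord]
            if version_key(version) < version_key(fixed):
                findings.append((coord, version, fixed, cves))
    return findings


if __name__ == "__main__":
    for coord, found, fixed, cves in scan_pom(SAMPLE_POM):
        print(f"{coord} {found} < {fixed}: {', '.join(cves)}")
```

On the constructed input the scan reports Guava and jackson-databind and leaves snakeyaml alone, which is the shape of result the commit message describes; in a real pipeline the advisory table would be fed from the scanner's output rather than typed in.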
denesb added a commit that referenced this issue Nov 23, 2023
… Grabowski

This PR updates several dependencies which were flagged by security
scanners. In particular:
1. Jackson dependencies: com.fasterxml.jackson.core:jackson-databind used
   in the project was vulnerable to CVE-2022-42003 and CVE-2022-42004
   ("HIGH" severity)
2. snakeyaml dependency: org.yaml:snakeyaml used in the project was
   vulnerable to CVE-2022-1471 ("CRITICAL" severity), CVE-2022-25857,
   CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752,
   CVE-2022-41854
3. Guava dependency: com.google.guava used in the project was vulnerable
   to CVE-2023-2976 ("HIGH" severity) and CVE-2020-8908

Please note that at the moment there is no reason to believe that those
dependency issues could have affected scylla-jmx itself.

This version of JMX was successfully tested through
ScyllaDB CI: scylladb/scylladb#15783 (comment)

Fixes #221
Fixes #222
Fixes #223

Closes: #220

* github.com:scylladb/scylla-jmx:
  scylla-apiclient: update Guava dependency
  scylla-apiclient: update snakeyaml dependency
  scylla-apiclient: update Jackson dependencies

(cherry picked from commit 05bb7b6)
denesb added a commit that referenced this issue Nov 23, 2023
denesb added a commit that referenced this issue Nov 23, 2023