Use newer hk2-locator in order to get rid of javassist (with a known vulnerable version or whatnot) #231

mykaul · 2024-01-04T15:07:23Z

See eclipse-ee4j/glassfish-hk2#30 - it's fixed in 2.5.0, and indeed, when looking at the deps:

[INFO] 
[INFO] --- dependency:2.8:tree (default-cli) @ scylla-apiclient ---
[WARNING] Parameter 'localRepository' is deprecated core expression; Avoid use of ArtifactRepository type. If you need access to local repository, switch to '${repositorySystemSession}' expression and get LRM from it instead.
[INFO] com.scylladb.jmx:scylla-apiclient:jar:1.0
[INFO] +- org.yaml:snakeyaml:jar:2.2:compile
[INFO] +- org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile
[INFO] |  +- (javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile - omitted for duplicate)
[INFO] |  +- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] |  +- org.glassfish.jersey.bundles.repackaged:jersey-guava:jar:2.22.1:compile
[INFO] |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile
[INFO] |  |  +- (org.glassfish.hk2:hk2-utils:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  |  \- (org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  +- org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile
[INFO] |  +- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.1:compile
[INFO] +- javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile
[INFO] +- javax.ws.rs:jsr311-api:jar:1.1.1:compile
[INFO] +- org.glassfish.jersey.core:jersey-client:jar:2.22.1:compile
[INFO] |  +- (javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  \- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] +- org.glassfish.hk2:hk2-locator:jar:2.5.0:compile
[INFO] |  +- org.glassfish.hk2.external:jakarta.inject:jar:2.5.0:compile
[INFO] |  +- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.5.0:compile
[INFO] |  +- (org.glassfish.hk2:hk2-api:jar:2.5.0:compile - omitted for conflict with 2.4.0-b31)
[INFO] |  +- org.glassfish.hk2:hk2-utils:jar:2.5.0:compile
[INFO] |  |  +- (jakarta.annotation:jakarta.annotation-api:jar:1.3.4:compile - omitted for duplicate)
[INFO] |  |  \- (org.glassfish.hk2.external:jakarta.inject:jar:2.5.0:compile - omitted for duplicate)
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.4:compile
[INFO] |  \- org.javassist:javassist:jar:3.22.0-CR2:compile
[INFO] +- org.glassfish:javax.json:jar:1.0.4:compile
[INFO] +- com.google.guava:guava:jar:32.1.3-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.37.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.21.1:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
[INFO] +- com.google.collections:google-collections:jar:1.0:compile
[INFO] +- javax.activation:activation:jar:1.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile - omitted for duplicate)
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile
[INFO] \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.3:compile
[INFO]    +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.3:compile
[INFO]    |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile - omitted for duplicate)
[INFO]    |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile - omitted for duplicate)
[INFO]    \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.3:compile
[INFO]       +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- (com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO]       |  \- (jakarta.activation:jakarta.activation-api:jar:1.2.2:compile - omitted for duplicate)
[INFO]       \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile

Vs. original:

[ykaul@ykaul scylla-apiclient]$ !mv
mvn dependency:tree -Dverbose=true 
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------------< com.scylladb.jmx:scylla-apiclient >------------------
[INFO] Building Scylla REST API client 1.0
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- dependency:2.8:tree (default-cli) @ scylla-apiclient ---
[WARNING] Parameter 'localRepository' is deprecated core expression; Avoid use of ArtifactRepository type. If you need access to local repository, switch to '${repositorySystemSession}' expression and get LRM from it instead.
[INFO] com.scylladb.jmx:scylla-apiclient:jar:1.0
[INFO] +- org.yaml:snakeyaml:jar:2.2:compile
[INFO] +- org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile
[INFO] |  +- (javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile - omitted for duplicate)
[INFO] |  +- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] |  +- org.glassfish.jersey.bundles.repackaged:jersey-guava:jar:2.22.1:compile
[INFO] |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile
[INFO] |  |  +- org.glassfish.hk2:hk2-utils:jar:2.4.0-b31:compile
[INFO] |  |  \- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b31:compile
[INFO] |  +- org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile
[INFO] |  +- org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile
[INFO] |  |  +- (org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  |  +- (org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  |  +- (org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  |  +- (org.glassfish.hk2:hk2-utils:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  |  \- org.javassist:javassist:jar:3.18.1-GA:compile          <-------------------------------------------------------------- XXXXXXXXXXXXX
[INFO] |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.1:compile
[INFO] +- javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile
[INFO] +- javax.ws.rs:jsr311-api:jar:1.1.1:compile
[INFO] +- org.glassfish.jersey.core:jersey-client:jar:2.22.1:compile
[INFO] |  +- (javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  \- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] +- org.glassfish:javax.json:jar:1.0.4:compile
[INFO] +- com.google.guava:guava:jar:32.1.3-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.37.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.21.1:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
[INFO] +- com.google.collections:google-collections:jar:1.0:compile
[INFO] +- javax.activation:activation:jar:1.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile - omitted for duplicate)
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile
[INFO] \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.3:compile
[INFO]    +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.3:compile
[INFO]    |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile - omitted for duplicate)
[INFO]    |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile - omitted for duplicate)
[INFO]    \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.3:compile
[INFO]       +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- (com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO]       |  \- (jakarta.activation:jakarta.activation-api:jar:1.2.2:compile - omitted for duplicate)
[INFO]       \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] ------------------------------------------------------------------------

Untested patch:

[ykaul@ykaul scylla-apiclient]$ git diff
diff --git a/scylla-apiclient/pom.xml b/scylla-apiclient/pom.xml
index 7667afe..7a92cf6 100644
--- a/scylla-apiclient/pom.xml
+++ b/scylla-apiclient/pom.xml
@@ -42,6 +42,11 @@
             <artifactId>jersey-client</artifactId>
             <version>2.22.1</version>
         </dependency>
+       <dependency>
+            <groupId>org.glassfish.hk2</groupId>
+            <artifactId>hk2-locator</artifactId>
+            <version>2.5.0</version>
+        </dependency>
         <dependency>
             <groupId>org.glassfish</groupId>
             <artifactId>javax.json</artifactId>

The text was updated successfully, but these errors were encountered:

mykaul · 2024-01-04T15:07:52Z

CC @roydahan , @yaronkaikov - one item out of the list that we need to get rid of. I hope it doesn't break compatibility.

roydahan · 2024-01-07T12:39:55Z

@yaronkaikov is it something that you guys can do or need @avelanarius?

yaronkaikov · 2024-01-07T12:42:35Z

We need @avelanarius for that.

(with a known vulnerable version or whatnot) Fixes: scylladb#231

Drop the dependency of hk2-locator, in order to get rid of javaassist and other 3rd party dependencies of it. there are two ways to address this problem: 1. bump up the dependencies which depend on hk2-locator to a version which depend on hk2-locator 2.5.0. because hk2-locator 2.5.0 contains a change to drop the unnecessary dependencies which made their way into the BOM. but they should have not. 2. bump up the dependencies which depend on hk2-locator to a version which does not depend on hk2-locator at all. before this change, per the output of `mvn dependency:tree -Dverbose=true`, we indirectly depend on hk2-locator 2.4.0. after this change, hk2-locator dependency is dropped by bumping up org.glassfish.jersey.core to the oldest stable version which was released (see https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-common/2.27) after hk2-locator 2.5.0 was released (see https://mvnrepository.com/artifact/org.glassfish.hk2/hk2-locator/2.5.0-b42), otherwise we still depend on hk2-locator 2.4.0 indirectly. verified by running ```shell mvn dependency:tree -Dverbose=true | grep hk2-locator ``` nothing shows up with this change. Fixes scylladb#231 Signed-off-by: Kefu Chai <kefu.chai@scylladb.com>

Drop the dependency of hk2-locator, in order to get rid of javaassist and other 3rd party dependencies of it. there are two ways to address this problem: 1. bump up the dependencies which depend on hk2-locator to a version which depend on hk2-locator 2.5.0. because hk2-locator 2.5.0 contains a change to drop the unnecessary dependencies which made their way into the BOM. but they should have not. 2. bump up the dependencies which depend on hk2-locator to a version which does not depend on hk2-locator at all. before this change, per the output of `mvn dependency:tree -Dverbose=true`, we indirectly depend on hk2-locator 2.4.0. after this change, hk2-locator dependency is dropped by bumping up org.glassfish.jersey.core to the oldest stable version which was released (see https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-common/2.27) after hk2-locator 2.5.0 was released (see https://mvnrepository.com/artifact/org.glassfish.hk2/hk2-locator/2.5.0-b42), otherwise we still depend on hk2-locator 2.4.0 indirectly. javax.ws.rs-api is bumped up to address the conflict reported by `mvn dependency:tree`, like ``` [INFO] | +- org.glassfish.jersey.core:jersey-client:jar:2.27:compile [INFO] | | +- (javax.ws.rs:javax.ws.rs-api:jar:2.1:compile - omitted for conflict with 2.0.1) ``` verified by running ```shell mvn dependency:tree -Dverbose=true | grep hk2-locator ``` nothing shows up with this change. Fixes scylladb#231 Signed-off-by: Kefu Chai <kefu.chai@scylladb.com>

Drop the dependency of hk2-locator, in order to get rid of javaassist and other 3rd party dependencies of it. there are two ways to address this problem: 1. bump up the dependencies which depend on hk2-locator to a version which depend on hk2-locator 2.5.0. because hk2-locator 2.5.0 contains a change to drop the unnecessary dependencies which made their way into the BOM. but they should have not. 2. bump up the dependencies which depend on hk2-locator to a version which does not depend on hk2-locator at all. before this change, per the output of `mvn dependency:tree -Dverbose=true`, we indirectly depend on hk2-locator 2.4.0. after this change, hk2-locator dependency is dropped by bumping up org.glassfish.jersey.core to the oldest stable version which was released (see https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-common/2.27) after hk2-locator 2.5.0 was released (see https://mvnrepository.com/artifact/org.glassfish.hk2/hk2-locator/2.5.0-b42), otherwise we still depend on hk2-locator 2.4.0 indirectly. javax.ws.rs-api is bumped up to address the conflict reported by `mvn dependency:tree`, like ``` [INFO] | +- org.glassfish.jersey.core:jersey-client:jar:2.27:compile [INFO] | | +- (javax.ws.rs:javax.ws.rs-api:jar:2.1:compile - omitted for conflict with 2.0.1) ``` add jersey-hk2 to dependencies, to include the missing `InjectionManagerFactory` class, otherwise nodetools fails like: ``` > raise NodetoolError(" ".join(nodetool), exit_status, stdout, stderr) E ccmlib.node.ToolError: Subprocess /jenkins/workspace/scylla-master/gating-dtest-release/scylla/.ccm/scylla-repository/16680/share/cassandra/bin/nodetool -h 127.0.7.3 -p 7199 -Dcom.sun.jndi.rmiURLParsing=legacy drain exited with non-zero status; exit status: 1; E stdout: nodetool: InjectionManagerFactory not found. E See 'nodetool help' or 'nodetool help <command>'.` ``` verified by running ```shell mvn dependency:tree -Dverbose=true | grep hk2-locator ``` nothing shows up with this change. Fixes scylladb#231 Signed-off-by: Kefu Chai <kefu.chai@scylladb.com>

mykaul · 2024-01-10T07:12:04Z

Thanks @denesb and @tchaikov .
@scylladb/scylla-jmx-maint - let's get it backported ASAP (to 5.4 and more importantly, 5.2) so we can get it into Enterprise release.

denesb · 2024-01-10T07:18:12Z

I will backport it as soon as the submodule update is promoted (well, as soon as I notice, ping me if you notice sooner).

Drop the dependency of hk2-locator, in order to get rid of javaassist and other 3rd party dependencies of it. there are two ways to address this problem: 1. bump up the dependencies which depend on hk2-locator to a version which depend on hk2-locator 2.5.0. because hk2-locator 2.5.0 contains a change to drop the unnecessary dependencies which made their way into the BOM. but they should have not. 2. bump up the dependencies which depend on hk2-locator to a version which does not depend on hk2-locator at all. before this change, per the output of `mvn dependency:tree -Dverbose=true`, we indirectly depend on hk2-locator 2.4.0. after this change, hk2-locator dependency is dropped by bumping up org.glassfish.jersey.core to the oldest stable version which was released (see https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-common/2.27) after hk2-locator 2.5.0 was released (see https://mvnrepository.com/artifact/org.glassfish.hk2/hk2-locator/2.5.0-b42), otherwise we still depend on hk2-locator 2.4.0 indirectly. javax.ws.rs-api is bumped up to address the conflict reported by `mvn dependency:tree`, like ``` [INFO] | +- org.glassfish.jersey.core:jersey-client:jar:2.27:compile [INFO] | | +- (javax.ws.rs:javax.ws.rs-api:jar:2.1:compile - omitted for conflict with 2.0.1) ``` add jersey-hk2 to dependencies, to include the missing `InjectionManagerFactory` class, otherwise nodetools fails like: ``` > raise NodetoolError(" ".join(nodetool), exit_status, stdout, stderr) E ccmlib.node.ToolError: Subprocess /jenkins/workspace/scylla-master/gating-dtest-release/scylla/.ccm/scylla-repository/16680/share/cassandra/bin/nodetool -h 127.0.7.3 -p 7199 -Dcom.sun.jndi.rmiURLParsing=legacy drain exited with non-zero status; exit status: 1; E stdout: nodetool: InjectionManagerFactory not found. E See 'nodetool help' or 'nodetool help <command>'.` ``` verified by running ```shell mvn dependency:tree -Dverbose=true | grep hk2-locator ``` nothing shows up with this change. Fixes #231 Closes #234 Signed-off-by: Kefu Chai <kefu.chai@scylladb.com> (cherry picked from commit 3257897)

* tools/jmx f45067f7...2f290059 (1): > scylla-apiclient: drop hk2-locator dependency Fixes: scylladb/scylla-jmx#231

Drop the dependency of hk2-locator, in order to get rid of javaassist and other 3rd party dependencies of it. there are two ways to address this problem: 1. bump up the dependencies which depend on hk2-locator to a version which depend on hk2-locator 2.5.0. because hk2-locator 2.5.0 contains a change to drop the unnecessary dependencies which made their way into the BOM. but they should have not. 2. bump up the dependencies which depend on hk2-locator to a version which does not depend on hk2-locator at all. before this change, per the output of `mvn dependency:tree -Dverbose=true`, we indirectly depend on hk2-locator 2.4.0. after this change, hk2-locator dependency is dropped by bumping up org.glassfish.jersey.core to the oldest stable version which was released (see https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-common/2.27) after hk2-locator 2.5.0 was released (see https://mvnrepository.com/artifact/org.glassfish.hk2/hk2-locator/2.5.0-b42), otherwise we still depend on hk2-locator 2.4.0 indirectly. javax.ws.rs-api is bumped up to address the conflict reported by `mvn dependency:tree`, like ``` [INFO] | +- org.glassfish.jersey.core:jersey-client:jar:2.27:compile [INFO] | | +- (javax.ws.rs:javax.ws.rs-api:jar:2.1:compile - omitted for conflict with 2.0.1) ``` add jersey-hk2 to dependencies, to include the missing `InjectionManagerFactory` class, otherwise nodetools fails like: ``` > raise NodetoolError(" ".join(nodetool), exit_status, stdout, stderr) E ccmlib.node.ToolError: Subprocess /jenkins/workspace/scylla-master/gating-dtest-release/scylla/.ccm/scylla-repository/16680/share/cassandra/bin/nodetool -h 127.0.7.3 -p 7199 -Dcom.sun.jndi.rmiURLParsing=legacy drain exited with non-zero status; exit status: 1; E stdout: nodetool: InjectionManagerFactory not found. E See 'nodetool help' or 'nodetool help <command>'.` ``` verified by running ```shell mvn dependency:tree -Dverbose=true | grep hk2-locator ``` nothing shows up with this change. Fixes #231 Closes #234 Signed-off-by: Kefu Chai <kefu.chai@scylladb.com> (cherry picked from commit 3257897)

* tools/jmx f21550e...50909d6 (1): > scylla-apiclient: drop hk2-locator dependency Fixes: scylladb/scylla-jmx#231

yaronkaikov · 2024-01-14T11:53:46Z

@scylladb/scylla-maint Please backport this

mykaul · 2024-01-14T12:24:36Z

@scylladb/scylla-jmx-maint is a different team of maintainers?

mykaul · 2024-01-14T12:25:46Z

@yaronkaikov - I thought it was backported (to 5.4 - scylladb/scylladb@00f04e0 ), 5.2 (scylladb/scylladb@abb7ae4 ) ?

yaronkaikov · 2024-01-14T12:30:36Z

@yaronkaikov - I thought it was backported (to 5.4 - scylladb/scylladb@00f04e0 ), 5.2 (scylladb/scylladb@abb7ae4 ) ?

Yes, it was.

denesb · 2024-01-15T13:47:41Z

@scylladb/scylla-jmx-maint is a different team of maintainers?

I think in practice it is the same as @scylladb/scylla-maint.

mykaul assigned avelanarius Jan 4, 2024

yaronkaikov assigned yaronkaikov and unassigned avelanarius Jan 7, 2024

yaronkaikov added a commit to yaronkaikov/scylla-jmx that referenced this issue Jan 7, 2024

Use newer hk2-locator in order to get rid of javassist

a602294

(with a known vulnerable version or whatnot) Fixes: scylladb#231

yaronkaikov mentioned this issue Jan 7, 2024

Use newer hk2-locator in order to get rid of javassist #233

Closed

tchaikov mentioned this issue Jan 8, 2024

scylla-apiclient: drop hk2-locator dependency #234

Closed

denesb closed this as completed in 3257897 Jan 10, 2024

denesb added a commit to scylladb/scylladb that referenced this issue Jan 10, 2024

Update tools/jmx submodule

00f04e0

* tools/jmx f45067f7...2f290059 (1): > scylla-apiclient: drop hk2-locator dependency Fixes: scylladb/scylla-jmx#231

denesb added a commit to scylladb/scylladb that referenced this issue Jan 10, 2024

Update ./tools/jmx submodule

abb7ae4

* tools/jmx f21550e...50909d6 (1): > scylla-apiclient: drop hk2-locator dependency Fixes: scylladb/scylla-jmx#231

yaronkaikov added backport 5.2 backport 5.4 labels Jan 14, 2024

yaronkaikov removed backport 5.2 backport 5.4 labels Jan 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use newer hk2-locator in order to get rid of javassist (with a known vulnerable version or whatnot) #231

Use newer hk2-locator in order to get rid of javassist (with a known vulnerable version or whatnot) #231

mykaul commented Jan 4, 2024

mykaul commented Jan 4, 2024

roydahan commented Jan 7, 2024

yaronkaikov commented Jan 7, 2024

mykaul commented Jan 10, 2024

denesb commented Jan 10, 2024

yaronkaikov commented Jan 14, 2024

mykaul commented Jan 14, 2024

mykaul commented Jan 14, 2024

yaronkaikov commented Jan 14, 2024

denesb commented Jan 15, 2024

Use newer hk2-locator in order to get rid of javassist (with a known vulnerable version or whatnot) #231

Use newer hk2-locator in order to get rid of javassist (with a known vulnerable version or whatnot) #231

Comments

mykaul commented Jan 4, 2024

mykaul commented Jan 4, 2024

roydahan commented Jan 7, 2024

yaronkaikov commented Jan 7, 2024

mykaul commented Jan 10, 2024

denesb commented Jan 10, 2024

yaronkaikov commented Jan 14, 2024

mykaul commented Jan 14, 2024

mykaul commented Jan 14, 2024

yaronkaikov commented Jan 14, 2024

denesb commented Jan 15, 2024