Use newer hk2-locator in order to get rid of javassist (with a known vulnerable version or whatnot) #231
Comments
CC @roydahan, @yaronkaikov - one item out of the list that we need to get rid of. I hope it doesn't break compatibility.
@yaronkaikov is it something that you guys can do or need @avelanarius?
We need @avelanarius for that.
(with a known vulnerable version or whatnot) Fixes: scylladb#231
Drop the dependency of hk2-locator, in order to get rid of javassist and other 3rd-party dependencies of it.

There are two ways to address this problem:

1. Bump up the dependencies which depend on hk2-locator to a version which depends on hk2-locator 2.5.0, because hk2-locator 2.5.0 contains a change to drop the unnecessary dependencies which made their way into the BOM but should not have.
2. Bump up the dependencies which depend on hk2-locator to a version which does not depend on hk2-locator at all.

Before this change, per the output of `mvn dependency:tree -Dverbose=true`, we indirectly depend on hk2-locator 2.4.0. After this change, the hk2-locator dependency is dropped by bumping up org.glassfish.jersey.core to the oldest stable version which was released (see https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-common/2.27) after hk2-locator 2.5.0 was released (see https://mvnrepository.com/artifact/org.glassfish.hk2/hk2-locator/2.5.0-b42); otherwise we still depend on hk2-locator 2.4.0 indirectly.

Verified by running

```shell
mvn dependency:tree -Dverbose=true | grep hk2-locator
```

Nothing shows up with this change.

Fixes scylladb#231
Signed-off-by: Kefu Chai <kefu.chai@scylladb.com>
Drop the dependency of hk2-locator, in order to get rid of javassist and other 3rd-party dependencies of it.

There are two ways to address this problem:

1. Bump up the dependencies which depend on hk2-locator to a version which depends on hk2-locator 2.5.0, because hk2-locator 2.5.0 contains a change to drop the unnecessary dependencies which made their way into the BOM but should not have.
2. Bump up the dependencies which depend on hk2-locator to a version which does not depend on hk2-locator at all.

Before this change, per the output of `mvn dependency:tree -Dverbose=true`, we indirectly depend on hk2-locator 2.4.0. After this change, the hk2-locator dependency is dropped by bumping up org.glassfish.jersey.core to the oldest stable version which was released (see https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-common/2.27) after hk2-locator 2.5.0 was released (see https://mvnrepository.com/artifact/org.glassfish.hk2/hk2-locator/2.5.0-b42); otherwise we still depend on hk2-locator 2.4.0 indirectly.

javax.ws.rs-api is bumped up to address the conflict reported by `mvn dependency:tree`, like

```
[INFO] | +- org.glassfish.jersey.core:jersey-client:jar:2.27:compile
[INFO] | | +- (javax.ws.rs:javax.ws.rs-api:jar:2.1:compile - omitted for conflict with 2.0.1)
```

Verified by running

```shell
mvn dependency:tree -Dverbose=true | grep hk2-locator
```

Nothing shows up with this change.

Fixes scylladb#231
Signed-off-by: Kefu Chai <kefu.chai@scylladb.com>
Drop the dependency of hk2-locator, in order to get rid of javassist and other 3rd-party dependencies of it.

There are two ways to address this problem:

1. Bump up the dependencies which depend on hk2-locator to a version which depends on hk2-locator 2.5.0, because hk2-locator 2.5.0 contains a change to drop the unnecessary dependencies which made their way into the BOM but should not have.
2. Bump up the dependencies which depend on hk2-locator to a version which does not depend on hk2-locator at all.

Before this change, per the output of `mvn dependency:tree -Dverbose=true`, we indirectly depend on hk2-locator 2.4.0. After this change, the hk2-locator dependency is dropped by bumping up org.glassfish.jersey.core to the oldest stable version which was released (see https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-common/2.27) after hk2-locator 2.5.0 was released (see https://mvnrepository.com/artifact/org.glassfish.hk2/hk2-locator/2.5.0-b42); otherwise we still depend on hk2-locator 2.4.0 indirectly.

javax.ws.rs-api is bumped up to address the conflict reported by `mvn dependency:tree`, like

```
[INFO] | +- org.glassfish.jersey.core:jersey-client:jar:2.27:compile
[INFO] | | +- (javax.ws.rs:javax.ws.rs-api:jar:2.1:compile - omitted for conflict with 2.0.1)
```

Add jersey-hk2 to dependencies, to include the missing `InjectionManagerFactory` class, otherwise nodetool fails like:

```
> raise NodetoolError(" ".join(nodetool), exit_status, stdout, stderr)
E ccmlib.node.ToolError: Subprocess /jenkins/workspace/scylla-master/gating-dtest-release/scylla/.ccm/scylla-repository/16680/share/cassandra/bin/nodetool -h 127.0.7.3 -p 7199 -Dcom.sun.jndi.rmiURLParsing=legacy drain exited with non-zero status; exit status: 1;
E stdout: nodetool: InjectionManagerFactory not found.
E See 'nodetool help' or 'nodetool help <command>'.
```

Verified by running

```shell
mvn dependency:tree -Dverbose=true | grep hk2-locator
```

Nothing shows up with this change.

Fixes scylladb#231
Signed-off-by: Kefu Chai <kefu.chai@scylladb.com>
I will backport it as soon as the submodule update is promoted (well, as soon as I notice, ping me if you notice sooner).
Drop the dependency of hk2-locator, in order to get rid of javassist and other 3rd-party dependencies of it.

There are two ways to address this problem:

1. Bump up the dependencies which depend on hk2-locator to a version which depends on hk2-locator 2.5.0, because hk2-locator 2.5.0 contains a change to drop the unnecessary dependencies which made their way into the BOM but should not have.
2. Bump up the dependencies which depend on hk2-locator to a version which does not depend on hk2-locator at all.

Before this change, per the output of `mvn dependency:tree -Dverbose=true`, we indirectly depend on hk2-locator 2.4.0. After this change, the hk2-locator dependency is dropped by bumping up org.glassfish.jersey.core to the oldest stable version which was released (see https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-common/2.27) after hk2-locator 2.5.0 was released (see https://mvnrepository.com/artifact/org.glassfish.hk2/hk2-locator/2.5.0-b42); otherwise we still depend on hk2-locator 2.4.0 indirectly.

javax.ws.rs-api is bumped up to address the conflict reported by `mvn dependency:tree`, like

```
[INFO] | +- org.glassfish.jersey.core:jersey-client:jar:2.27:compile
[INFO] | | +- (javax.ws.rs:javax.ws.rs-api:jar:2.1:compile - omitted for conflict with 2.0.1)
```

Add jersey-hk2 to dependencies, to include the missing `InjectionManagerFactory` class, otherwise nodetool fails like:

```
> raise NodetoolError(" ".join(nodetool), exit_status, stdout, stderr)
E ccmlib.node.ToolError: Subprocess /jenkins/workspace/scylla-master/gating-dtest-release/scylla/.ccm/scylla-repository/16680/share/cassandra/bin/nodetool -h 127.0.7.3 -p 7199 -Dcom.sun.jndi.rmiURLParsing=legacy drain exited with non-zero status; exit status: 1;
E stdout: nodetool: InjectionManagerFactory not found.
E See 'nodetool help' or 'nodetool help <command>'.
```

Verified by running

```shell
mvn dependency:tree -Dverbose=true | grep hk2-locator
```

Nothing shows up with this change.

Fixes #231
Closes #234
Signed-off-by: Kefu Chai <kefu.chai@scylladb.com>
(cherry picked from commit 3257897)
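The commit messages above verify the fix with a one-off `mvn dependency:tree -Dverbose=true | grep hk2-locator`. As an added example (not scylla-jmx code and not part of this issue), the script below turns that spot check into a repeatable gate: it parses a constructed sample of the verbose tree output, flags banned artifacts such as hk2-locator and javassist, and reports the chain of parents that pulls each one in, which is exactly what a reviewer needs to decide which direct dependency to bump. It also separates artifacts Maven actually resolved onto the classpath from ones it listed in parentheses as omitted for a conflict or duplicate, since only the former fail the gate. The two sample trees, the `BANNED` set and all function names are assumptions; the project coordinates and versions in the samples are illustrative, not real output.

```python
"""Gate a Maven build on banned transitive dependencies.

Added example; not part of scylla-jmx. Parses the text printed by
`mvn dependency:tree -Dverbose=true` and reports every banned artifact
together with the ancestor chain that introduces it.
"""
import re
from typing import List, Optional, Tuple

# groupId:artifactId pairs that must not reach the classpath, even transitively.
BANNED = {"org.glassfish.hk2:hk2-locator", "org.javassist:javassist"}

# Constructed sample shaped like the verbose tree quoted in the commit message
# (nesting and versions are illustrative, not real project output).
SAMPLE_TREE_BEFORE = """\
[INFO] com.scylladb.jmx:scylla-apiclient:jar:1.0
[INFO] +- org.glassfish.jersey.core:jersey-client:jar:2.26:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:2.26:compile
[INFO] |  |  \\- org.glassfish.hk2:hk2-locator:jar:2.4.0:compile
[INFO] |  |     +- org.javassist:javassist:jar:3.20.0-GA:compile
[INFO] |  |     \\- org.glassfish.hk2:hk2-api:jar:2.4.0:compile
[INFO] |  +- (org.glassfish.hk2:hk2-locator:jar:2.4.0:compile - omitted for duplicate)
[INFO] |  \\- (javax.ws.rs:javax.ws.rs-api:jar:2.1:compile - omitted for conflict with 2.0.1)
[INFO] \\- javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile
"""

# Constructed "after" sample: nothing banned remains, so the gate passes.
SAMPLE_TREE_AFTER = """\
[INFO] com.scylladb.jmx:scylla-apiclient:jar:1.0
[INFO] +- org.glassfish.jersey.core:jersey-client:jar:2.27:compile
[INFO] |  \\- org.glassfish.jersey.core:jersey-common:jar:2.27:compile
[INFO] \\- javax.ws.rs:javax.ws.rs-api:jar:2.1:compile
"""

# "[INFO] ", then zero or more 3-character tree segments ("+- ", "\- ", "|  ",
# "   "), then the node text. Tree depth is the number of segments.
LINE_RE = re.compile(r"^\[INFO\] (?P<indent>(?:[|+\\ -]{3})*)(?P<node>[^\s|+\\-].*)$")
# groupId:artifactId:type[:classifier]:version[:scope]; filters out log chatter.
COORD_RE = re.compile(r"(?:[\w.\-]+:){3,5}[\w.\-]+")


def parse_tree(text: str) -> List[Tuple[int, str, str, Optional[str]]]:
    """Return (depth, groupId:artifactId, version, omitted_reason) per node.

    omitted_reason is None for nodes Maven resolved; for parenthesised nodes
    it holds the text after " - ", e.g. "omitted for conflict with 2.0.1".
    """
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # plugin banners, blank lines, BUILD SUCCESS, etc.
        depth = len(m.group("indent")) // 3
        node = m.group("node")
        omitted = None
        if node.startswith("(") and node.endswith(")"):
            node, _, omitted = node[1:-1].partition(" - ")
        if not COORD_RE.fullmatch(node):
            continue
        parts = node.split(":")
        # The root line is g:a:packaging:version; dependency lines end in :scope.
        version = parts[3] if len(parts) == 4 else parts[-2]
        nodes.append((depth, f"{parts[0]}:{parts[1]}", version, omitted))
    return nodes


def find_banned(text: str, banned=BANNED) -> List[dict]:
    """Return every banned node with the ancestor chain (root first) above it."""
    findings = []
    ancestors: List[str] = []  # ancestors[i] is the most recent node at depth i
    for depth, ga, version, omitted in parse_tree(text):
        del ancestors[depth:]  # climb back up to this node's parent
        ancestors.append(f"{ga}:{version}")
        if ga in banned:
            findings.append({"artifact": f"{ga}:{version}",
                             "path": list(ancestors[:-1]),
                             "omitted": omitted})
    return findings


def is_clean(text: str, banned=BANNED) -> bool:
    """True when no banned artifact is actually resolved onto the classpath.

    Omitted occurrences do not fail the gate (Maven dropped them), but they
    are still reported: a later version bump elsewhere can make them win the
    conflict and reappear on the classpath.
    """
    return not any(f["omitted"] is None for f in find_banned(text, banned))


def format_report(findings: List[dict]) -> str:
    lines = []
    for f in findings:
        status = "RESOLVED" if f["omitted"] is None else f"omitted ({f['omitted']})"
        lines.append(f"{status}: {f['artifact']}  via  {' -> '.join(f['path'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, tree in (("before", SAMPLE_TREE_BEFORE), ("after", SAMPLE_TREE_AFTER)):
        verdict = "clean" if is_clean(tree) else "BANNED ARTIFACTS PRESENT"
        print(f"== {label}: {verdict}")
        print(format_report(find_banned(tree)) or "(no findings)")
```

Against real output, save the tree with `mvn dependency:tree -Dverbose=true > tree.txt`, call `find_banned` on the file contents, and fail the CI job when `is_clean` returns False; the reported path tells you which direct dependency (here jersey-common via jersey-client) is the one to bump.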
* tools/jmx f45067f7...2f290059 (1): > scylla-apiclient: drop hk2-locator dependency Fixes: scylladb/scylla-jmx#231
* tools/jmx f21550e...50909d6 (1): > scylla-apiclient: drop hk2-locator dependency Fixes: scylladb/scylla-jmx#231
@scylladb/scylla-maint Please backport this
@scylladb/scylla-jmx-maint is a different team of maintainers?
@yaronkaikov - I thought it was backported (to 5.4 - scylladb/scylladb@00f04e0 ), 5.2 (scylladb/scylladb@abb7ae4 )?
Yes, it was.
I think in practice it is the same as @scylladb/scylla-maint.
See eclipse-ee4j/glassfish-hk2#30 - it's fixed in 2.5.0, and indeed, when looking at the deps:
Vs. original:
Untested patch: