
Old version of Netty dependencies #363

Closed
yaronkaikov opened this issue Dec 12, 2023 · 3 comments · Fixed by #366

Comments

yaronkaikov (Contributor) commented Dec 12, 2023

Scylla-tools-java uses netty version 4.1.58.Final. Those dependencies are flagged by security scanners and should be updated.


yaronkaikov self-assigned this Dec 12, 2023
denesb closed this as completed in f52a780 Dec 12, 2023
denesb added a commit that referenced this issue Dec 12, 2023
This PR updates several dependencies in scylla-tools-java: Netty, Guava and Logback.
Before the change, security scanners (such as Trivy and the one we have in the docker hub) reported that those dependencies were vulnerable to several "HIGH", "MEDIUM" and "LOW" severity CVEs. Those issues are fixed in newer versions of those libraries and after this PR the security scanner doesn't report any problems related to the updated dependencies.

Fixes: #363
Fixes: #364
Fixes: #365

Closes: #366

* github.com:scylladb/scylla-tools-java:
  build: update `netty` dependency
  build: update logback dependency
  build: update `guava` dependency
denesb added a commit to scylladb/scylladb that referenced this issue Dec 12, 2023
* tools/java 29fe44da...c4aa826a (3):
  > build: update `netty` dependency
  > build: update logback dependency
  > build: update `guava` dependency

Fixes: scylladb/scylla-tools-java#363
Fixes: scylladb/scylla-tools-java#364
Fixes: scylladb/scylla-tools-java#365
avikivity added a commit to scylladb/scylladb that referenced this issue Dec 12, 2023
* tools/java 29fe44da84...3963c3abf7 (2):
  > Revert "build: update `guava` dependency"
  > Merge "Update Netty , Guava and Logback dependencies" from Yaron Kaikov

    Ref scylladb/scylla-tools-java#363
    Ref scylladb/scylla-tools-java#364
yaronkaikov pushed a commit to yaronkaikov/scylla that referenced this issue Dec 12, 2023
* tools/java 29fe44da...c4aa826a (3):
  > build: update `netty` dependency
  > build: update logback dependency
  > build: update `guava` dependency

Fixes: scylladb/scylla-tools-java#363
Fixes: scylladb/scylla-tools-java#364
Fixes: scylladb/scylla-tools-java#365
denesb pushed a commit that referenced this issue Dec 18, 2023
Update the version of `netty` dependency to `4.1.100-Final`. Before the change,
security scanners (such as docker hub) reported that `netty` used
in the project was vulnerable to CVE-2023-4586, CVE-2023-44487,
CVE-2022-41881, CVE-2021-37136 (all "HIGH" severity) as well as CVE-2023-34462 and CVE-2021-21409 (both "MEDIUM" severity)

The issues are fixed in netty `4.1.100-Final` and after this commit the security
scanner doesn't report any problems related to this dependency.

Fixes: #363
(cherry picked from commit f52a780)
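The commit above moves Netty to 4.1.100.Final (written in its Maven coordinate form below; the message spells it `4.1.100-Final`) to clear the listed CVEs. As an added example that is not part of scylla-tools-java or of this fix, the script below audits a flat `lib/` directory of jars and reports every Netty artifact still below that release. It reads the version from the jar filename and, for a renamed or vendored jar, falls back to the OSGi `Bundle-SymbolicName` / `Bundle-Version` manifest headers (assumed present, as in Netty's published jars). It checks each `netty-*` jar separately because one stale module left on the classpath is enough to keep a scanner finding alive even after `netty-all` is bumped. The sample `lib/` tree it builds is constructed data; the stub jars contain only a manifest.

```python
"""Audit a flat lib/ directory for Netty jars older than a fixed release.
Added example, not scylla-tools-java code: assumes <artifact>-<version>[-<classifier>].jar
names and OSGi Bundle-SymbolicName/Bundle-Version headers in renamed Netty jars."""
import re
import tempfile
import zipfile
from pathlib import Path

# Release the fix in this issue moved to (Maven coordinate form). Every
# netty-* jar on the classpath must be at least this, not only netty-all.
MIN_NETTY = "4.1.100.Final"

_JAR_RE = re.compile(
    r"^(?P<artifact>netty(?:-[a-z0-9]+)*?)-"
    r"(?P<version>\d+\.\d+\.\d+(?:\.[A-Za-z0-9]+)?)"
    r"(?:-[a-z0-9_]+)*\.jar$"
)
# Pre-release qualifiers sort below Final; an unknown qualifier sorts lowest
# so it is never mistaken for a fixed release.
_QUALIFIER_RANK = {"Alpha": 0, "Beta": 1, "CR": 2, "SNAPSHOT": 3, "Final": 4}

def version_key(version):
    """Map '4.1.100.Final' to a sortable tuple; a missing qualifier means Final."""
    parts = version.split(".")
    nums = tuple(int(p) for p in parts[:3])
    qualifier = parts[3] if len(parts) > 3 else "Final"
    word = re.match(r"[A-Za-z]+", qualifier)  # CR1 -> CR
    rank = _QUALIFIER_RANK.get(word.group(0), -1) if word else -1
    return nums + (rank,)

def identify(jar_path):
    """Return (artifact, version) for a Netty jar, or None for anything else."""
    jar_path = Path(jar_path)
    m = _JAR_RE.match(jar_path.name)
    if m:
        return m.group("artifact"), m.group("version")
    # Renamed or vendored jar: fall back to the OSGi headers in the manifest.
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, zipfile.BadZipFile, KeyError):
        return None
    headers = {}
    for line in manifest.splitlines():
        if line.startswith(" "):  # continuation of a wrapped header, not needed here
            continue
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip()] = value.strip()
    name = headers.get("Bundle-SymbolicName", "")
    if name.startswith("io.netty.") and "Bundle-Version" in headers:
        return "netty-" + name[len("io.netty."):], headers["Bundle-Version"]
    return None

def audit(lib_dir, minimum=MIN_NETTY):
    """List (artifact, version, outdated) for every Netty jar under lib_dir."""
    rows = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        found = identify(jar)
        if found:
            artifact, version = found
            rows.append((artifact, version, version_key(version) < version_key(minimum)))
    return rows

def outdated(lib_dir, minimum=MIN_NETTY):
    """Names of the jars that still need the bump; empty means lib/ is clean."""
    return [f"{a}-{v}" for a, v, old in audit(lib_dir, minimum) if old]

def make_sample_lib(root):
    """Build a constructed lib/ tree of stub jars (sample data, manifest only)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    stubs = {
        "netty-all-4.1.58.Final.jar": None,           # version the issue reports
        "netty-codec-http2-4.1.100.Final.jar": None,   # already at the fix
        "netty-transport-native-epoll-4.1.100.Final-linux-x86_64.jar": None,
        "guava-32.1.3-jre.jar": None,                  # not Netty, must be ignored
        "vendored-haproxy.jar": ("io.netty.codec-haproxy", "4.1.58.Final"),
    }
    for name, osgi in stubs.items():
        manifest = "Manifest-Version: 1.0\n"
        if osgi:
            manifest += f"Bundle-SymbolicName: {osgi[0]}\nBundle-Version: {osgi[1]}\n"
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return root

def run_demo():
    """Audit the constructed tree; returns the jars still below MIN_NETTY."""
    lib = make_sample_lib(tempfile.mkdtemp())
    return outdated(lib)

if __name__ == "__main__":
    print("needs bump:", run_demo())
```

Point it at the real tree with `outdated("lib")` after a bump; a non-empty list means some module was missed. The manifest fallback matters because scanners such as Trivy key on the metadata inside the jar, not on the filename, so a renamed copy that a filename-only check skips is still reported.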
denesb added a commit to denesb/scylla that referenced this issue Dec 18, 2023
* tools/java f9cce789...9387ac10 (2):
  > build: update logback dependency
  > build: update `netty` dependency

Fixes: scylladb/scylla-tools-java#363
Fixes: scylladb/scylla-tools-java#364
denesb added a commit to denesb/scylla that referenced this issue Dec 18, 2023
* tools/java 80701efa8d...e2aad6e3a0 (2):
  > build: update logback dependency
  > build: update `netty` dependency

Fixes: scylladb/scylla-tools-java#363
Fixes: scylladb/scylla-tools-java#364
denesb added a commit to scylladb/scylladb that referenced this issue Dec 18, 2023
* tools/java f9cce789...9387ac10 (2):
  > build: update logback dependency
  > build: update `netty` dependency

Fixes: scylladb/scylla-tools-java#363
Fixes: scylladb/scylla-tools-java#364

Closes #16442
denesb added a commit to scylladb/scylladb that referenced this issue Dec 18, 2023
* tools/java 80701efa8d...e2aad6e3a0 (2):
  > build: update logback dependency
  > build: update `netty` dependency

Fixes: scylladb/scylla-tools-java#363
Fixes: scylladb/scylla-tools-java#364

Closes #16444
yaronkaikov (Contributor, Author) commented:

@scylladb/Scylla-maint Please backport this to 2022.2 and 2022.1

denesb (Contributor) commented Jan 5, 2024

2022.2 backport PR: https://github.com/scylladb/scylla-enterprise/pull/3768
Doesn't apply to 2022.1, I will need a backport PR.
The backport PR should also include #364 and optionally #352.

yaronkaikov (Contributor, Author) commented:

> 2022.2 backport PR: scylladb/scylla-enterprise#3768 Doesn't apply to 2022.1, I will need a backport PR. The backport PR should also include #364 and optionally #352.

https://github.com/scylladb/scylla-enterprise-tools-java/pull/39

dgarcia360 pushed a commit to dgarcia360/scylla that referenced this issue Apr 30, 2024
* tools/java 29fe44da84...3963c3abf7 (2):
  > Revert "build: update `guava` dependency"
  > Merge "Update Netty , Guava and Logback dependencies" from Yaron Kaikov

    Ref scylladb/scylla-tools-java#363
    Ref scylladb/scylla-tools-java#364