Old version of Netty
dependencies
#363
Comments
This PR updates several dependencies in scylla-tools-java: Netty, Guava and Logback. Before the change, security scanners (such as Trivy and the one we have in the docker hub) reported that those dependencies were vulnerable to several "HIGH", "MEDIUM" and "LOW" severity CVEs. Those issues are fixed in newer versions of those libraries and after this PR the security scanner doesn't report any problems related to the updated dependencies.

Fixes: #363
Fixes: #364
Fixes: #365
Closes: #366

* github.com:scylladb/scylla-tools-java:
  build: update `netty` dependency
  build: update logback dependency
  build: update `guava` dependency
* tools/java 29fe44da...c4aa826a (3): > build: update `netty` dependency > build: update logback dependency > build: update `guava` dependency Fixes: scylladb/scylla-tools-java#363 Fixes: scylladb/scylla-tools-java#364 Fixes: scylladb/scylla-tools-java#365
* tools/java 29fe44da84...3963c3abf7 (2): > Revert "build: update `guava` dependency" > Merge "Update Netty , Guava and Logback dependencies" from Yaron Kaikov Ref scylladb/scylla-tools-java#363 Ref scylladb/scylla-tools-java#364
Update the version of `netty` dependency to `4.1.100-Final`. Before the change, security scanners (such as docker hub) reported that `netty` used in the project was vulnerable to CVE-2023-4586, CVE-2023-44487, CVE-2022-41881, CVE-2021-37136 (all "HIGH" severity) as well as CVE-2023-34462 and CVE-2021-21409 (both "MEDIUM" severity). The issues are fixed in netty `4.1.100-Final` and after this commit the security scanner doesn't report any problems related to this dependency.

Fixes: #363

(cherry picked from commit f52a780)
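The commit above names the vulnerable version (4.1.58.Final in the issue) and the version that carries the fixes. The check below is an added example, not code from the scylla-tools-java project: it scans a constructed list of jar file names (assuming a Cassandra-style `lib/` directory of versioned jars) and flags any Netty artifact older than the fixed release, comparing version components numerically because a plain string comparison ranks 4.1.58 above 4.1.100.

```python
"""Added example: flag Netty jars older than the release that fixes the CVEs
listed on this page. Jar names below are constructed, not taken from the repo."""
import re
from typing import List, Optional, Tuple

# Release the page's fix moves to (Maven artifacts spell it 4.1.100.Final).
FIXED_NETTY_VERSION = "4.1.100.Final"

# CVEs quoted in the commit message on the page; used only in the report text.
NETTY_CVES = ["CVE-2023-4586", "CVE-2023-44487", "CVE-2022-41881",
              "CVE-2021-37136", "CVE-2023-34462", "CVE-2021-21409"]

# Matches e.g. netty-all-4.1.58.Final.jar or netty-codec-http2-4.1.100.Final.jar
JAR_RE = re.compile(r"^(netty(?:-[a-z0-9-]+)?)-(\d+\.\d+\.\d+)\.Final\.jar$")

# Constructed directory listing standing in for lib/ (versions are made up).
SAMPLE_LIB = ["netty-all-4.1.58.Final.jar", "guava-18.0.jar",
              "logback-classic-1.2.3.jar", "netty-codec-http2-4.1.100.Final.jar"]


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering: (4,1,58) < (4,1,100). The string form
    '4.1.58.Final' < '4.1.100.Final' is False, which would hide the old jar."""
    return tuple(int(p) for p in version.split(".")[:3])


def parse_netty_jar(name: str) -> Optional[Tuple[str, str]]:
    """Return (artifact, version) for a Netty jar name, None for anything else."""
    m = JAR_RE.match(name)
    return (m.group(1), m.group(2) + ".Final") if m else None


def find_outdated_netty(jar_names: List[str]) -> List[Tuple[str, str]]:
    """List (artifact, version) pairs that are older than FIXED_NETTY_VERSION."""
    fixed = version_key(FIXED_NETTY_VERSION)
    return [parsed for name in jar_names
            if (parsed := parse_netty_jar(name)) and version_key(parsed[1]) < fixed]


def report(jar_names: List[str]) -> List[str]:
    """Human-readable findings, one line per outdated Netty jar."""
    return [f"{art} {ver} is below {FIXED_NETTY_VERSION}; scanners will flag "
            f"{', '.join(NETTY_CVES)}" for art, ver in find_outdated_netty(jar_names)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LIB)) or "no outdated Netty jars")
```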
* tools/java f9cce789...9387ac10 (2): > build: update logback dependency > build: update `netty` dependency Fixes: scylladb/scylla-tools-java#363 Fixes: scylladb/scylla-tools-java#364
* tools/java 80701efa8d...e2aad6e3a0 (2): > build: update logback dependency > build: update `netty` dependency Fixes: scylladb/scylla-tools-java#363 Fixes: scylladb/scylla-tools-java#364
* tools/java f9cce789...9387ac10 (2): > build: update logback dependency > build: update `netty` dependency Fixes: scylladb/scylla-tools-java#363 Fixes: scylladb/scylla-tools-java#364 Closes #16442
* tools/java 80701efa8d...e2aad6e3a0 (2): > build: update logback dependency > build: update `netty` dependency Fixes: scylladb/scylla-tools-java#363 Fixes: scylladb/scylla-tools-java#364 Closes #16444
@scylladb/Scylla-maint Please backport this to
2022.2 backport PR: https://github.com/scylladb/scylla-enterprise/pull/3768
https://github.com/scylladb/scylla-enterprise-tools-java/pull/39
Scylla-tools-java uses netty version 4.1.58.Final. Those dependencies are flagged by security scanners and should be updated.