Closed. prb112 closed this 2 years ago:
This is already marked as an experimental feature and the support for Cassandra is really coming from JanusGraph. Our pom files now list more recent versions to help avoid the CVEs, but we're not performing additional QA on this at this time.
Describe the bug
Update Terminology to use Cassandra 4.0.0 Libraries. https://docs.janusgraph.org/storage-backend/cassandra/
This current dep has many CVEs. https://mvnrepository.com/artifact/com.datastax.cassandra/cassandra-driver-core/3.11.0
Environment
Which version of IBM FHIR Server? main
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Additional context
CVEs:
fhir-term-graph:
  cassandra-driver-core-3.11.0.jar (pkg:maven/com.datastax.cassandra/cassandra-driver-core@3.11.0, cpe:2.3:a:apache:cassandra:3.11.0:*:*:*:*:*:*:*) : CVE-2018-8016, CVE-2020-13946, CVE-2020-17516
  gremlin-core-3.5.1.jar (pkg:maven/org.apache.tinkerpop/gremlin-core@3.5.1, cpe:2.3:a:apache:tinkerpop:3.5.1:*:*:*:*:*:*:*) : CVE-2021-37136, CVE-2021-37137
  hibernate-validator-4.3.0.Final.jar (pkg:maven/org.hibernate/hibernate-validator@4.3.0.Final, cpe:2.3:a:redhat:hibernate_validator:4.3.0:*:*:*:*:*:*:*) : CVE-2014-3558, CVE-2019-10219
  janusgraph-es-0.6.0.jar (pkg:maven/org.janusgraph/janusgraph-es@0.6.0, cpe:2.3:a:elastic:elasticsearch:0.6.0:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:0.6.0:*:*:*:*:*:*:*) : CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337, CVE-2015-5377, CVE-2015-5531, CVE-2019-7611, CVE-2019-7614, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021, CVE-2021-22135, CVE-2021-22137, CVE-2021-22144
  je-18.3.12.jar (pkg:maven/com.sleepycat/je@18.3.12, cpe:2.3:a:oracle:database:18.3.12:*:*:*:*:*:*:*, cpe:2.3:a:oracle:nosql_database:18.3.12:*:*:*:*:*:*:*, cpe:2.3:a:oracle:oracle_database:18.3.12:*:*:*:*:*:*:*) : CVE-2018-1000873, CVE-2018-1320, CVE-2018-14718, CVE-2020-13956, CVE-2020-8908, CVE-2021-21290, CVE-2021-22883, CVE-2021-22884, CVE-2021-23840
  libthrift-0.9.2.jar (pkg:maven/org.apache.thrift/libthrift@0.9.2, cpe:2.3:a:apache:thrift:0.9.2:*:*:*:*:*:*:*) : CVE-2015-3254, CVE-2016-5397, CVE-2018-11798, CVE-2018-1320, CVE-2019-0205
  native-protocol-1.5.0.jar (pkg:maven/com.datastax.oss/native-protocol@1.5.0, cpe:2.3:a:apache:cassandra:1.5.0:*:*:*:*:*:*:*) : CVE-2020-13946
  tinkergraph-gremlin-3.5.1.jar (pkg:maven/org.apache.tinkerpop/tinkergraph-gremlin@3.5.1, cpe:2.3:a:apache:tinkerpop:3.5.1:*:*:*:*:*:*:*) : CVE-2021-37136, CVE-2021-37137
fhir-term-graph-loader:
  cassandra-driver-core-3.11.0.jar (pkg:maven/com.datastax.cassandra/cassandra-driver-core@3.11.0, cpe:2.3:a:apache:cassandra:3.11.0:*:*:*:*:*:*:*) : CVE-2018-8016, CVE-2020-13946, CVE-2020-17516
  gremlin-core-3.5.1.jar (pkg:maven/org.apache.tinkerpop/gremlin-core@3.5.1, cpe:2.3:a:apache:tinkerpop:3.5.1:*:*:*:*:*:*:*) : CVE-2021-37136, CVE-2021-37137
  janusgraph-es-0.6.0.jar (pkg:maven/org.janusgraph/janusgraph-es@0.6.0, cpe:2.3:a:elastic:elasticsearch:0.6.0:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:0.6.0:*:*:*:*:*:*:*) : CVE-2014-3120, CVE-2014-6439, CVE-2015-1427, CVE-2015-3337, CVE-2015-5377, CVE-2015-5531, CVE-2019-7611, CVE-2019-7614, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021, CVE-2021-22135, CVE-2021-22137, CVE-2021-22144
  je-18.3.12.jar (pkg:maven/com.sleepycat/je@18.3.12, cpe:2.3:a:oracle:database:18.3.12:*:*:*:*:*:*:*, cpe:2.3:a:oracle:nosql_database:18.3.12:*:*:*:*:*:*:*, cpe:2.3:a:oracle:oracle_database:18.3.12:*:*:*:*:*:*:*) : CVE-2018-1000873, CVE-2018-1320, CVE-2018-14718, CVE-2020-13956, CVE-2020-8908, CVE-2021-21290, CVE-2021-22883, CVE-2021-22884, CVE-2021-23840
  native-protocol-1.5.0.jar (pkg:maven/com.datastax.oss/native-protocol@1.5.0, cpe:2.3:a:apache:cassandra:1.5.0:*:*:*:*:*:*:*) : CVE-2020-13946
  tinkergraph-gremlin-3.5.1.jar (pkg:maven/org.apache.tinkerpop/tinkergraph-gremlin@3.5.1, cpe:2.3:a:apache:tinkerpop:3.5.1:*:*:*:*:*:*:*) : CVE-2021-37136, CVE-2021-37137
Not all are applicable.
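The "not all are applicable" remark is the usual state of a CPE-based scan: several matches above pair a jar with a CPE product that is a different piece of software sharing only a version number (janusgraph-es 0.6.0 matched to elasticsearch 0.6.0, Sleepycat je 18.3.12 matched to Oracle Database 18.3.12). The following added example, not code from the IBM FHIR Server project, parses report lines in the layout quoted above and flags CPE matches whose product name appears in neither the Maven groupId nor artifactId, as a first-pass triage list; the excerpt is constructed from the report values and the regexes assume that exact layout.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the "jar (purl, cpe...) : CVE, CVE" layout of the
# dependency-check output quoted in the issue (CPE wildcards restored).
REPORT = (
    "fhir-term-graph: cassandra-driver-core-3.11.0.jar (pkg:maven/com.datastax.cassandra/"
    "cassandra-driver-core@3.11.0, cpe:2.3:a:apache:cassandra:3.11.0:*:*:*:*:*:*:*) : "
    "CVE-2018-8016, CVE-2020-13946, CVE-2020-17516 "
    "janusgraph-es-0.6.0.jar (pkg:maven/org.janusgraph/janusgraph-es@0.6.0, "
    "cpe:2.3:a:elastic:elasticsearch:0.6.0:*:*:*:*:*:*:*, "
    "cpe:2.3:a:elasticsearch:elasticsearch:0.6.0:*:*:*:*:*:*:*) : CVE-2014-3120, CVE-2019-7611 "
    "tinkergraph-gremlin-3.5.1.jar (pkg:maven/org.apache.tinkerpop/tinkergraph-gremlin@3.5.1, "
    "cpe:2.3:a:apache:tinkerpop:3.5.1:*:*:*:*:*:*:*) : CVE-2021-37136, CVE-2021-37137"
)

ENTRY_RE = re.compile(r"(\S+\.jar) \(([^)]*)\) : ((?:CVE-\d{4}-\d+(?:, )?)+)")
PURL_RE = re.compile(r"pkg:maven/([^/]+)/([^@]+)@(\S+)")

@dataclass
class Finding:
    jar: str
    group: str     # Maven groupId taken from the purl
    artifact: str  # Maven artifactId taken from the purl
    version: str
    cpes: list     # CPE 2.3 names the scanner mapped to this jar
    cves: list

def parse_report(text):
    """Split a dependency-check summary into one Finding per jar."""
    findings = []
    for jar, ids, cves in ENTRY_RE.findall(text):
        parts = [p.strip() for p in ids.split(",")]
        purl = next(p for p in parts if p.startswith("pkg:maven/"))
        group, artifact, version = PURL_RE.match(purl).groups()
        cpes = [p for p in parts if p.startswith("cpe:2.3:")]
        cve_list = [c.strip() for c in cves.split(",") if c.strip()]
        findings.append(Finding(jar, group, artifact, version, cpes, cve_list))
    return findings

def cpe_product(cpe):
    # CPE 2.3 field order: cpe:2.3:part:vendor:product:version:...
    return cpe.split(":")[4]

def suspicious_cpes(f):
    """CPEs whose product name occurs in neither groupId nor artifactId.
    Such matches are typically version-only coincidences and go to the top
    of the triage list; a hit here is a hint to verify, not a verdict."""
    haystack = (f.group + " " + f.artifact).lower().replace("-", "_")
    return [c for c in f.cpes if cpe_product(c).lower().replace("-", "_") not in haystack]
```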