scylladb / scylla-jmx

Scylla JMX proxy
GNU Affero General Public License v3.0
28 stars, 51 forks

scylla-apiclient: update several Java dependencies #220

Closed avelanarius closed 8 months ago

avelanarius commented 9 months ago

This PR updates several dependencies which were flagged by security scanners. In particular:

  1. Jackson dependencies: com.fasterxml.jackson.core:jackson-databind used in the project was vulnerable to CVE-2022-42003 and CVE-2022-42004 ("HIGH" severity)
  2. snakeyaml dependency: org.yaml:snakeyaml used in the project was vulnerable to CVE-2022-1471 ("CRITICAL" severity), CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752, CVE-2022-41854
  3. Guava dependency: com.google.guava used in the project was vulnerable to CVE-2023-2976 ("HIGH" severity) and CVE-2020-8908

Please note that at the moment there is no reason to believe that those dependency issues could have affected scylla-jmx itself.

This version of JMX was successfully tested through ScyllaDB CI: https://github.com/scylladb/scylladb/pull/15783#issuecomment-1772830026

Fixes #221 Fixes #222 Fixes #223
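As an added example, not code from this PR or from scylla-jmx, the kind of check a maintainer can run to confirm that a bump like this one actually clears the scanner findings, including on transitive dependencies: a short Python script that reads `mvn dependency:tree` output and flags artifacts still below the advisory fix versions. The dependency-tree lines and the before/after versions below are constructed for the example and are not the versions from this PR. The minimum fixed versions are the ones from the published advisories for the release lines named: jackson-databind 2.13.4.2 on the 2.13 line (2.12.7.1 carries the same fix on the 2.12 line), snakeyaml 2.0 (the first release that fixes CVE-2022-1471), and guava 32.0.0.

```python
"""Flag Maven artifacts that are still below the CVE fix versions.

Added example, not scylla-jmx code. Reads `mvn dependency:tree` text and
reports every artifact whose version is older than the advisory fix version.
"""
import re

# Minimum fixed versions per advisory. Assumption: the project is on these
# release lines (jackson-databind 2.12.7.1 also fixes CVE-2022-42003/42004
# but would be reported here because 2.12.x < 2.13.x).
MIN_FIXED = {
    "com.fasterxml.jackson.core:jackson-databind": (
        "2.13.4.2", ["CVE-2022-42003", "CVE-2022-42004"]),
    "org.yaml:snakeyaml": (
        "2.0", ["CVE-2022-1471", "CVE-2022-25857", "CVE-2022-38749",
                "CVE-2022-38750", "CVE-2022-38751", "CVE-2022-38752",
                "CVE-2022-41854"]),
    "com.google.guava:guava": (
        "32.0.0", ["CVE-2023-2976", "CVE-2020-8908"]),
}

# groupId:artifactId:packaging:version[:scope], as printed by dependency:tree
_TREE_LINE = re.compile(
    r"([\w.\-]+):([\w.\-]+):(?:jar|pom|bundle|war|test-jar):([\w.\-]+)(?::([a-z]+))?")

# Guava's flavour suffixes are not pre-releases; anything else after '-' is.
RELEASE_QUALIFIERS = {"", "jre", "android"}


def parse_version(v):
    """Split 'a.b.c[-qualifier]' into (numeric tuple, lower-cased qualifier)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(.+))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, (m.group(2) or "").lower()


def version_lt(a, b):
    """True if version a is older than b. Missing trailing components count as
    0 (2.13.4 == 2.13.4.0 < 2.13.4.2); a pre-release qualifier such as rc1 or
    SNAPSHOT sorts below the final release with the same numbers."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na = na + (0,) * (width - len(na))
    nb = nb + (0,) * (width - len(nb))
    if na != nb:
        return na < nb
    return qa not in RELEASE_QUALIFIERS and qb in RELEASE_QUALIFIERS


def scan_tree(text):
    """Return [(coordinate, found_version, min_fixed, cves)] for every
    artifact in the tree that is still below its fix version."""
    findings = []
    for line in text.splitlines():
        m = _TREE_LINE.search(line)
        if not m:
            continue
        coord = f"{m.group(1)}:{m.group(2)}"
        version = m.group(3)
        if coord in MIN_FIXED:
            fixed, cves = MIN_FIXED[coord]
            if version_lt(version, fixed):
                findings.append((coord, version, fixed, cves))
    return findings


# Constructed sample trees (not the real scylla-jmx dependency versions).
SAMPLE_BEFORE = "\n".join([
    r"[INFO] example:scylla-apiclient:jar:1.0",
    r"[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile",
    r"[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile",
    r"[INFO] +- org.yaml:snakeyaml:jar:1.30:compile",
    r"[INFO] \- com.google.guava:guava:jar:31.1-jre:compile",
])
SAMPLE_AFTER = "\n".join([
    r"[INFO] example:scylla-apiclient:jar:1.0",
    r"[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile",
    r"[INFO] +- org.yaml:snakeyaml:jar:2.2:compile",
    r"[INFO] \- com.google.guava:guava:jar:32.1.2-jre:compile",
])


def report(text):
    """Human-readable summary of scan_tree(); returns the number of findings."""
    findings = scan_tree(text)
    for coord, found, fixed, cves in findings:
        print(f"{coord} {found} < {fixed}  ({', '.join(cves)})")
    if not findings:
        print("no artifacts below advisory fix versions")
    return len(findings)


if __name__ == "__main__":
    report(SAMPLE_BEFORE)
    report(SAMPLE_AFTER)
```

Feed it real output with `mvn dependency:tree | python3 check_deps.py` after replacing the samples with `sys.stdin.read()`; because the tree lists transitive artifacts too, a bump of a direct dependency that still pulls an old snakeyaml through another path shows up as a finding.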

mykaul commented 8 months ago

@avikivity , @denesb - can you please review? It fixes deps which have known vulnerabilities.

denesb commented 8 months ago

I have no objection to this PR. That said, next is in shambles currently, so I cannot merge.

mykaul commented 8 months ago

> I have no objection to this PR. That said, next is in shambles currently, so I cannot merge.

But that's a different repo - until we update the submodule, we are fine, no?

denesb commented 8 months ago

> > I have no objection to this PR. That said, next is in shambles currently, so I cannot merge.
> 
> But that's a different repo - until we update the submodule, we are fine, no?

Merging this just into scylla-jmx has no effect until the submodule is updated. Also, this PR requires regenerating the dbuild container; merging this just into scylla-jmx will possibly result in a maintainer later accidentally including this change as well when updating the submodule, and breaking the build.

denesb commented 8 months ago

I will give a go at merging this. Note that I have only merged into scylla-jmx's master so far; I will now need to regenerate the scylla-toolchain.

denesb commented 8 months ago

Merge to scylladb/master here: https://github.com/scylladb/scylladb/pull/15907

roydahan commented 7 months ago

@denesb / @avikivity what needs to be done in order to backport to previous releases? We need it eventually in 2022.1.

mykaul commented 7 months ago

> @denesb / @avikivity what needs to be done in order to backport to previous releases? We need it eventually in 2022.1.

All the work that @avelanarius did, into relevant branches and update the submodule(s) in Scylla.

denesb commented 7 months ago

Mostly it needs somebody to do the chore of backporting it. I will try to do it today. @avelanarius I remember there was some problem around snakeyaml. Did you incorporate the fix for that into this PR, or will I have to backport another fix too? Or was that in https://github.com/scylladb/scylla-tools-java/pull/351?

denesb commented 7 months ago

Backport PRs:

denesb commented 7 months ago

Backport PR for 2022.1: https://github.com/scylladb/scylla-enterprise/pull/3620