Closed avelanarius closed 8 months ago
@avikivity , @denesb - can you please review? It fixes deps which have known vulnerabilities.
I have no objection to this PR. That said, next is in shambles currently, so I cannot merge.
But that's a different repo - until we update the submodule, we are fine, no?
Merging this just into scylla-jmx has no effect until the submodule is updated. Also, this PR requires regenerating the dbuild container; merging this just into scylla-jmx will possibly result in a maintainer later accidentally including this change as well when updating the submodule, and breaking the build.
I will give a go at merging this. Note that I only merged into scylla-jmx's master yet, I will now need to regenerate the scylla-toolchain.
Merge to scylladb/master here: https://github.com/scylladb/scylladb/pull/15907
@denesb / @avikivity what needs to be done in order to backport to previous releases? We need it eventually in 2022.1.
All the work that @avelanarius did, into relevant branches and update the submodule(s) in Scylla.
Mostly it needs somebody to do the chore of backporting it. I will try to do it today. @avelanarius I remember there was some problem around snakeyaml. Did you incorporate the fix for that into this PR, or will I have to backport another fix too? Or was that in https://github.com/scylladb/scylla-tools-java/pull/351?
Backport PR for 2022.1: https://github.com/scylladb/scylla-enterprise/pull/3620
This PR updates several dependencies which were flagged by security scanners. In particular:

- com.fasterxml.jackson.core:jackson-databind used in the project was vulnerable to CVE-2022-42003 and CVE-2022-42004 ("HIGH" severity)
- org.yaml:snakeyaml used in the project was vulnerable to CVE-2022-1471 ("CRITICAL" severity), CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, CVE-2022-38752, CVE-2022-41854
- com.google.guava used in the project was vulnerable to CVE-2023-2976 ("HIGH" severity) and CVE-2020-8908

Please note that at the moment there is no reason to believe that those dependency issues could have affected scylla-jmx itself.
This version of JMX was successfully tested through ScyllaDB CI: https://github.com/scylladb/scylladb/pull/15783#issuecomment-1772830026
Fixes #221 Fixes #222 Fixes #223