scylladb / scylla-jmx

Scylla JMX proxy
GNU Affero General Public License v3.0

Use newer hk2-locator in order to get rid of javassist (with a known vulnerable version or whatnot) #231

Closed mykaul closed 6 months ago

mykaul commented 6 months ago

See https://github.com/eclipse-ee4j/glassfish-hk2/issues/30 - it's fixed in 2.5.0, and indeed, when looking at the deps:

[INFO] 
[INFO] --- dependency:2.8:tree (default-cli) @ scylla-apiclient ---
[WARNING] Parameter 'localRepository' is deprecated core expression; Avoid use of ArtifactRepository type. If you need access to local repository, switch to '${repositorySystemSession}' expression and get LRM from it instead.
[INFO] com.scylladb.jmx:scylla-apiclient:jar:1.0
[INFO] +- org.yaml:snakeyaml:jar:2.2:compile
[INFO] +- org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile
[INFO] |  +- (javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile - omitted for duplicate)
[INFO] |  +- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] |  +- org.glassfish.jersey.bundles.repackaged:jersey-guava:jar:2.22.1:compile
[INFO] |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile
[INFO] |  |  +- (org.glassfish.hk2:hk2-utils:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  |  \- (org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  +- org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile
[INFO] |  +- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.1:compile
[INFO] +- javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile
[INFO] +- javax.ws.rs:jsr311-api:jar:1.1.1:compile
[INFO] +- org.glassfish.jersey.core:jersey-client:jar:2.22.1:compile
[INFO] |  +- (javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  \- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] +- org.glassfish.hk2:hk2-locator:jar:2.5.0:compile
[INFO] |  +- org.glassfish.hk2.external:jakarta.inject:jar:2.5.0:compile
[INFO] |  +- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.5.0:compile
[INFO] |  +- (org.glassfish.hk2:hk2-api:jar:2.5.0:compile - omitted for conflict with 2.4.0-b31)
[INFO] |  +- org.glassfish.hk2:hk2-utils:jar:2.5.0:compile
[INFO] |  |  +- (jakarta.annotation:jakarta.annotation-api:jar:1.3.4:compile - omitted for duplicate)
[INFO] |  |  \- (org.glassfish.hk2.external:jakarta.inject:jar:2.5.0:compile - omitted for duplicate)
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.4:compile
[INFO] |  \- org.javassist:javassist:jar:3.22.0-CR2:compile
[INFO] +- org.glassfish:javax.json:jar:1.0.4:compile
[INFO] +- com.google.guava:guava:jar:32.1.3-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.37.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.21.1:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
[INFO] +- com.google.collections:google-collections:jar:1.0:compile
[INFO] +- javax.activation:activation:jar:1.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile - omitted for duplicate)
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile
[INFO] \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.3:compile
[INFO]    +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.3:compile
[INFO]    |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile - omitted for duplicate)
[INFO]    |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile - omitted for duplicate)
[INFO]    \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.3:compile
[INFO]       +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- (com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO]       |  \- (jakarta.activation:jakarta.activation-api:jar:1.2.2:compile - omitted for duplicate)
[INFO]       \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile

Vs. original:

[ykaul@ykaul scylla-apiclient]$ !mv
mvn dependency:tree -Dverbose=true 
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------------< com.scylladb.jmx:scylla-apiclient >------------------
[INFO] Building Scylla REST API client 1.0
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- dependency:2.8:tree (default-cli) @ scylla-apiclient ---
[WARNING] Parameter 'localRepository' is deprecated core expression; Avoid use of ArtifactRepository type. If you need access to local repository, switch to '${repositorySystemSession}' expression and get LRM from it instead.
[INFO] com.scylladb.jmx:scylla-apiclient:jar:1.0
[INFO] +- org.yaml:snakeyaml:jar:2.2:compile
[INFO] +- org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile
[INFO] |  +- (javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile - omitted for duplicate)
[INFO] |  +- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] |  +- org.glassfish.jersey.bundles.repackaged:jersey-guava:jar:2.22.1:compile
[INFO] |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile
[INFO] |  |  +- org.glassfish.hk2:hk2-utils:jar:2.4.0-b31:compile
[INFO] |  |  \- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b31:compile
[INFO] |  +- org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile
[INFO] |  +- org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile
[INFO] |  |  +- (org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  |  +- (org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  |  +- (org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  |  +- (org.glassfish.hk2:hk2-utils:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  |  \- org.javassist:javassist:jar:3.18.1-GA:compile          <-------------------------------------------------------------- XXXXXXXXXXXXX
[INFO] |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.1:compile
[INFO] +- javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile
[INFO] +- javax.ws.rs:jsr311-api:jar:1.1.1:compile
[INFO] +- org.glassfish.jersey.core:jersey-client:jar:2.22.1:compile
[INFO] |  +- (javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  +- (org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  \- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] +- org.glassfish:javax.json:jar:1.0.4:compile
[INFO] +- com.google.guava:guava:jar:32.1.3-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.37.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.21.1:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
[INFO] +- com.google.collections:google-collections:jar:1.0:compile
[INFO] +- javax.activation:activation:jar:1.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile
[INFO] |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile - omitted for duplicate)
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile
[INFO] \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.3:compile
[INFO]    +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.3:compile
[INFO]    |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile - omitted for duplicate)
[INFO]    |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile - omitted for duplicate)
[INFO]    \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.3:compile
[INFO]       +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- (com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile - omitted for duplicate)
[INFO]       +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO]       |  \- (jakarta.activation:jakarta.activation-api:jar:1.2.2:compile - omitted for duplicate)
[INFO]       \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] ------------------------------------------------------------------------

Untested patch:

[ykaul@ykaul scylla-apiclient]$ git diff
diff --git a/scylla-apiclient/pom.xml b/scylla-apiclient/pom.xml
index 7667afe..7a92cf6 100644
--- a/scylla-apiclient/pom.xml
+++ b/scylla-apiclient/pom.xml
@@ -42,6 +42,11 @@
             <artifactId>jersey-client</artifactId>
             <version>2.22.1</version>
         </dependency>
+       <dependency>
+            <groupId>org.glassfish.hk2</groupId>
+            <artifactId>hk2-locator</artifactId>
+            <version>2.5.0</version>
+        </dependency>
         <dependency>
             <groupId>org.glassfish</groupId>
             <artifactId>javax.json</artifactId>
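Review bot: declaring hk2-locator 2.5.0 directly does not get rid of javassist, it only bumps it: the post-patch tree above still lists `org.javassist:javassist:jar:3.22.0-CR2:compile` under hk2-locator 2.5.0, and `CR2` is a candidate-release artifact rather than a GA one. The single direct dependency also leaves the HK2 set split, because jersey-common 2.22.1 still wins `hk2-api` and `hk2.external:javax.inject` at 2.4.0-b31 (`hk2-api:jar:2.5.0:compile - omitted for conflict with 2.4.0-b31`) while hk2-locator, hk2-utils and `hk2.external:jakarta.inject` resolve to 2.5.0, so both inject artifacts end up on the classpath. Suggest pinning every org.glassfish.hk2 artifact that appears in the tree (hk2-api, hk2-utils, hk2-locator, the external javax/jakarta.inject and aopalliance-repackaged) to one version under `<dependencyManagement>` instead, and, if the goal really is no javassist on the classpath, adding an `<exclusion>` for `org.javassist:javassist` and then exercising the REST client at runtime, since the patch is marked untested. Minor: the added `<dependency>` opening tag is indented one space less than its siblings.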

mykaul commented 6 months ago

CC @roydahan , @yaronkaikov - one item out of the list that we need to get rid of. I hope it doesn't break compatibility.
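The two `mvn dependency:tree -Dverbose=true` listings above are the evidence for whether the override worked, and reading them by eye is error-prone. The script below is an added example (not code from scylla-jmx) that parses such a listing, lists the version Maven actually resolved for each artifact, reports whether a direct-dependency override won or lost, and flags a groupId family (all `org.glassfish.hk2*` artifacts) that ends up split across versions. `SAMPLE_TREE` is a constructed excerpt modelled on the post-patch listing; the function names are this example's own.

```python
"""Check what a Maven version override actually did, from the plain output of
`mvn dependency:tree -Dverbose=true` (verbose mode keeps the nodes Maven
dropped, marked "omitted for conflict with X" or "omitted for duplicate").

Added example for this issue, not code from scylla-jmx.  SAMPLE_TREE is a
constructed excerpt modelled on the post-patch listing; all function names
are this example's own.
"""
import re
import sys
from collections import defaultdict

# One artifact line: tree-drawing prefix, optional "(" for verbose nodes,
# group:artifact:type:version[:scope], optional "- omitted for ..." suffix.
NODE_RE = re.compile(
    r"^\[INFO\]\s*(?P<prefix>[|+\\\s-]*)\(?"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>\w+):(?P<version>[^:\s)]+)"
    r"(?::(?P<scope>\w+))?"
    r"(?:\s+-\s+omitted for (?P<reason>duplicate|conflict with [^)\s]+))?"
)

# Constructed excerpt of the post-patch tree (not a full listing).
SAMPLE_TREE = """\
[INFO] --- dependency:2.8:tree (default-cli) @ scylla-apiclient ---
[INFO] com.scylladb.jmx:scylla-apiclient:jar:1.0
[INFO] +- org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile
[INFO] |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile
[INFO] |  |  +- (org.glassfish.hk2:hk2-utils:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  +- org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile
[INFO] |  \\- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] +- org.glassfish.jersey.core:jersey-client:jar:2.22.1:compile
[INFO] |  \\- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] \\- org.glassfish.hk2:hk2-locator:jar:2.5.0:compile
[INFO]    +- org.glassfish.hk2.external:jakarta.inject:jar:2.5.0:compile
[INFO]    +- (org.glassfish.hk2:hk2-api:jar:2.5.0:compile - omitted for conflict with 2.4.0-b31)
[INFO]    +- org.glassfish.hk2:hk2-utils:jar:2.5.0:compile
[INFO]    \\- org.javassist:javassist:jar:3.22.0-CR2:compile
"""


def parse_tree(text):
    """Return one dict per artifact line, in listing order; banner and
    [WARNING] lines do not match NODE_RE and are skipped."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        nodes.append({
            "depth": len(m.group("prefix")) // 3,   # each tree level is 3 chars wide
            "ga": f"{m.group('group')}:{m.group('artifact')}",
            "group": m.group("group"),
            "version": m.group("version"),
            "scope": m.group("scope"),
            "omitted": m.group("reason"),          # None for the node Maven keeps
        })
    return nodes


def resolved_versions(nodes):
    """group:artifact -> version Maven actually put on the classpath (root excluded)."""
    return {n["ga"]: n["version"] for n in nodes if n["omitted"] is None and n["depth"] > 0}


def override_effect(nodes, ga, wanted):
    """Summarise what happened to `ga`: versions kept, versions requested
    somewhere in the tree but dropped by conflict mediation, and whether the
    kept version is exactly `wanted`."""
    kept = sorted({n["version"] for n in nodes if n["ga"] == ga and n["omitted"] is None})
    dropped = sorted({n["version"] for n in nodes
                      if n["ga"] == ga and n["omitted"] and n["omitted"].startswith("conflict")})
    return {"kept": kept, "dropped": dropped, "ok": kept == [wanted]}


def split_family(nodes, group_prefix):
    """Versions in use across a family of groupIds (e.g. org.glassfish.hk2 and
    org.glassfish.hk2.external).  More than one key means the family is mixed,
    which a single direct-dependency override does not prevent."""
    by_version = defaultdict(set)
    for n in nodes:
        if n["omitted"] is None and n["depth"] > 0 and n["group"].startswith(group_prefix):
            by_version[n["version"]].add(n["ga"])
    return {v: sorted(gas) for v, gas in by_version.items()}


if __name__ == "__main__":
    # Pipe a real `mvn dependency:tree -Dverbose=true` run on stdin, else use the excerpt.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    nodes = parse_tree(text)
    for ga, version in sorted(resolved_versions(nodes).items()):
        print(f"{ga} -> {version}")
    print("hk2-locator override:", override_effect(nodes, "org.glassfish.hk2:hk2-locator", "2.5.0"))
    print("hk2-api override:    ", override_effect(nodes, "org.glassfish.hk2:hk2-api", "2.5.0"))
    print("hk2 family split:    ", split_family(nodes, "org.glassfish.hk2"))
```

Run stand-alone it uses the embedded excerpt; piped a full `mvn dependency:tree -Dverbose=true` run it reports on the real tree. On the excerpt it shows hk2-locator resolved at 2.5.0 with 2.4.0-b31 dropped, hk2-api still at 2.4.0-b31 with 2.5.0 dropped, the hk2 family split across two versions, and javassist still present at 3.22.0-CR2.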

roydahan commented 6 months ago

@yaronkaikov is it something that you guys can do or need @avelanarius?

yaronkaikov commented 6 months ago

We need @avelanarius for that.

mykaul commented 6 months ago

Thanks @denesb and @tchaikov . @scylladb/scylla-jmx-maint - let's get it backported ASAP (to 5.4 and more importantly, 5.2) so we can get it into Enterprise release.

denesb commented 6 months ago

I will backport it as soon as the submodule update is promoted (well, as soon as I notice, ping me if you notice sooner).

yaronkaikov commented 6 months ago

@scylladb/scylla-maint Please backport this

mykaul commented 6 months ago

@scylladb/scylla-jmx-maint is a different team of maintainers?

mykaul commented 6 months ago

@yaronkaikov - I thought it was backported (to 5.4 - https://github.com/scylladb/scylladb/commit/00f04e0f9462c39f90b5f15f8a575f2df5426556 ), 5.2 (https://github.com/scylladb/scylladb/commit/abb7ae4309bf92880ecbdfa32fe3c68bc70196a3 ) ?

yaronkaikov commented 6 months ago

> @yaronkaikov - I thought it was backported (to 5.4 - scylladb/scylladb@00f04e0 ), 5.2 (scylladb/scylladb@abb7ae4 ) ?

Yes, it was.

denesb commented 6 months ago

> @scylladb/scylla-jmx-maint is a different team of maintainers?

I think in practice it is the same as @scylladb/scylla-maint.