scylladb / scylla-jmx

Scylla JMX proxy
GNU Affero General Public License v3.0

Use newer hk2-locator in order to get rid of javassist #233

Closed yaronkaikov closed 6 months ago

yaronkaikov commented 6 months ago

(with a known vulnerable version or whatnot)

Fixes: scylladb#231

yaronkaikov commented 6 months ago

I have compiled it locally and it worked, we should run it through CI before updating the submodule

mykaul commented 6 months ago

What do you get when you run mvn dependency:tree -Dverbose=true ?

yaronkaikov commented 6 months ago

[INFO] com.scylladb.jmx:scylla-jmx:jar:1.0
[INFO] +- com.scylladb.jmx:scylla-apiclient:jar:1.0:compile
[INFO] |  +- org.yaml:snakeyaml:jar:2.2:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile
[INFO] |  |  +- (javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile - omitted for duplicate)
[INFO] |  |  +- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] |  |  +- org.glassfish.jersey.bundles.repackaged:jersey-guava:jar:2.22.1:compile
[INFO] |  |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile
[INFO] |  |  |  +- (org.glassfish.hk2:hk2-utils:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  |  |  \- (org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  |  +- org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile
[INFO] |  |  +- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.1:compile
[INFO] |  +- javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile
[INFO] |  +- javax.ws.rs:jsr311-api:jar:1.1.1:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-client:jar:2.22.1:compile
[INFO] |  |  +- (javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile - omitted for duplicate)
[INFO] |  |  +- (org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile - omitted for duplicate)
[INFO] |  |  +- (org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  |  +- (org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  |  \- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for duplicate)
[INFO] |  +- org.glassfish.hk2:hk2-locator:jar:2.5.0:compile
[INFO] |  |  +- org.glassfish.hk2.external:jakarta.inject:jar:2.5.0:compile
[INFO] |  |  +- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.5.0:compile
[INFO] |  |  +- (org.glassfish.hk2:hk2-api:jar:2.5.0:compile - omitted for conflict with 2.4.0-b31)
[INFO] |  |  +- org.glassfish.hk2:hk2-utils:jar:2.5.0:compile
[INFO] |  |  |  +- (jakarta.annotation:jakarta.annotation-api:jar:1.3.4:compile - omitted for duplicate)
[INFO] |  |  |  \- (org.glassfish.hk2.external:jakarta.inject:jar:2.5.0:compile - omitted for duplicate)
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.4:compile
[INFO] |  |  \- org.javassist:javassist:jar:3.22.0-CR2:compile
[INFO] |  +- org.glassfish:javax.json:jar:1.0.4:compile
[INFO] |  +- com.google.guava:guava:jar:32.1.3-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:3.37.0:compile
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.21.1:compile
[INFO] |  |  \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
[INFO] |  +- com.google.collections:google-collections:jar:1.0:compile
[INFO] |  +- javax.activation:activation:jar:1.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile
[INFO] |  |  +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile - omitted for duplicate)
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile
[INFO] |  \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.3:compile
[INFO] |     +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.3:compile
[INFO] |     |  +- (com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile - omitted for duplicate)
[INFO] |     |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile - omitted for duplicate)
[INFO] |     \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.3:compile
[INFO] |        +- (com.fasterxml.jackson.core:jackson-annotations:jar:2.15.3:compile - omitted for duplicate)
[INFO] |        +- (com.fasterxml.jackson.core:jackson-core:jar:2.15.3:compile - omitted for duplicate)
[INFO] |        +- (com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile - omitted for duplicate)
[INFO] |        +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] |        |  \- (jakarta.activation:jakarta.activation-api:jar:1.2.2:compile - omitted for duplicate)
[INFO] |        \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] \- junit:junit:jar:4.13.1:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  8.224 s
[INFO] Finished at: 2024-01-08T08:59:30+02:00
[INFO] ------------------------------------------------------------------------

denesb commented 6 months ago

I have compiled it locally and it worked, we should run it through CI before updating the submodule

If you think this is possibly a risky upgrade, you can create a PR in scylla.git, where you update tools/java to point to this branch in your fork. This way, we can get CI, without committing this to scylla-tools-java.git master (and potentially blocking submodule updates).

mykaul commented 6 months ago

[INFO] |  |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile
[INFO] |  |  |  +- (org.glassfish.hk2:hk2-utils:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  |  |  \- (org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  |  +- org.glassfish.hk2.external:javax.inject:jar:2.4.0-b31:compile
[INFO] |  |  +- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)

I think this might be problematic. Meaning that you may need to also update hk2-api ... :-( it's a never-ending story, which starts from the fact we have deps from 2016 or so...
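One way to check this mechanically rather than by eye, as an added example that is not part of the scylla-jmx project or this thread: a small parser for the verbose `mvn dependency:tree` output posted above that reports which version Maven actually kept for each artifact, where one groupId ends up with mixed versions on the classpath (hk2-api 2.4.0-b31 beside hk2-locator 2.5.0), and whether javassist is still resolved. The embedded excerpt is constructed from the tree quoted above; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt of the `mvn dependency:tree -Dverbose=true` output quoted in the thread.
TREE = """
[INFO] com.scylladb.jmx:scylla-jmx:jar:1.0
[INFO] +- com.scylladb.jmx:scylla-apiclient:jar:1.0:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:2.22.1:compile
[INFO] |  |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b31:compile
[INFO] |  |  |  +- (org.glassfish.hk2:hk2-utils:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  |  +- (org.glassfish.hk2:hk2-locator:jar:2.4.0-b31:compile - omitted for conflict with 2.5.0)
[INFO] |  +- org.glassfish.hk2:hk2-locator:jar:2.5.0:compile
[INFO] |  |  +- (org.glassfish.hk2:hk2-api:jar:2.5.0:compile - omitted for conflict with 2.4.0-b31)
[INFO] |  |  +- org.glassfish.hk2:hk2-utils:jar:2.5.0:compile
[INFO] |  |  \\- org.javassist:javassist:jar:3.22.0-CR2:compile
"""

# One tree node: group:artifact:type:version:scope, optionally parenthesised with an "omitted for" reason.
LINE = re.compile(
    r"\[INFO\]\s*[|\s]*[+\\]-\s*\(?"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
    r"(?:\s*-\s*omitted for (?P<reason>duplicate|conflict with (?P<winner>[\w.\-]+)))?\)?"
)

def parse_tree(text):
    """Return one dict per dependency node; the root line has no '+-' and is skipped."""
    deps = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            d = m.groupdict()
            d["omitted"] = d["reason"] is not None
            deps.append(d)
    return deps

def resolved_versions(deps):
    """group:artifact -> version Maven kept (non-omitted nodes only)."""
    return {f"{d['group']}:{d['artifact']}": d["version"] for d in deps if not d["omitted"]}

def version_skew(deps, group):
    """Resolved versions per exact groupId; more than one key means the group is mixed."""
    versions = defaultdict(set)
    for ga, v in resolved_versions(deps).items():
        if ga.startswith(group + ":"):
            versions[v].add(ga)
    return dict(versions)

def conflicts(deps):
    """(group:artifact, losing version, winning version) for every 'omitted for conflict' node."""
    return [(f"{d['group']}:{d['artifact']}", d["version"], d["winner"]) for d in deps if d["winner"]]

def present(deps, ga):
    """True if group:artifact is on the resolved classpath, e.g. to confirm javassist is really gone."""
    return ga in resolved_versions(deps)
```

Run it against the full `mvn dependency:tree -Dverbose=true` output instead of the excerpt to see every artifact that lost a conflict and every group that is split across versions.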

yaronkaikov commented 6 months ago

Closing this in favor of https://github.com/scylladb/scylla-jmx/pull/234