[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17792125#comment-17792125 ]
Brandon Williams edited comment on CASSANDRA-18875 at 12/1/23 4:29 PM:
-----------------------------------------------------------------------

Unfortunately, this broke OWASP:
{quote}
BUILD FAILED
/home/user/cassandra/trunk/.build/build-owasp.xml:82: One or more exceptions occurred during analysis:
org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse caused by InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
 at [Source: (InputStreamReader); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
NoDataException: No documents exist
    at org.owasp.dependencycheck.Engine.throwFatalExceptionCollection(Engine.java:1175)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:637)
    at org.owasp.dependencycheck.taskdefs.Check.callExecuteAnalysis(Check.java:2084)
    at org.owasp.dependencycheck.taskdefs.Check.executeWithContextClassloader(Check.java:2041)
    at org.owasp.dependencycheck.taskdefs.Purge.execute(Purge.java:151)
    at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
    at jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
    at org.apache.tools.ant.Task.perform(Task.java:350)
    at org.apache.tools.ant.Target.execute(Target.java:449)
    at org.apache.tools.ant.Target.performTasks(Target.java:470)
    at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1401)
    at org.apache.tools.ant.Project.executeTarget(Project.java:1374)
    at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
    at org.apache.tools.ant.Project.executeTargets(Project.java:1264)
    at org.apache.tools.ant.Main.runBuild(Main.java:827)
    at org.apache.tools.ant.Main.startAnt(Main.java:223)
    at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
    at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)
Next Exception: org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse
    at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:84)
    at org.owasp.dependencycheck.data.update.KnownExploitedDataSource.update(KnownExploitedDataSource.java:82)
    at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:900)
    at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:705)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:631)
    at org.owasp.dependencycheck.taskdefs.Check.callExecuteAnalysis(Check.java:2084)
    at org.owasp.dependencycheck.taskdefs.Check.executeWithContextClassloader(Check.java:2041)
    at org.owasp.dependencycheck.taskdefs.Purge.execute(Purge.java:151)
    at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
    at jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
    at org.apache.tools.ant.Task.perform(Task.java:350)
    at org.apache.tools.ant.Target.execute(Target.java:449)
    at org.apache.tools.ant.Target.performTasks(Target.java:470)
    at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1401)
    at org.apache.tools.ant.Project.executeTarget(Project.java:1374)
    at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
    at org.apache.tools.ant.Project.executeTargets(Project.java:1264)
    at org.apache.tools.ant.Main.runBuild(Main.java:827)
    at org.apache.tools.ant.Main.startAnt(Main.java:223)
    at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
    at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)
Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
 at [Source: (InputStreamReader); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
    at com.fasterxml.jackson.databind.exc.InvalidFormatException.from(InvalidFormatException.java:67)
    at com.fasterxml.jackson.databind.DeserializationContext.weirdStringException(DeserializationContext.java:2002)
    at com.fasterxml.jackson.databind.DeserializationContext.handleWeirdStringValue(DeserializationContext.java:1230)
    at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1362)
    at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1304)
    at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateBasedDeserializer._parseDate(DateDeserializers.java:201)
    at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:303)
    at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:281)
    at com.fasterxml.jackson.module.blackbird.deser.SettableObjectProperty.deserializeAndSet(SettableObjectProperty.java:44)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:278)
    at com.fasterxml.jackson.module.blackbird.deser.SuperSonicBeanDeserializer.deserialize(SuperSonicBeanDeserializer.java:155)
    at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
    at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:2079)
    at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:1229)
    at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:77)
    ... 23 more
Next Exception: org.owasp.dependencycheck.exception.NoDataException: No documents exist
    at org.owasp.dependencycheck.Engine.ensureDataExists(Engine.java:1157)
    at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:635)
    at org.owasp.dependencycheck.taskdefs.Check.callExecuteAnalysis(Check.java:2084)
    at org.owasp.dependencycheck.taskdefs.Check.executeWithContextClassloader(Check.java:2041)
    at org.owasp.dependencycheck.taskdefs.Purge.execute(Purge.java:151)
    at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
    at jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
    at org.apache.tools.ant.Task.perform(Task.java:350)
    at org.apache.tools.ant.Target.execute(Target.java:449)
    at org.apache.tools.ant.Target.performTasks(Target.java:470)
    at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1401)
    at org.apache.tools.ant.Project.executeTarget(Project.java:1374)
    at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
    at org.apache.tools.ant.Project.executeTargets(Project.java:1264)
    at org.apache.tools.ant.Main.runBuild(Main.java:827)
    at org.apache.tools.ant.Main.startAnt(Main.java:223)
    at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
    at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)

Total time: 2 seconds
{quote}
Upgrading OWASP to 9.0.2 may fix it, but "cveValidForHours" is no longer valid and says:
{quote}
[dependency-check] An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
[dependency-check] NVD API has 231,947 records in this update
{quote}
and then proceeds to take longer than I have patience to find out how long it can take.

I think we need to revert this ticket and make it depend on a new ticket upgrading OWASP, unless we can find some workaround to have the newer Jackson parse the date format it's now complaining about.
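The workaround floated at the end of the comment (having the newer Jackson accept the malformed `dateReleased` value instead of failing the whole update) can be prototyped as a custom `java.util.Date` deserializer. The code below is an added example, not code from dependency-check, Cassandra or Jackson: it repairs exactly one observed defect, the doubled `.` before the fractional seconds in `2023-12-01T15:09:26..642Z`, parses the result strictly as an ISO-8601 instant, and hands anything else back to Jackson's normal error path so that other feed corruption still fails loudly. The `KevCatalog` class, the `LenientKevDateExample` and `LenientDateDeserializer` names, `normalizeTimestamp`, and the JSON sample are all constructed for this example; they are not dependency-check's `KnownExploitedVulnerabilitiesSchema` or its parser.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;

import java.io.IOException;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.Date;
import java.util.regex.Pattern;

// Added example (not dependency-check or Jackson code): tolerate the one known
// malformation in the KEV "dateReleased" field, stay strict about everything else.
public class LenientKevDateExample {

    // Matches the doubled "." fraction separator seen in the failing feed: "...:26..642Z".
    private static final Pattern DOUBLE_DOT_FRACTION =
        Pattern.compile("(\\d{2}:\\d{2}:\\d{2})\\.\\.(\\d+)(Z|[+-]\\d{2}:?\\d{2})$");

    // Collapse "HH:mm:ss..SSS" to "HH:mm:ss.SSS"; any other input is returned unchanged.
    static String normalizeTimestamp(String raw) {
        return DOUBLE_DOT_FRACTION.matcher(raw).replaceFirst("$1.$2$3");
    }

    // Hypothetical deserializer registered for java.util.Date only in the mapper below.
    public static final class LenientDateDeserializer extends StdDeserializer<Date> {
        public LenientDateDeserializer() { super(Date.class); }

        @Override
        public Date deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String raw = p.getText().trim();
            String fixed = normalizeTimestamp(raw);
            try {
                // Strict ISO-8601 parse after the single known repair.
                return Date.from(Instant.parse(fixed));
            } catch (DateTimeParseException e) {
                // Anything else goes through Jackson's normal "weird string" handling,
                // which produces the same InvalidFormatException the build log shows.
                return (Date) ctxt.handleWeirdStringValue(Date.class, raw,
                    "not an ISO-8601 instant: %s", e.getMessage());
            }
        }
    }

    // Constructed stand-in for the two catalog header fields that matter here.
    public static final class KevCatalog {
        public String title;
        public Date dateReleased;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample mimicking the feed header that broke the build.
        String json = "{\"title\":\"CISA Catalog of Known Exploited Vulnerabilities\","
                    + "\"dateReleased\":\"2023-12-01T15:09:26..642Z\"}";

        ObjectMapper mapper = new ObjectMapper()
            .registerModule(new SimpleModule()
                .addDeserializer(Date.class, new LenientDateDeserializer()));

        KevCatalog catalog = mapper.readValue(json, KevCatalog.class);
        System.out.println("dateReleased = " + catalog.dateReleased.toInstant());
    }
}
```

The design choice worth keeping if something like this is ever adopted: the repair is an explicit allow-list of one known defect, not a general "parse whatever you can" fallback. A fully lenient date parser would let a corrupted or truncated KEV catalog load as if it were valid, which silently weakens the known-exploited check that dependency-check is supposed to add; with the narrow repair, any other malformation still fails the build the same way the log above shows.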
> Upgrade the snakeyaml library version
> -------------------------------------
>
>                 Key: CASSANDRA-18875
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
>             Project: Cassandra
>          Issue Type: Task
>          Components: Local/Config
>            Reporter: Jai Bheemsen Rao Dhanwada
>            Assignee: Raymond Huffman
>            Priority: Normal
>             Fix For: 5.1-alpha1
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency and there are several [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] in this version that can be fixed by upgrading to the 2.x version. I understand that this is not a security issue as Cassandra already uses SafeConstructor and is not a vulnerability under OWASP, so there are no plans to fix it as per CASSANDRA-18122.
>
> Cassandra is open source, used and distributed by many enterprise customers, and when downloading Cassandra as a tar and using it, external scanners are not aware of the implementation of SafeConstructor and have no idea if it's vulnerable or not.
>
> Can we consider upgrading the version to 2.x in the next releases, as snakeyaml is not something that has a large dependency between the major and minor versions? I am happy to open a PR for this. Please let me know your thoughts on this.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)