[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17792125#comment-17792125 ]

Brandon Williams edited comment on CASSANDRA-18875 at 12/1/23 4:29 PM:
-----------------------------------------------------------------------

Unfortunately, this broke OWASP:

{quote}
BUILD FAILED
/home/user/cassandra/trunk/.build/build-owasp.xml:82: One or more exceptions occurred during analysis:
org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
        UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse
                caused by InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
 at [Source: (InputStreamReader); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
        NoDataException: No documents exist
        at org.owasp.dependencycheck.Engine.throwFatalExceptionCollection(Engine.java:1175)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:637)
        at org.owasp.dependencycheck.taskdefs.Check.callExecuteAnalysis(Check.java:2084)
        at org.owasp.dependencycheck.taskdefs.Check.executeWithContextClassloader(Check.java:2041)
        at org.owasp.dependencycheck.taskdefs.Purge.execute(Purge.java:151)
        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
        at jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
        at org.apache.tools.ant.Task.perform(Task.java:350)
        at org.apache.tools.ant.Target.execute(Target.java:449)
        at org.apache.tools.ant.Target.performTasks(Target.java:470)
        at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1401)
        at org.apache.tools.ant.Project.executeTarget(Project.java:1374)
        at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
        at org.apache.tools.ant.Project.executeTargets(Project.java:1264)
        at org.apache.tools.ant.Main.runBuild(Main.java:827)
        at org.apache.tools.ant.Main.startAnt(Main.java:223)
        at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
        at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)
Next Exception:
org.owasp.dependencycheck.data.update.exception.UpdateException: Unable to find the CISA Known Exploited Vulnerabilities file to parse
        at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:84)
        at org.owasp.dependencycheck.data.update.KnownExploitedDataSource.update(KnownExploitedDataSource.java:82)
        at org.owasp.dependencycheck.Engine.doUpdates(Engine.java:900)
        at org.owasp.dependencycheck.Engine.initializeAndUpdateDatabase(Engine.java:705)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:631)
        at org.owasp.dependencycheck.taskdefs.Check.callExecuteAnalysis(Check.java:2084)
        at org.owasp.dependencycheck.taskdefs.Check.executeWithContextClassloader(Check.java:2041)
        at org.owasp.dependencycheck.taskdefs.Purge.execute(Purge.java:151)
        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
        at jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
        at org.apache.tools.ant.Task.perform(Task.java:350)
        at org.apache.tools.ant.Target.execute(Target.java:449)
        at org.apache.tools.ant.Target.performTasks(Target.java:470)
        at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1401)
        at org.apache.tools.ant.Project.executeTarget(Project.java:1374)
        at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
        at org.apache.tools.ant.Project.executeTargets(Project.java:1264)
        at org.apache.tools.ant.Main.runBuild(Main.java:827)
        at org.apache.tools.ant.Main.startAnt(Main.java:223)
        at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
        at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)
Caused by: com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `java.util.Date` from String "2023-12-01T15:09:26..642Z": not a valid representation (error: Failed to parse Date value '2023-12-01T15:09:26..642Z': Cannot parse date "2023-12-01T15:09:26..642Z": while it seems to fit format 'yyyy-MM-dd'T'HH:mm:ss.SSSX', parsing fails (leniency? null))
 at [Source: (InputStreamReader); line: 4, column: 21] (through reference chain: org.owasp.dependencycheck.data.knownexploited.json.KnownExploitedVulnerabilitiesSchema["dateReleased"])
        at com.fasterxml.jackson.databind.exc.InvalidFormatException.from(InvalidFormatException.java:67)
        at com.fasterxml.jackson.databind.DeserializationContext.weirdStringException(DeserializationContext.java:2002)
        at com.fasterxml.jackson.databind.DeserializationContext.handleWeirdStringValue(DeserializationContext.java:1230)
        at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1362)
        at com.fasterxml.jackson.databind.deser.std.StdDeserializer._parseDate(StdDeserializer.java:1304)
        at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateBasedDeserializer._parseDate(DateDeserializers.java:201)
        at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:303)
        at com.fasterxml.jackson.databind.deser.std.DateDeserializers$DateDeserializer.deserialize(DateDeserializers.java:281)
        at com.fasterxml.jackson.module.blackbird.deser.SettableObjectProperty.deserializeAndSet(SettableObjectProperty.java:44)
        at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:278)
        at com.fasterxml.jackson.module.blackbird.deser.SuperSonicBeanDeserializer.deserialize(SuperSonicBeanDeserializer.java:155)
        at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
        at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:2079)
        at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:1229)
        at org.owasp.dependencycheck.data.update.cisa.KnownExploitedVulnerabilityParser.parse(KnownExploitedVulnerabilityParser.java:77)
        ... 23 more
Next Exception:
org.owasp.dependencycheck.exception.NoDataException: No documents exist
        at org.owasp.dependencycheck.Engine.ensureDataExists(Engine.java:1157)
        at org.owasp.dependencycheck.Engine.analyzeDependencies(Engine.java:635)
        at org.owasp.dependencycheck.taskdefs.Check.callExecuteAnalysis(Check.java:2084)
        at org.owasp.dependencycheck.taskdefs.Check.executeWithContextClassloader(Check.java:2041)
        at org.owasp.dependencycheck.taskdefs.Purge.execute(Purge.java:151)
        at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
        at jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
        at org.apache.tools.ant.Task.perform(Task.java:350)
        at org.apache.tools.ant.Target.execute(Target.java:449)
        at org.apache.tools.ant.Target.performTasks(Target.java:470)
        at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1401)
        at org.apache.tools.ant.Project.executeTarget(Project.java:1374)
        at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
        at org.apache.tools.ant.Project.executeTargets(Project.java:1264)
        at org.apache.tools.ant.Main.runBuild(Main.java:827)
        at org.apache.tools.ant.Main.startAnt(Main.java:223)
        at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
        at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)

Total time: 2 seconds
{quote}

Upgrading OWASP to 9.0.2 may fix it, but "cveValidForHours" is no longer valid 
and says:

{quote}
[dependency-check] An NVD API Key was not provided - it is highly recommended 
to use an NVD API key as the update can take a VERY long time without an API Key
[dependency-check] NVD API has 231,947 records in this update
{quote}

and then proceeds to take longer than I have patience to find out how long it 
can take.  I think we need to revert this ticket and make it depend on a new 
ticket upgrading OWASP, unless we can find some workaround to have the newer 
jackson parse the date format it's now complaining about.
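
A pre-flight check for the KEV feed, as an added example that is not Cassandra's or dependency-check's own code: it mirrors the strict `yyyy-MM-dd'T'HH:mm:ss.SSSX` pattern named in the stack trace so a CI step can reject the malformed `dateReleased` with a one-line message, or write a narrowly repaired copy, before the Ant target ever reaches Jackson. The feed's top-level keys and values are constructed for the sample, with the bad timestamp placed on line 4 as in the reported location.

```python
"""Pre-flight check for the CISA KEV feed that dependency-check parses.
Added example, not Cassandra's or dependency-check's code: it mirrors the
strict pattern yyyy-MM-dd'T'HH:mm:ss.SSSX named in the stack trace."""
import json
import re
from datetime import datetime, timedelta, timezone

# Java pattern as a regex: three fraction digits, then a zone. Assumption: only
# the 'Z' and '+HH'/'-HH' forms of Java's 'X' zone letter are accepted here.
_STRICT = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})\.(\d{3})(Z|[+-]\d{2})$")
# The one malformation in the report: a doubled '.' before the milliseconds.
_DOUBLE_DOT = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\.(\d{3}(?:Z|[+-]\d{2}))$")

# Constructed sample: only the keys used here, the bad value on line 4 to match
# the reported "line: 4, column: 21" location.
BAD_FEED = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2023.12.01",
  "dateReleased": "2023-12-01T15:09:26..642Z",
  "count": 0,
  "vulnerabilities": []
}"""


def parse_strict(value: str) -> datetime:
    """Parse exactly what the strict pattern allows, else raise ValueError."""
    m = _STRICT.match(value)
    if not m:
        raise ValueError(f"{value!r} does not match yyyy-MM-dd'T'HH:mm:ss.SSSX")
    y, mo, d, h, mi, s, ms, zone = m.groups()
    tz = timezone.utc if zone == "Z" else timezone(timedelta(hours=int(zone)))
    # datetime() rejects out-of-range fields (month 13, hour 25) on its own.
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                    int(ms) * 1000, tzinfo=tz)


def repair_timestamp(value: str) -> str:
    """Collapse a doubled fraction separator; leave any other input untouched."""
    m = _DOUBLE_DOT.match(value)
    return f"{m.group(1)}.{m.group(2)}" if m else value


def check_kev_feed(text: str, repair: bool = False):
    """Return (problems, feed). With repair=True the feed dict gets the repaired
    dateReleased, but only if the repaired form itself passes the strict check."""
    feed = json.loads(text)
    value = feed.get("dateReleased")
    if not isinstance(value, str):
        return ["dateReleased is missing or not a string"], feed
    try:
        parse_strict(value)
        return [], feed
    except ValueError as exc:
        problems = [f"dateReleased: {exc}"]
    fixed = repair_timestamp(value)
    try:
        if fixed != value:
            parse_strict(fixed)
            problems.append(f"doubled '.' in timestamp; repaired form is {fixed!r}")
            if repair:
                feed["dateReleased"] = fixed
    except ValueError:
        pass  # repair did not yield a strictly valid value; report only
    return problems, feed
```

Run `check_kev_feed` over the downloaded feed before the OWASP target; a non-empty problem list tells the build why the update would fail, and `repair=True` yields a copy that the strict parser accepts.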


> Upgrade the snakeyaml library version
> -------------------------------------
>
>                 Key: CASSANDRA-18875
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18875
>             Project: Cassandra
>          Issue Type: Task
>          Components: Local/Config
>            Reporter: Jai Bheemsen Rao Dhanwada
>            Assignee: Raymond Huffman
>            Priority: Normal
>             Fix For: 5.1-alpha1
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Apache Cassandra uses version 1.26 of the snakeyaml dependency and there are 
> several 
> [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] 
> in this version that can be fixed by upgrading to the 2.x version. I understand 
> that this is not a security issue as Cassandra already uses SafeConstructor and 
> is not a vulnerability under OWASP, so there are no plans to fix it as per 
> CASSANDRA-18122.
>  
> Cassandra as open source is used and distributed by many enterprise customers, 
> and also when downloading Cassandra as a tar and using it, external scanners 
> are not aware of the implementation of SafeConstructor and have no idea if it's 
> vulnerable or not. 
> Can we consider upgrading the version to 2.x in the next releases, as 
> snakeyaml is not something that has a large dependency between the major and 
> minor versions? I am happy to open a PR for this. Please let me know your 
> thoughts on this.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
