[
https://issues.apache.org/jira/browse/CASSANDRA-19484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17829629#comment-17829629
]
Ariel Weisberg edited comment on CASSANDRA-19484 at 3/21/24 5:43 PM:
---------------------------------------------------------------------
*edit* Removed a bunch of incorrectly generated dependencies with CVEs to
shorten the comment thread.
was (Author: aweisberg):
3.0
{noformat}
cassandra-client-4.0.35.jar/META-INF/maven/com.apple.pie.cassandra/pie-cassandra-driver-core/pom.xml:
CVE-2010-0538
cassandra-client-4.0.35.jar/META-INF/maven/com.apple.pie.cassandra/pie-cassandra-driver-mapping/pom.xml:
CVE-2010-0538
jackson-databind-2.13.2.2.jar: CVE-2023-35116, CVE-2022-42003, CVE-2022-42004
snappy-java-1.1.8.4.jar: CVE-2023-34455, CVE-2023-34454, CVE-2023-34453,
CVE-2023-43642
{noformat}
3.11
{noformat}
cassandra-client-4.0.35.jar/META-INF/maven/com.apple.pie.cassandra/pie-cassandra-driver-core/pom.xml:
CVE-2010-0538
cassandra-client-4.0.35.jar/META-INF/maven/com.apple.pie.cassandra/pie-cassandra-driver-mapping/pom.xml:
CVE-2010-0538
jackson-mapper-asl-1.9.2.jar: CVE-2017-7525, CVE-2019-10172
snakeyaml-1.11.jar: CVE-2017-18640
snappy-java-1.1.8.4.jar: CVE-2023-34455, CVE-2023-34454, CVE-2023-34453,
CVE-2023-43642
{noformat}
4.0
{noformat}
cassandra-client-4.0.35.jar/META-INF/maven/com.apple.pie.cassandra/pie-cassandra-driver-core/pom.xml:
CVE-2010-0538
cassandra-client-4.0.35.jar/META-INF/maven/com.apple.pie.cassandra/pie-cassandra-driver-mapping/pom.xml:
CVE-2010-0538
guava-18.0.jar: CVE-2018-10237
jackson-mapper-asl-1.9.2.jar: CVE-2017-7525, CVE-2019-10172
libthrift-0.9.2.jar: CVE-2016-5397, CVE-2018-1320, CVE-2015-3254,
CVE-2018-11798, CVE-2019-0205
netty-all-4.0.44.Final.jar: CVE-2019-16869, CVE-2019-20445, CVE-2019-20444,
CVE-2020-7238
snakeyaml-1.11.jar: CVE-2017-18640
snappy-java-1.1.8.4.jar: CVE-2023-34455, CVE-2023-34454, CVE-2023-34453,
CVE-2023-43642
thrift-server-0.3.7.jar: CVE-2016-5397, CVE-2015-3254, CVE-2019-0205
{noformat}
4.1
{noformat}
cassandra-client-4.0.35.jar/META-INF/maven/com.apple.pie.cassandra/pie-cassandra-driver-core/pom.xml:
CVE-2010-0538
cassandra-client-4.0.35.jar/META-INF/maven/com.apple.pie.cassandra/pie-cassandra-driver-mapping/pom.xml:
CVE-2010-0538
guava-18.0.jar: CVE-2018-10237
jackson-mapper-asl-1.9.2.jar: CVE-2017-7525, CVE-2019-10172
libthrift-0.9.2.jar: CVE-2016-5397, CVE-2018-1320, CVE-2015-3254,
CVE-2018-11798, CVE-2019-0205
netty-all-4.0.44.Final.jar: CVE-2019-16869, CVE-2019-20445, CVE-2019-20444,
CVE-2020-7238
snakeyaml-1.11.jar: CVE-2017-18640
snappy-java-1.1.8.4.jar: CVE-2023-34455, CVE-2023-34454, CVE-2023-34453,
CVE-2023-43642
thrift-server-0.3.7.jar: CVE-2016-5397, CVE-2015-3254, CVE-2019-0205
{noformat}
5.0
{noformat}
guava-18.0.jar: CVE-2020-8908, CVE-2018-10237, CVE-2023-2976
guava-27.0-jre.jar: CVE-2020-8908, CVE-2023-2976
jackson-mapper-asl-1.9.2.jar: CVE-2017-7525, CVE-2019-10172
libthrift-0.9.2.jar: CVE-2016-5397, CVE-2018-1320, CVE-2015-3254,
CVE-2018-11798, CVE-2019-0205
netty-all-4.0.44.Final.jar: CVE-2021-43797, CVE-2019-16869, CVE-2021-37136,
CVE-2021-37137, CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2023-34462,
CVE-2021-21290, CVE-2022-24823, CVE-2022-41881, CVE-2021-21409, CVE-2020-7238
netty-all-4.1.58.Final.jar: CVE-2021-43797, CVE-2021-37136, CVE-2021-37137,
CVE-2022-24823, CVE-2022-41881, CVE-2021-21295, CVE-2021-21409, CVE-2023-34462,
CVE-2021-21290
snakeyaml-1.11.jar: CVE-2017-18640
snappy-java-1.1.8.4.jar: CVE-2023-34455, CVE-2023-34454, CVE-2023-34453,
CVE-2023-43642
thrift-server-0.3.7.jar: CVE-2016-5397, CVE-2015-3254, CVE-2019-0205
{noformat}
trunk
{noformat}
cassandra-client-4.0.35.jar/META-INF/maven/com.apple.pie.cassandra/pie-cassandra-driver-core/pom.xml:
CVE-2010-0538
cassandra-client-4.0.35.jar/META-INF/maven/com.apple.pie.cassandra/pie-cassandra-driver-mapping/pom.xml:
CVE-2010-0538
guava-18.0.jar: CVE-2020-8908, CVE-2018-10237, CVE-2023-2976
guava-27.0-jre.jar: CVE-2020-8908, CVE-2023-2976
jackson-databind-2.13.2.2.jar: CVE-2022-42003, CVE-2022-42004
jackson-mapper-asl-1.9.2.jar: CVE-2017-7525, CVE-2019-10172
libthrift-0.9.2.jar: CVE-2016-5397, CVE-2018-1320, CVE-2015-3254,
CVE-2018-11798, CVE-2019-0205
netty-all-4.0.44.Final.jar: CVE-2021-43797, CVE-2019-16869, CVE-2021-37136,
CVE-2021-37137, CVE-2019-20445, CVE-2019-20444, CVE-2021-21295, CVE-2023-34462,
CVE-2021-21290, CVE-2022-24823, CVE-2022-41881, CVE-2021-21409, CVE-2020-7238
netty-all-4.1.58.Final.jar: CVE-2021-43797, CVE-2021-37136, CVE-2021-37137,
CVE-2022-24823, CVE-2022-41881, CVE-2021-21295, CVE-2021-21409, CVE-2023-34462,
CVE-2021-21290
snakeyaml-1.11.jar: CVE-2017-18640, CVE-2022-38752, CVE-2022-38751,
CVE-2022-38750, CVE-2022-41854, CVE-2022-25857, CVE-2022-38749, CVE-2022-1471
snakeyaml-1.26.jar: CVE-2022-38752, CVE-2022-38751, CVE-2022-38750,
CVE-2022-41854, CVE-2022-25857, CVE-2022-38749, CVE-2022-1471
snappy-java-1.1.8.4.jar: CVE-2023-34455, CVE-2023-34454, CVE-2023-34453,
CVE-2023-43642
thrift-server-0.3.7.jar: CVE-2016-5397, CVE-2015-3254, CVE-2019-0205
{noformat}
> Add support for providing nvdDatafeedUrl to OWASP
> -------------------------------------------------
>
> Key: CASSANDRA-19484
> URL: https://issues.apache.org/jira/browse/CASSANDRA-19484
> Project: Cassandra
> Issue Type: Improvement
> Components: Build
> Reporter: Ariel Weisberg
> Assignee: Ariel Weisberg
> Priority: Normal
> Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x, 5.x
>
>
> This allows you to point to a mirror that is faster and doesn’t require an
> API key.
> This is kind of painful to make work in {{ant}} because you can't specify the
> property at all if you want to use the API and I couldn't find a way to get
> {{ant}} to conditionally supply the property without having a dedicated
> invocation of the {{dependency-check}} task with/without the parameter
> {{nvdDataFeedUrl}} specified.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
