[ 
https://issues.apache.org/jira/browse/CASSANDRA-19739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17862399#comment-17862399
 ] 

Stefan Miklosovic edited comment on CASSANDRA-19739 at 7/2/24 10:59 AM:
------------------------------------------------------------------------

What is interesting is that we have this dependency in parent-pom-template.xml:

{code}
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk18on</artifactId>
        <version>1.76</version>
      </dependency>
{code}

When I manually remove ~/.m2/repository/org/bouncycastle/bc* and run ant realclean && ant jar again, I see that it pulls:

{code}
[resolver:resolve] Downloading 
https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.76/bcpkix-jdk18on-1.76.pom
[resolver:resolve] Downloaded 
https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.76/bcpkix-jdk18on-1.76.pom
 (2 KB at 8.1 KB/sec)
[resolver:resolve] Downloading 
https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/1.76/bcprov-jdk18on-1.76.pom
[resolver:resolve] Downloaded 
https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/1.76/bcprov-jdk18on-1.76.pom
 (2 KB at 65.5 KB/sec)
[resolver:resolve] Downloading 
https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/1.76/bcutil-jdk18on-1.76.pom
[resolver:resolve] Downloaded 
https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/1.76/bcutil-jdk18on-1.76.pom
 (2 KB at 80.6 KB/sec)
{code}

So it pulls in two more:

bcprov-jdk18on (where the CVEs are)
bcutil-jdk18on

We should probably enumerate them explicitly; these two are transitive dependencies and the CVEs are found in one of them.


was (Author: smiklosovic):
What is interesting is that we have this dependency in parent-pom-template.xml:

{code}
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk18on</artifactId>
        <version>1.76</version>
      </dependency>
{code}

When I manually remove ~/.m2/repository/org/bouncycastle/bc* and run ant realclean && ant jar again, I see that it pulls:

{code}
[resolver:resolve] Downloading 
https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.78/bcpkix-jdk18on-1.76.pom
[resolver:resolve] Downloaded 
https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.78/bcpkix-jdk18on-1.76.pom
 (2 KB at 8.1 KB/sec)
[resolver:resolve] Downloading 
https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/1.78/bcprov-jdk18on-1.76.pom
[resolver:resolve] Downloaded 
https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/1.78/bcprov-jdk18on-1.76.pom
 (2 KB at 65.5 KB/sec)
[resolver:resolve] Downloading 
https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/1.78/bcutil-jdk18on-1.76.pom
[resolver:resolve] Downloaded 
https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/1.78/bcutil-jdk18on-1.76.pom
 (2 KB at 80.6 KB/sec)
{code}

So it pulls in two more:

bcprov-jdk18on (where the CVEs are)
bcutil-jdk18on

We should probably enumerate them explicitly; these two are transitive dependencies and the CVEs are found in one of them.
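Added example (editor's code, not part of the comment above and not Cassandra's build code): a small script that shows why the comment suggests enumerating the Bouncy Castle artifacts explicitly. It parses a POM fragment, walks a dependency graph to find artifacts that are only reached transitively, and approximates Maven-style nearest-wins version mediation. The POM fragments and the DEP_GRAPH edges (bcpkix-jdk18on pulling bcprov-jdk18on and bcutil-jdk18on, bcutil-jdk18on pulling bcprov-jdk18on) are constructed for the example, modelled on the resolver output in the comment; the 1.78 entries are there only to show what happens when one artifact is bumped and the others are not.

```python
"""Audit a Maven POM for transitive-only dependencies and version drift.

Editor's example; the POM fragments and DEP_GRAPH below are constructed
test data, not the real Cassandra parent POM or the real Bouncy Castle POMs.
"""
import xml.etree.ElementTree as ET

# Constructed graph: (groupId, artifactId, version) -> direct dependencies.
# Assumption modelled on the resolver output: bcpkix pulls bcprov and bcutil.
DEP_GRAPH = {
    ("org.bouncycastle", "bcpkix-jdk18on", "1.76"): [
        ("org.bouncycastle", "bcprov-jdk18on", "1.76"),
        ("org.bouncycastle", "bcutil-jdk18on", "1.76"),
    ],
    ("org.bouncycastle", "bcutil-jdk18on", "1.76"): [
        ("org.bouncycastle", "bcprov-jdk18on", "1.76"),
    ],
    ("org.bouncycastle", "bcprov-jdk18on", "1.76"): [],
    ("org.bouncycastle", "bcpkix-jdk18on", "1.78"): [
        ("org.bouncycastle", "bcprov-jdk18on", "1.78"),
        ("org.bouncycastle", "bcutil-jdk18on", "1.78"),
    ],
    ("org.bouncycastle", "bcutil-jdk18on", "1.78"): [
        ("org.bouncycastle", "bcprov-jdk18on", "1.78"),
    ],
    ("org.bouncycastle", "bcprov-jdk18on", "1.78"): [],
}

def _dep(group, artifact, version):
    return ("<dependency><groupId>%s</groupId><artifactId>%s</artifactId>"
            "<version>%s</version></dependency>" % (group, artifact, version))

def _pom(*deps):
    return "<project><dependencies>%s</dependencies></project>" % "".join(deps)

# Constructed POMs: only bcpkix declared (as in the comment), all three
# declared, and a drifted POM where only bcpkix was bumped.
BEFORE_POM = _pom(_dep("org.bouncycastle", "bcpkix-jdk18on", "1.76"))
AFTER_POM = _pom(_dep("org.bouncycastle", "bcpkix-jdk18on", "1.76"),
                 _dep("org.bouncycastle", "bcprov-jdk18on", "1.76"),
                 _dep("org.bouncycastle", "bcutil-jdk18on", "1.76"))
DRIFT_POM = _pom(_dep("org.bouncycastle", "bcpkix-jdk18on", "1.78"),
                 _dep("org.bouncycastle", "bcprov-jdk18on", "1.76"),
                 _dep("org.bouncycastle", "bcutil-jdk18on", "1.76"))

def _local(tag):
    """Strip an XML namespace prefix so real POMs with xmlns also parse."""
    return tag.rsplit("}", 1)[-1]

def declared_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> element."""
    deps = []
    for el in ET.fromstring(pom_xml).iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        deps.append((fields.get("groupId"), fields.get("artifactId"),
                     fields.get("version")))
    return deps

def transitive_closure(declared, graph):
    """Every coordinate reachable from the declared dependencies."""
    seen, stack = set(), list(declared)
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(graph.get(dep, []))
    return seen

def undeclared_transitives(pom_xml, graph=DEP_GRAPH):
    """Artifacts that ship only because something else pulls them in."""
    declared = declared_dependencies(pom_xml)
    declared_ga = {(g, a) for g, a, _ in declared}
    return sorted(d for d in transitive_closure(declared, graph)
                  if (d[0], d[1]) not in declared_ga)

def version_conflicts(pom_xml, graph=DEP_GRAPH):
    """groupId:artifactId pairs requested at more than one version."""
    versions = {}
    for g, a, v in transitive_closure(declared_dependencies(pom_xml), graph):
        versions.setdefault((g, a), set()).add(v)
    return {ga: sorted(vs) for ga, vs in versions.items() if len(vs) > 1}

def effective_versions(pom_xml, graph=DEP_GRAPH):
    """Approximate nearest-wins mediation: breadth-first from the POM, the
    first version seen for a groupId:artifactId is the one that ships."""
    chosen, queue = {}, list(declared_dependencies(pom_xml))
    while queue:
        g, a, v = queue.pop(0)
        if (g, a) in chosen:
            continue
        chosen[(g, a)] = v
        queue.extend(graph.get((g, a, v), []))
    return chosen

if __name__ == "__main__":
    print("transitive-only before:", undeclared_transitives(BEFORE_POM))
    print("transitive-only after:", undeclared_transitives(AFTER_POM))
    print("conflicts after bumping only bcpkix:", version_conflicts(DRIFT_POM))
    print("what actually ships:", effective_versions(DRIFT_POM))
```

The drifted POM is the caveat that comes with enumerating the artifacts explicitly: once bcprov-jdk18on and bcutil-jdk18on are pinned in the POM, a later bump of bcpkix-jdk18on alone leaves the explicitly declared (nearest) bcprov at the old version, so all three have to move together, and dependency-check is the backstop that catches it if they do not.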

> Investigate bcprov-jdk18on-1.76.jar: CVE-2024-30172, CVE-2024-30171, 
> CVE-2024-29857, CVE-2024-34447
> ---------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-19739
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19739
>             Project: Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Stefan Miklosovic
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 5.0-rc, 5.x
>
>
> This came up after I bumped dependency-check version to 10.0.0 as suggested 
> in CASSANDRA-19738.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
