[ https://issues.apache.org/jira/browse/CASSANDRA-19739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17862399#comment-17862399 ]
Stefan Miklosovic edited comment on CASSANDRA-19739 at 7/2/24 10:59 AM:
------------------------------------------------------------------------

What is interesting is that we have this dep in parent-pom-template.xml

{code}
<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcpkix-jdk18on</artifactId>
  <version>1.76</version>
</dependency>
{code}

When I manually remove ~/.m2/repository/org/bouncycastle/bc* and I do ant realclean && ant jar again, I see that it pulls

{code}
[resolver:resolve] Downloading https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.76/bcpkix-jdk18on-1.76.pom
[resolver:resolve] Downloaded https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.76/bcpkix-jdk18on-1.76.pom (2 KB at 8.1 KB/sec)
[resolver:resolve] Downloading https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/1.76/bcprov-jdk18on-1.76.pom
[resolver:resolve] Downloaded https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/1.76/bcprov-jdk18on-1.76.pom (2 KB at 65.5 KB/sec)
[resolver:resolve] Downloading https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/1.76/bcutil-jdk18on-1.76.pom
[resolver:resolve] Downloaded https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/1.76/bcutil-jdk18on-1.76.pom (2 KB at 80.6 KB/sec)
{code}

so it pulls two more:

- bcprov-jdk18on (where CVEs are)
- bcutil-jdk18on

We should probably enumerate them explicitly; these two are transitive deps and CVEs are found in one of them.
was (Author: smiklosovic):

What is interesting is that we have this dep in parent-pom-template.xml

{code}
<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcpkix-jdk18on</artifactId>
  <version>1.76</version>
</dependency>
{code}

When I manually remove ~/.m2/repository/org/bouncycastle/bc* and I do ant realclean && ant jar again, I see that it pulls

{code}
[resolver:resolve] Downloading https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.78/bcpkix-jdk18on-1.76.pom
[resolver:resolve] Downloaded https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.78/bcpkix-jdk18on-1.76.pom (2 KB at 8.1 KB/sec)
[resolver:resolve] Downloading https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/1.78/bcprov-jdk18on-1.76.pom
[resolver:resolve] Downloaded https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/1.78/bcprov-jdk18on-1.76.pom (2 KB at 65.5 KB/sec)
[resolver:resolve] Downloading https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/1.78/bcutil-jdk18on-1.76.pom
[resolver:resolve] Downloaded https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/1.78/bcutil-jdk18on-1.76.pom (2 KB at 80.6 KB/sec)
{code}

so it pulls two more:

- bcprov-jdk18on (where CVEs are)
- bcutil-jdk18on

We should probably enumerate them explicitly; these two are transitive deps and CVEs are found in one of them.

> Investigate bcprov-jdk18on-1.76.jar: CVE-2024-30172, CVE-2024-30171,
> CVE-2024-29857, CVE-2024-34447
> ---------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-19739
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19739
>             Project: Cassandra
>          Issue Type: Task
>          Components: Build
>            Reporter: Stefan Miklosovic
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 5.0-rc, 5.x
>
>
> This came up after I bumped dependency-check version to 10.0.0 as suggested
> in CASSANDRA-19738.
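The comment's point is that bcprov-jdk18on and bcutil-jdk18on never appear in parent-pom-template.xml, yet the resolver pulls them through bcpkix-jdk18on, so a scanner flags a jar the pom does not mention. The script below is an added example (not Cassandra's build tooling, and not the author's code) that turns that manual check into a repeatable one: it parses `[resolver:resolve] Downloaded` lines of the shape quoted above, extracts Maven coordinates from the repository path, compares them against the `<dependency>` entries of a pom fragment, and prints the explicit `<dependency>` blocks for whatever arrived only transitively. The log lines and the pom fragment embedded here are constructed from the comment; the repository prefix `https://repo1.maven.org/maven2/` and the helper names are assumptions of this example.

```python
"""Compare what the Maven resolver actually downloaded with what a pom declares,
and emit explicit <dependency> entries for the transitive artifacts.

Added example; assumes the Maven 2 repository layout
<repo>/<group path>/<artifactId>/<version>/<artifactId>-<version>.<ext>
and the [resolver:resolve] log format quoted in the Jira comment."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the single dependency quoted from parent-pom-template.xml.
DECLARED_POM = """<dependencies>
  <dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk18on</artifactId>
    <version>1.76</version>
  </dependency>
</dependencies>"""

# Constructed sample: resolver output of the same shape as in the comment.
RESOLVER_LOG = """\
[resolver:resolve] Downloading https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.76/bcpkix-jdk18on-1.76.pom
[resolver:resolve] Downloaded https://repo1.maven.org/maven2/org/bouncycastle/bcpkix-jdk18on/1.76/bcpkix-jdk18on-1.76.pom (2 KB at 8.1 KB/sec)
[resolver:resolve] Downloading https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/1.76/bcprov-jdk18on-1.76.pom
[resolver:resolve] Downloaded https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk18on/1.76/bcprov-jdk18on-1.76.pom (2 KB at 65.5 KB/sec)
[resolver:resolve] Downloading https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/1.76/bcutil-jdk18on-1.76.pom
[resolver:resolve] Downloaded https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/1.76/bcutil-jdk18on-1.76.pom (2 KB at 80.6 KB/sec)
"""

REPO_PREFIX = "https://repo1.maven.org/maven2/"  # assumption: Maven Central only
DOWNLOADED_RE = re.compile(r"\[resolver:resolve\] Downloaded (\S+)")


def parse_downloaded(log_text):
    """Return sorted (groupId, artifactId, version) tuples for every artifact the
    resolver reports as Downloaded. 'Downloading' lines are ignored so nothing is
    double counted, and a .pom and .jar of one coordinate collapse to one entry."""
    coords = set()
    for line in log_text.splitlines():
        m = DOWNLOADED_RE.match(line)
        if not m or not m.group(1).startswith(REPO_PREFIX):
            continue
        parts = m.group(1)[len(REPO_PREFIX):].split("/")
        if len(parts) < 4:
            continue
        *group_parts, artifact, version, filename = parts
        # Layout sanity check: the file name must agree with the path's
        # artifactId and version, otherwise the line is not a clean coordinate.
        if not filename.startswith(f"{artifact}-{version}."):
            continue
        coords.add((".".join(group_parts), artifact, version))
    return sorted(coords)


def _local(tag):
    """Strip an XML namespace so a pom with or without xmlns parses the same."""
    return tag.rsplit("}", 1)[-1]


def parse_declared(pom_text):
    """Return the set of (groupId, artifactId, version) declared as <dependency>."""
    declared = set()
    for node in ET.fromstring(pom_text).iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        declared.add((fields.get("groupId"), fields.get("artifactId"), fields.get("version")))
    return declared


def undeclared_transitives(resolved, declared, group_filter=None):
    """Artifacts that were resolved but never declared: the transitive ones a
    scanner still inspects and that the pom gives no visible version pin for."""
    return [c for c in resolved
            if c not in declared and (group_filter is None or c[0] == group_filter)]


def to_dependency_xml(coords):
    """Render explicit <dependency> blocks so the transitives can be pinned."""
    return "\n".join(
        "<dependency>\n"
        f"  <groupId>{g}</groupId>\n"
        f"  <artifactId>{a}</artifactId>\n"
        f"  <version>{v}</version>\n"
        "</dependency>"
        for g, a, v in coords)


if __name__ == "__main__":
    resolved = parse_downloaded(RESOLVER_LOG)
    missing = undeclared_transitives(resolved, parse_declared(DECLARED_POM),
                                     group_filter="org.bouncycastle")
    print("Resolved but not declared in the pom:")
    for g, a, v in missing:
        print(f"  {g}:{a}:{v}")
    print(to_dependency_xml(missing))
```

Run against a real build, feed the script the captured `ant jar` output and the actual pom template instead of the embedded samples. The path-versus-filename check is deliberate: a line whose directory version and file version disagree (as in the earlier wording of this comment, where the path said 1.78 and the file said 1.76) is dropped rather than recorded as a coordinate, so a mistyped or tampered URL cannot silently produce a version the build never fetched.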
--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org