@sumit1997sri

As part of our security assessment, we conducted a Black Duck scan to identify vulnerabilities in various dependencies. The scan detected multiple CVEs (Common Vulnerabilities and Exposures) in the following libraries, which have now been upgraded to more secure versions:

Identified CVEs and Respective Upgrades:

  • Cassandra-all (v2.2.12 → v3.11.17)
    Fixes: GHSA-pqr6-cmr2-h8hf, GHSA-fjpj-2g6w-x25r, GHSA-qcwq-55hx-v3vh, GHSA-x59f-cpgf-vmmv, GHSA-24ww-mc5x-xc43, GHSA-2vxm-vp4c-fjfw, GHSA-8ffc-79xg-29w8, GHSA-php4-mj74-f79r, GHSA-55g7-9cwv-5qfv
  • Okio (v3.0.0 → v3.4.0)
    Fixes: GHSA-w33c-445m-f8w7
  • Netty-All (v4.1.94 → v4.1.116)
    Fixes: GHSA-qppj-fm5r-hxr3
  • Apache Shiro (already at v1.13.0 in Reaper 3.7.0)
    Fixes: GHSA-pmhc-2g4f-85cg, GHSA-jc7h-c423-mpjc, GHSA-hhw5-c326-822h

Major Code Changes:

  • pom.xml: Updated dependencies (../cassandra-reaper/src/server/pom.xml).
  • JmxCassandraManagementProxy.java: Modified (./cassandra-reaper/src/server/src/main/java/io/cassandrareaper/management/jmx/JmxCassandraManagementProxy.java).
  • Added a dummy cassandra.yaml file: Required to resolve test case failures.
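
One way to confirm that a POM actually declares versions at or above those listed in the description above, as an added example that is not part of the pull request or the Reaper code base. The sample POM, the Maven group IDs in it and the helper names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Minimum versions taken from the upgrade list in the PR description.
FLOORS = {"cassandra-all": "3.11.17", "okio": "3.4.0", "netty-all": "4.1.116"}

# Constructed sample POM (not the project's real pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><netty.version>4.1.94.Final</netty.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.cassandra</groupId>
      <artifactId>cassandra-all</artifactId><version>3.11.17</version></dependency>
    <dependency><groupId>com.squareup.okio</groupId>
      <artifactId>okio</artifactId><version>3.0.0</version></dependency>
    <dependency><groupId>io.netty</groupId>
      <artifactId>netty-all</artifactId><version>${netty.version}</version></dependency>
  </dependencies>
</project>"""

def version_key(version):
    """Leading numeric components, zero-padded: '4.1.94.Final' -> (4, 1, 94, 0)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (4 - len(parts)))

def below_floor(pom_text, floors=FLOORS):
    """Return {artifactId: declared_version} for dependencies under their floor."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    stale = {}
    for dep in root.iterfind(".//m:dependency", NS):
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        declared = dep.findtext("m:version", default="", namespaces=NS).strip()
        # Resolve ${property} indirection against <properties>.
        resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), declared)
        # A missing or unresolvable version is flagged too: the POM alone cannot prove it.
        if artifact in floors and version_key(resolved) < version_key(floors[artifact]):
            stale[artifact] = resolved
    return stale
```

This only inspects versions declared in the file; transitive dependencies need the resolved tree, for example from `mvn dependency:tree`.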

…IO from 3.0.0 to 3.4.0, Upgrade netty-all to 4.1.116
@github-actions

No linked issues found. Please add the corresponding issues in the pull request description.
Use GitHub automation to close the issue when a PR is merged

sumit26sri and others added 3 commits March 21, 2025 12:35
@adejanovski
Contributor

Hi @sumit1997sri,

you have a couple issues that need solving here:

  • You haven't built the project locally and didn't spot that you had some checkstyle errors. I've pushed a commit to solve these.
  • The build fails because the new cassandra-all dependency (I think) breaks the streaming tests:
[ERROR] io.cassandrareaper.service.StreamFactoryTest.testCountProgressPerTableWithMultipleTables -- Time elapsed: 0.001 s <<< ERROR!
java.lang.NoClassDefFoundError: Could not initialize class org.apache.cassandra.db.Directories
        at org.apache.cassandra.io.sstable.Descriptor.fromFilename(Descriptor.java:298)
        at org.apache.cassandra.io.sstable.Descriptor.fromFilename(Descriptor.java:228)
        at org.apache.cassandra.io.sstable.Descriptor.fromFilename(Descriptor.java:217)
        at io.cassandrareaper.service.StreamFactory.getTableProgressFromFile(StreamFactory.java:91)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
        at java.base/java.util.concurrent.ConcurrentHashMap$ValueSpliterator.forEachRemaining(ConcurrentHashMap.java:3605)
        at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
        at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
        at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
        at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
        at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
        at io.cassandrareaper.service.StreamFactory.countProgressPerTable(StreamFactory.java:78)
        at io.cassandrareaper.service.StreamFactory.newStream(StreamFactory.java:55)
        at io.cassandrareaper.service.StreamSessionFactory.lambda$fromStreamState$0(StreamSessionFactory.java:47)
        at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
        at java.base/java.util.Iterator.forEachRemaining(Iterator.java:133)
        at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
        ...

I'd recommend to run mvn clean install to check that everything builds and that the unit tests are passing before pushing commits to a PR.
Also, you'll need jdk11, maven 3.x, nodejs v10 and npm 6.14 to build Reaper.
For nodejs, I recommend using nvm to install multiple versions of nodejs and switch between them.
Thanks!

@sumit1997sri
Author

sumit1997sri commented May 2, 2025

Hello @adejanovski, at my end I am able to build Reaper 3.7.0 successfully; I don't know why it is failing here.
I simply execute the "mvn clean install" command over path: ({InstallDir}/cassandra-reaper/src/server)
Screenshot 2025-05-02 132338

I am using the below versions of Java, Maven, and Node
image
