HCD-62 Upgrade of several libraries (#1563)

bereng · djatnieks · commit 4816dc0d8bd5 · 2025-05-17T12:04:31.000-07:00
The customer requested an upgrade for some libraries (CVEs) This PR upgrades to latest stable versions - snappy to 1.1.10.7 fixing CVE-2023-43642 - guava to 33.4.0-jre fixing CVE-2023-2976 and CVE-2020-8908 - jackson to 2.18.0 fixing CWE-400 - snakeyaml to 2.4 fixing CVE-2022-1471
diff --git a/.build/parent-pom-template.xml b/.build/parent-pom-template.xml
@@ -291,7 +291,7 @@
       <dependency>
         <groupId>org.xerial.snappy</groupId>
         <artifactId>snappy-java</artifactId>
-        <version>1.1.10.4</version>
+        <version>1.1.10.7</version>
       </dependency>
       <dependency>
         <groupId>org.lz4</groupId>
@@ -306,7 +306,7 @@
       <dependency>
         <groupId>com.google.guava</groupId>
         <artifactId>guava</artifactId>
-        <version>32.0.1-jre</version>
+        <version>33.4.0-jre</version>
         <exclusions>
           <exclusion>
             <artifactId>jsr305</artifactId>
@@ -422,17 +422,17 @@
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-core</artifactId>
-        <version>2.13.2</version>
+        <version>2.18.3</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-databind</artifactId>
-        <version>2.13.2.2</version>
+        <version>2.18.3</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-annotations</artifactId>
-        <version>2.13.2</version>
+        <version>2.18.3</version>
       </dependency>
       <dependency>
         <groupId>com.googlecode.json-simple</groupId>
@@ -442,12 +442,12 @@
       <dependency>
         <groupId>com.fasterxml.jackson.datatype</groupId>
         <artifactId>jackson-datatype-jsr310</artifactId>
-        <version>2.13.2</version>
+        <version>2.18.3</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.dataformat</groupId>
         <artifactId>jackson-dataformat-yaml</artifactId>
-        <version>2.13.2</version>
+        <version>2.18.3</version>
         <scope>test</scope>
         <exclusions>
           <exclusion>
@@ -469,7 +469,7 @@
       <dependency>
         <groupId>org.yaml</groupId>
         <artifactId>snakeyaml</artifactId>
-        <version>1.33</version>
+        <version>2.4</version>
       </dependency>
       <dependency>
         <groupId>junit</groupId>
diff --git a/src/java/org/apache/cassandra/config/YamlConfigurationLoader.java b/src/java/org/apache/cassandra/config/YamlConfigurationLoader.java
@@ -52,6 +52,8 @@
 import org.yaml.snakeyaml.introspector.Property;
 import org.yaml.snakeyaml.introspector.PropertyUtils;
 import org.yaml.snakeyaml.nodes.Node;
+import org.yaml.snakeyaml.parser.ParserImpl;
+import org.yaml.snakeyaml.resolver.Resolver;
 
 import static org.apache.cassandra.config.CassandraRelevantProperties.ALLOW_DUPLICATE_CONFIG_KEYS;
 import static org.apache.cassandra.config.CassandraRelevantProperties.ALLOW_NEW_OLD_CONFIG_KEYS;
@@ -222,7 +224,7 @@ public static <T> T fromMap(Map<String,Object> map, boolean shouldCheck, Class<T
         constructor.setPropertyUtils(propertiesChecker);
         Yaml yaml = new Yaml(constructor);
         Node node = yaml.represent(map);
-        constructor.setComposer(new Composer(null, null)
+        constructor.setComposer(new Composer(new ParserImpl(null), new Resolver(), new LoaderOptions())
         {
             @Override
             public Node getSingleNode()
@@ -256,7 +258,7 @@ protected Object newInstance(Node node)
         constructor.setPropertyUtils(propertiesChecker);
         Yaml yaml = new Yaml(constructor);
         Node node = yaml.represent(map);
-        constructor.setComposer(new Composer(null, null)
+        constructor.setComposer(new Composer(new ParserImpl(null), new Resolver(), new LoaderOptions())
         {
             @Override
             public Node getSingleNode()
@@ -275,7 +277,7 @@ static class CustomConstructor extends CustomClassLoaderConstructor
     {
         CustomConstructor(Class<?> theRoot, ClassLoader classLoader)
         {
-            super(theRoot, classLoader);
+            super(theRoot, classLoader, new LoaderOptions());
 
             TypeDescription seedDesc = new TypeDescription(ParameterizedClass.class);
             seedDesc.putMapPropertyType("parameters", String.class, String.class);
diff --git a/src/java/org/apache/cassandra/tools/JMXTool.java b/src/java/org/apache/cassandra/tools/JMXTool.java
@@ -164,7 +164,7 @@ void dump(OutputStream output, Map<String, Info> map) throws IOException
             {
                 void dump(OutputStream output, Map<String, Info> map) throws IOException
                 {
-                    Representer representer = new Representer();
+                    Representer representer = new Representer(new DumperOptions());
                     representer.addClassTag(Info.class, Tag.MAP); // avoid the auto added tag
                     Yaml yaml = new Yaml(representer);
                     yaml.dump(map, new OutputStreamWriter(output));
@@ -386,7 +386,8 @@ Map<String, Info> load(InputStream input) throws IOException
             {
                 Map<String, Info> load(InputStream input) throws IOException
                 {
-                    Yaml yaml = new Yaml(new CustomConstructor(), new Representer(), new DumperOptions(), LOADER_CONFIG);
+                    DumperOptions dOpts = new DumperOptions();
+                    Yaml yaml = new Yaml(new CustomConstructor(), new Representer(dOpts), dOpts, LOADER_CONFIG);
                     return (Map<String, Info>) yaml.load(input);
                 }
             };
diff --git a/test/distributed/org/apache/cassandra/distributed/test/FailingRepairTest.java b/test/distributed/org/apache/cassandra/distributed/test/FailingRepairTest.java
@@ -150,7 +150,11 @@ public static void setupCluster() throws IOException
                               .start());
         CLUSTER.setUncaughtExceptionsFilter((throwable) -> {
             if (throwable.getClass().toString().contains("InstanceShutdown") || // can't check instanceof as it is thrown by a different classloader
-                throwable.getMessage() != null && throwable.getMessage().contains("Parent repair session with id"))
+                (throwable.getMessage() != null && throwable.getMessage().contains("Parent repair session with id")) ||
+                (throwable.getClass().toString().contains("RepairException") &&
+                 throwable.getMessage() != null &&
+                 throwable.getMessage().contains("Validation failed"))
+                )
                 return true;
             return false;
         });
diff --git a/test/distributed/org/apache/cassandra/distributed/test/PreviewRepairTest.java b/test/distributed/org/apache/cassandra/distributed/test/PreviewRepairTest.java
@@ -210,6 +210,9 @@ public void testConcurrentIncRepairDuringPreview() throws IOException, Interrupt
                                                                 config.with(GOSSIP)
                                                                       .with(NETWORK)).start()))
         {
+            cluster.setUncaughtExceptionsFilter(t -> t.getClass().toString().contains("RepairException") &&
+                                                     t.getMessage() != null &&
+                                                     t.getMessage().contains("Validation failed"));
             cluster.schemaChange("create table " + KEYSPACE + ".tbl (id int primary key, t int)");
             insert(cluster.coordinator(1), 0, 100);
             cluster.forEach((node) -> node.flush(KEYSPACE));
diff --git a/tools/stress/src/org/apache/cassandra/stress/StressProfile.java b/tools/stress/src/org/apache/cassandra/stress/StressProfile.java
@@ -56,6 +56,7 @@
 import org.apache.cassandra.stress.settings.*;
 import org.apache.cassandra.stress.util.JavaDriverClient;
 import org.apache.cassandra.stress.util.ResultLogger;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.Constructor;
 import org.yaml.snakeyaml.error.YAMLException;
@@ -809,7 +810,7 @@ public static StressProfile load(URI file) throws IOError
     {
         try
         {
-            Constructor constructor = new Constructor(StressYaml.class);
+            Constructor constructor = new Constructor(StressYaml.class, new LoaderOptions());
 
             Yaml yaml = new Yaml(constructor);
 

Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,7 @@ void dump(OutputStream output, Map<String, Info> map) throws IOException`
`164`	`164`	`{`
`165`	`165`	`void dump(OutputStream output, Map<String, Info> map) throws IOException`
`166`	`166`	`{`
`167`		`- Representer representer = new Representer();`
	`167`	`+ Representer representer = new Representer(new DumperOptions());`
`168`	`168`	`representer.addClassTag(Info.class, Tag.MAP); // avoid the auto added tag`
`169`	`169`	`Yaml yaml = new Yaml(representer);`
`170`	`170`	`yaml.dump(map, new OutputStreamWriter(output));`
`@@ -386,7 +386,8 @@ Map<String, Info> load(InputStream input) throws IOException`
`386`	`386`	`{`
`387`	`387`	`Map<String, Info> load(InputStream input) throws IOException`
`388`	`388`	`{`
`389`		`- Yaml yaml = new Yaml(new CustomConstructor(), new Representer(), new DumperOptions(), LOADER_CONFIG);`
	`389`	`+ DumperOptions dOpts = new DumperOptions();`
	`390`	`+ Yaml yaml = new Yaml(new CustomConstructor(), new Representer(dOpts), dOpts, LOADER_CONFIG);`
`390`	`391`	`return (Map<String, Info>) yaml.load(input);`
`391`	`392`	`}`
`392`	`393`	`};`
Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,7 @@`
`56`	`56`	`import org.apache.cassandra.stress.settings.*;`
`57`	`57`	`import org.apache.cassandra.stress.util.JavaDriverClient;`
`58`	`58`	`import org.apache.cassandra.stress.util.ResultLogger;`
	`59`	`+import org.yaml.snakeyaml.LoaderOptions;`
`59`	`60`	`import org.yaml.snakeyaml.Yaml;`
`60`	`61`	`import org.yaml.snakeyaml.constructor.Constructor;`
`61`	`62`	`import org.yaml.snakeyaml.error.YAMLException;`
`@@ -809,7 +810,7 @@ public static StressProfile load(URI file) throws IOError`
`809`	`810`	`{`
`810`	`811`	`try`
`811`	`812`	`{`
`812`		`- Constructor constructor = new Constructor(StressYaml.class);`
	`813`	`+ Constructor constructor = new Constructor(StressYaml.class, new LoaderOptions());`
`813`	`814`
`814`	`815`	`Yaml yaml = new Yaml(constructor);`
`815`	`816`