Conversation

@bereng
Collaborator

@bereng bereng commented Feb 12, 2025

What is the issue

The customer requested an upgrade for some libraries (CVEs)

What does this PR fix and why was it fixed

This PR upgrades to latest stable versions

@github-actions

github-actions bot commented Feb 12, 2025

Checklist before you submit for review

  • Make sure there is a PR in the CNDB project updating the Converged Cassandra version
  • Use NoSpamLogger for log lines that may appear frequently in the logs
  • Verify test results on Butler
  • Test coverage for new/modified code is > 80%
  • Proper code formatting
  • Proper title for each commit starting with the project-issue number, like CNDB-1234
  • Each commit has a meaningful description
  • Each commit is not very long and contains related changes
  • Renames, moves and reformatting are in distinct commits

@bereng bereng changed the title Upgrade of the jackson library to 2.18.0 Upgrade of several libraries Feb 13, 2025
@bereng bereng changed the title Upgrade of several libraries HCD-62 Upgrade of several libraries Feb 13, 2025
@bereng
Collaborator Author

bereng commented Feb 17, 2025

The only CI failure seems to be https://datastax.jira.com/browse/CNDB-4763

Perf reports look good or even a bit better (ran against Szymon's run from a few days ago to save $):

@bereng
Collaborator Author

bereng commented Feb 18, 2025

Note to self: The commit message will have to be amended before merge to reflect Guava stays at v29

@bereng
Collaborator Author

bereng commented Feb 20, 2025

CI LGTM. Perf tests LGTM even with slightly better numbers:

@JeremiahDJordan
Member

Please update the commit messages and pr description to list all the CVEs being fixed here.

@bereng bereng force-pushed the HCD-62-HCD-1.1 branch 2 times, most recently from f56bcca to 229cab9 Compare March 10, 2025 12:20
@szymon-miezal

@bereng could you rebase the PR to trigger the CI on the updated branch?

@szymon-miezal szymon-miezal left a comment

Overall it looks good to me, I have left a few questions/comments.

This commit contains the following upgrades
* snappy to 1.1.10.7 fixing CVE-2023-43642
* guava to 33.4.0-jre fixing CVE-2023-2976 and CVE-2020-8908
* jackson to 2.18.0 fixing CWE-400
* snakeyaml to 2.4 fixing CVE-2022-1471
@cassci-bot

❌ Build ds-cassandra-pr-gate/PR-1563 rejected by Butler

1 new test failure(s) in 10 builds
See build details here

Found 1 new test failures

Test | Explanation | Branch history | Upstream history
o.a.c.u.b.BinLogTest.testTruncationReleasesLogS... | regression | 🔴🔴🔵🔴🔴🔵🔴 | 🔵🔵🔵🔵🔵🔵🔵

Found 18 known test failures

@bereng bereng merged commit f38360e into main Mar 25, 2025
474 of 479 checks passed
@bereng bereng deleted the HCD-62-HCD-1.1 branch March 25, 2025 06:36
jkni added a commit that referenced this pull request Apr 8, 2025
…ate cdc_enabled key in base yaml (#1680)

### What is the issue
#1563 upgraded our version of snakeyaml. This new version logs when
duplicate keys are found. The test-cdc target concatenates a
CDC-specific yaml to the base yaml. Both contain entries for the
cdc_enabled key, causing tests that load this yaml to log the warning.
This causes CDC CI failures.

### What does this PR fix and why was it fixed
This PR removes the cdc_enabled entry in the base yaml, as it's the same
as the default. This is consistent with how we handle other default keys
that might be duplicated across multiple yaml fragments in the test
commands.
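The duplicate-key situation described in the commit above, reproduced as an added example (not code from this PR or from Cassandra): two constructed yaml fragments that both set cdc_enabled are concatenated the way the test-cdc target does, and SnakeYAML is loaded with setAllowDuplicateKeys(false) so the collision fails the load outright instead of only producing a log line, which is the check a CI gate would want. The class name, fragment contents and the replace-based "fix" are assumptions for illustration only.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.DuplicateKeyException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class DuplicateKeyCheck {
    // Constructed stand-ins for the base yaml and the CDC-specific fragment
    // that gets appended to it; both carry a cdc_enabled entry, as in the PR.
    static final String BASE_YAML = "cluster_name: 'Test Cluster'\ncdc_enabled: false\n";
    static final String CDC_YAML  = "cdc_enabled: true\ncdc_raw_directory: build/test/cdc_raw\n";

    // Load with duplicate keys rejected: a duplicate raises DuplicateKeyException
    // rather than being silently overridden by the later fragment.
    static Map<String, Object> loadStrict(String text) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return yaml.load(text);
    }

    public static void main(String[] args) {
        String concatenated = BASE_YAML + CDC_YAML;
        try {
            loadStrict(concatenated);
            System.out.println("no duplicate keys");
        } catch (DuplicateKeyException e) {
            // Expected for the unfixed concatenation: cdc_enabled appears twice.
            System.out.println("duplicate key rejected: " + e.getMessage());
        }

        // After the fix in #1680: the base no longer carries cdc_enabled (it equals
        // the default), so the concatenation has a single definition of the key.
        String fixedBase = BASE_YAML.replace("cdc_enabled: false\n", "");
        Map<String, Object> cfg = loadStrict(fixedBase + CDC_YAML);
        System.out.println("cdc_enabled = " + cfg.get("cdc_enabled"));
    }
}
```

With the default LoaderOptions (duplicates allowed) the same input loads and the last occurrence wins, which is why the override went unnoticed until the newer snakeyaml started logging it.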
djatnieks pushed a commit that referenced this pull request Apr 14, 2025
The customer requested an upgrade for some libraries (CVEs)

This PR upgrades to latest stable versions

- snappy to 1.1.10.7 fixing CVE-2023-43642
- guava to 33.4.0-jre fixing CVE-2023-2976 and CVE-2020-8908
- jackson to 2.18.0 fixing CWE-400
- snakeyaml to 2.4 fixing CVE-2022-1471