
cassandra-5.0/5.0.2-r1: cve remediation #38148

Open
wants to merge 2 commits into main

Conversation

octo-sts[bot] (Contributor) commented Dec 21, 2024

octo-sts bot (Contributor, Author) commented Dec 21, 2024

Gen AI suggestions to solve the build error:

Based on the error output, I'll analyze and provide specific fixes:

• Detected Error: "Error: failed to parse the pom file: open pom.xml: no such file or directory"

• Error Category: Build Configuration

• Failure Point: maven/pombump step in the pipeline

• Root Cause Analysis: The build is failing because the pombump tool cannot find pom.xml in the repository root directory. This is because Cassandra uses Ant as its primary build tool, not Maven, so there isn't a pom.xml file to modify.

• Suggested Fix:
Remove the maven/pombump step from the pipeline since it's not needed:

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/apache/cassandra
      expected-commit: f278f6774fc76465c182041e081982105c3e7dbb
      tag: cassandra-${{package.version}}

  # Remove this line
  # - uses: maven/pombump

  - runs: |
      ant artifacts -Dversion=${{package.version}}
      # ... rest of the pipeline

• Explanation:
Apache Cassandra uses Apache Ant for its build system, not Maven. The pombump step is unnecessary since there's no Maven POM file to modify. Removing this step will allow the build to proceed directly to the Ant build step which is the correct build tool for Cassandra.

• Additional Notes:

  • Cassandra's build system is Ant-based
  • The version information is passed directly to Ant via -Dversion parameter
  • No Maven dependency management is needed for this package

• References:

Signed-off-by: Dentrax <furkan.turkal@chainguard.dev>
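The git-checkout step above pins the source to both a tag (cassandra-${{package.version}}) and an expected-commit. Before changing either value in a remediation PR, a reviewer will want to confirm that the tag really resolves to the pinned commit, since melange will otherwise fail the checkout (or, worse, a stale pin silently points at code that does not carry the fix). The script below is an added example written for this page; it is not part of this PR, of melange, or of the Cassandra build. It resolves a tag to its commit in a local clone via rev-parse (or, for a URL, via git ls-remote, which is not exercised offline here) and compares the result with the pinned 40-hex SHA-1. The demo repository it builds is constructed for the example; the tag name and the apache/cassandra URL and commit in the usage comment are taken from the PR.

```shell
#!/bin/sh
# Added example (not from the PR or melange): check that a git tag resolves to the
# commit pinned as expected-commit in a melange git-checkout step.
#
# Usage against the real repository (needs network; not run here):
#   sh check_pin.sh https://github.com/apache/cassandra cassandra-5.0.2 \
#      f278f6774fc76465c182041e081982105c3e7dbb

# Print the commit a tag points at. For a local directory, ^{commit} peels an
# annotated tag to its commit. For a URL, git ls-remote lists annotated tags as
# two lines (refs/tags/X = tag object, refs/tags/X^{} = peeled commit); prefer the
# peeled line and fall back to the plain one for lightweight tags.
resolve_tag_commit() {
  repo="$1"; tag="$2"
  if [ -d "$repo" ]; then
    git -C "$repo" rev-parse --verify -q "refs/tags/$tag^{commit}"
  else
    out="$(git ls-remote --tags "$repo")" || return 1
    sha="$(printf '%s\n' "$out" | awk -v t="refs/tags/$tag" \
      '$2 == t "^{}" { p = $1 } $2 == t { l = $1 } END { print (p != "" ? p : l) }')"
    [ -n "$sha" ] && printf '%s\n' "$sha"
  fi
}

# Return 0 when the tag's commit equals the pin, 1 on mismatch, 2 on bad input.
check_pinned_tag() {
  repo="$1"; tag="$2"; expected="$3"
  # Only accept a full lowercase 40-hex SHA-1 (what git prints for this repo);
  # an abbreviated pin is ambiguous and should not be trusted as a pin at all.
  if [ "$(expr "$expected" : '[0-9a-f]*$')" -ne 40 ]; then
    echo "expected-commit is not a full 40-hex SHA-1: '$expected'" >&2
    return 2
  fi
  actual="$(resolve_tag_commit "$repo" "$tag")" || {
    echo "tag '$tag' not found in $repo" >&2
    return 2
  }
  if [ "$actual" = "$expected" ]; then
    echo "OK: $tag -> $actual matches expected-commit"
    return 0
  fi
  echo "MISMATCH: $tag -> $actual but expected-commit is $expected (tag moved or pin stale)" >&2
  return 1
}

# Build a throwaway repository with one commit and one annotated tag, so the
# check can be exercised without network access. Constructed demo data only.
make_demo_repo() {
  dir="$(mktemp -d)"
  git -c init.defaultBranch=main init -q "$dir"
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q --allow-empty -m "constructed commit"
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    tag -a -m "constructed release tag" cassandra-5.0.2
  printf '%s\n' "$dir"
}

# CLI entry point: sh check_pin.sh <repo-dir-or-url> <tag> <expected-commit>
if [ "$#" -eq 3 ]; then
  check_pinned_tag "$@"
fi
```

Running it against the constructed repo with the commit it reports for HEAD prints the OK line and exits 0; passing an all-zero SHA, an abbreviated SHA such as deadbeef, or a tag that does not exist makes it exit non-zero with the reason on stderr, which is the behaviour you want from a pre-commit or CI gate on melange YAML pins.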
octo-sts bot (Contributor, Author) commented Dec 28, 2024

Gen AI suggestions to solve the build error:

Based on the build error output, I'll analyze and provide a solution:

• Detected Error:

[javac] cannot find symbol
[javac] import ch.qos.logback.core.hook.DelayingShutdownHook;
[javac]   symbol:   class DelayingShutdownHook
[javac]   location: package ch.qos.logback.core.hook

• Error Category: Dependency/Build

• Failure Point: Java compilation step during ant build, specifically in LogbackLoggingSupport.java

• Root Cause Analysis:
The build is failing because it cannot find the Logback dependency that contains the DelayingShutdownHook class. This class is part of the logback-core library which appears to be missing from the build dependencies.

• Suggested Fix:
Add logback dependencies to the environment section of the melange YAML:

environment:
  contents:
    packages:
      - ant
      - bash
      - build-base
      - busybox
      - ca-certificates-bundle
      - openjdk-11-default-jvm
      - openssf-compiler-options
      - py${{vars.pyver}}-build
      - py${{vars.pyver}}-cython-bin
      - py${{vars.pyver}}-pip
      - py${{vars.pyver}}-setuptools
      - python-${{vars.pyver}}-dev
      - logback-classic # Add this
      - logback-core    # Add this

• Explanation:
The compilation is failing because it's missing required Logback libraries that Cassandra uses for logging. By adding the logback dependencies to the build environment, the Java compiler will be able to find the required DelayingShutdownHook class during compilation.

• Additional Notes:

  • Logback is a common logging framework for Java applications
  • Cassandra uses Logback for its logging implementation
  • The DelayingShutdownHook class is specifically used for graceful shutdown handling

• References:

@Dentrax (Member) commented Dec 28, 2024

Advisory submitted: wolfi-dev/advisories#11040
