fixed GHSA-4g8c-wm8x-jfhw

management-api-for-apache-cassandra-5.0.yaml

@@ -1,7 +1,7 @@
 package:
   name: management-api-for-apache-cassandra-5.0
-  version: "0.1.96"
-  epoch: 1
+  version: "0.1.97"
+  epoch: 0
   description: RESTful / Secure Management Sidecar for Apache Cassandra
   copyright:
     - license: Apache-2.0
@@ -25,17 +25,16 @@ pipeline:
   - uses: git-checkout
     with:
       repository: https://github.com/k8ssandra/management-api-for-apache-cassandra
-      expected-commit: 6ecf51489dca5e348cb36ba225ca214e236b9e14
+      expected-commit: fa025a0ba0495ee85ab2ebbbf0b463a975f31d47
       tag: v${{package.version}}
 
   # We can't (currently), use pombump, as this repo places license info as
   # code comments, embedded in the pom.xml files. pombump currently isn't able
   # to handle this. Internal issue create to track.
   - uses: patch
     with:
-      patches: pom-xml.patch mgmt-api-server-pom-xml.patch mgmt-api-agent-5.0.x-pom-xml.patch
-
-  - uses: maven/pombump
+      patches: |
+        20250221-consolidated-cve-patches.patch
 
   - runs: |
       echo "Running build..."

management-api-for-apache-cassandra-5.0/20250221-consolidated-cve-patches.patch

@@ -0,0 +1,160 @@
+From 0709dae3a8f8d930ecd3472a28584d4dba141405 Mon Sep 17 00:00:00 2001
+From: Kyle Steere <[email protected]>
+Date: Fri, 21 Feb 2025 10:53:39 -0600
+Subject: [PATCH] consolidated cve patches
+
+Signed-off-by: Kyle Steere <[email protected]>
+---
+ management-api-agent-4.1.x/pom.xml  | 10 ++++++++++
+ management-api-agent-4.x/pom.xml    | 10 ++++++++++
+ management-api-agent-5.0.x/pom.xml  | 12 +++++++++++-
+ management-api-agent-common/pom.xml | 10 ++++++++++
+ management-api-server/pom.xml       | 12 +++++++++++-
+ pom.xml                             |  8 ++++----
+ 6 files changed, 56 insertions(+), 6 deletions(-)
+
+diff --git a/management-api-agent-4.1.x/pom.xml b/management-api-agent-4.1.x/pom.xml
+index 3ffe2dd..a0bb29d 100644
+--- a/management-api-agent-4.1.x/pom.xml
++++ b/management-api-agent-4.1.x/pom.xml
+@@ -19,6 +19,16 @@
+     <cassandra4.version>4.1.8</cassandra4.version>
+   </properties>
+   <dependencies>
++    <dependency>
++      <groupId>io.netty</groupId>
++      <artifactId>netty-common</artifactId>
++      <version>${netty.version}</version>
++    </dependency>
++    <dependency>
++      <groupId>io.netty</groupId>
++      <artifactId>netty-handler</artifactId>
++      <version>${netty.version}</version>
++    </dependency>
+     <!-- Need to explicitly declare SLF4J as "provided" to avoid it being bundled into the resulting agent jarfile -->
+     <dependency>
+       <groupId>org.slf4j</groupId>
+diff --git a/management-api-agent-4.x/pom.xml b/management-api-agent-4.x/pom.xml
+index d0deb5d..5d87d29 100644
+--- a/management-api-agent-4.x/pom.xml
++++ b/management-api-agent-4.x/pom.xml
+@@ -16,6 +16,16 @@
+   <version>${revision}</version>
+   <artifactId>datastax-mgmtapi-agent-4.x</artifactId>
+   <dependencies>
++    <dependency>
++      <groupId>io.netty</groupId>
++      <artifactId>netty-common</artifactId>
++      <version>${netty.version}</version>
++    </dependency>
++    <dependency>
++      <groupId>io.netty</groupId>
++      <artifactId>netty-handler</artifactId>
++      <version>${netty.version}</version>
++    </dependency>
+     <!-- Need to explicitly declare SLF4J as "provided" to avoid it being bundled into the resulting agent jarfile -->
+     <dependency>
+       <groupId>org.slf4j</groupId>
+diff --git a/management-api-agent-5.0.x/pom.xml b/management-api-agent-5.0.x/pom.xml
+index 63f9330..2c81dcb 100644
+--- a/management-api-agent-5.0.x/pom.xml
++++ b/management-api-agent-5.0.x/pom.xml
+@@ -17,9 +17,19 @@
+   <artifactId>datastax-mgmtapi-agent-5.0.x</artifactId>
+   <properties>
+     <cassandra5.version>5.0.3</cassandra5.version>
+-    <netty.http.codec.version>4.1.96.Final</netty.http.codec.version>
++    <netty.http.codec.version>4.1.108.Final</netty.http.codec.version>
+   </properties>
+   <dependencies>
++    <dependency>
++      <groupId>io.netty</groupId>
++      <artifactId>netty-common</artifactId>
++      <version>${netty.version}</version>
++    </dependency>
++    <dependency>
++      <groupId>io.netty</groupId>
++      <artifactId>netty-handler</artifactId>
++      <version>${netty.version}</version>
++    </dependency>
+     <!-- Need to explicitly declare SLF4J as "provided" to avoid it being bundled into the resulting agent jarfile -->
+     <dependency>
+       <groupId>org.slf4j</groupId>
+diff --git a/management-api-agent-common/pom.xml b/management-api-agent-common/pom.xml
+index b08c09a..907171f 100644
+--- a/management-api-agent-common/pom.xml
++++ b/management-api-agent-common/pom.xml
+@@ -22,6 +22,16 @@
+         <activeByDefault>true</activeByDefault>
+       </activation>
+       <dependencies>
++        <dependency>
++          <groupId>io.netty</groupId>
++          <artifactId>netty-common</artifactId>
++          <version>${netty.version}</version>
++        </dependency>
++        <dependency>
++          <groupId>io.netty</groupId>
++          <artifactId>netty-handler</artifactId>
++          <version>${netty.version}</version>
++        </dependency>
+         <dependency>
+           <groupId>io.k8ssandra</groupId>
+           <artifactId>datastax-mgmtapi-common</artifactId>
+diff --git a/management-api-server/pom.xml b/management-api-server/pom.xml
+index e740a9e..bb63cb0 100644
+--- a/management-api-server/pom.xml
++++ b/management-api-server/pom.xml
+@@ -16,7 +16,7 @@
+   <version>${revision}</version>
+   <artifactId>datastax-mgmtapi-server</artifactId>
+   <properties>
+-    <guava.version>30.1.1-jre</guava.version>
++    <guava.version>32.1.3-jre</guava.version>
+     <airline.version>2.7.0</airline.version>
+     <jaxrs.version>2.2.19</jaxrs.version>
+     <resteasy.version>6.2.10.Final</resteasy.version>
+@@ -26,6 +26,16 @@
+     <commons.io.version>2.17.0</commons.io.version>
+   </properties>
+   <dependencies>
++    <dependency>
++      <groupId>io.netty</groupId>
++      <artifactId>netty-common</artifactId>
++      <version>${netty.version}</version>
++    </dependency>
++    <dependency>
++      <groupId>io.netty</groupId>
++      <artifactId>netty-handler</artifactId>
++      <version>${netty.version}</version>
++    </dependency>
+     <dependency>
+       <groupId>io.k8ssandra</groupId>
+       <artifactId>datastax-mgmtapi-common</artifactId>
+diff --git a/pom.xml b/pom.xml
+index 7006a29..0e1568d 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -16,16 +16,16 @@
+   <properties>
+     <build.version.file>build_version.sh</build.version.file>
+     <revision>0.1.0-SNAPSHOT</revision>
+-    <driver.version>4.15.0</driver.version>
++    <driver.version>4.17.0</driver.version>
+     <cassandra4.version>4.0.17</cassandra4.version>
+     <docker.java.version>3.3.6</docker.java.version>
+     <junit.version>4.13.2</junit.version>
+     <assertj.version>3.17.2</assertj.version>
+     <bytebuddy.version>1.12.19</bytebuddy.version>
+     <build.version.file>build_version.sh</build.version.file>
+-    <slf4j.version>2.0.9</slf4j.version>
+-    <logback.version>1.4.14</logback.version>
+-    <netty.version>4.1.112.Final</netty.version>
++    <slf4j.version>2.0.16</slf4j.version>
++    <logback.version>1.5.16</logback.version>
++    <netty.version>4.1.118.Final</netty.version>
+     <mockito.version>3.5.13</mockito.version>
+     <prometheus.version>0.16.0</prometheus.version>
+     <!-- This old version is used by Cassandra 4.x -->
+--
+2.43.0