Merge branch 'cassandra-4.1' into cassandra-5.0

smiklosovic · smiklosovic · commit ed04f46b272a · 2025-09-26T16:08:54.000+02:00
diff --git a/.build/build-owasp.xml b/.build/build-owasp.xml
@@ -19,7 +19,7 @@
 <project basedir="." name="apache-cassandra-owasp-tasks"
          xmlns:unless="ant:unless"
          xmlns:if="ant:if">
-    <property name="dependency-check.version" value="12.1.0"/>
+    <property name="dependency-check.version" value="12.1.6"/>
     <property name="dependency-check.home" value="${tmp.dir}/dependency-check-ant-${dependency-check.version}"/>
     <property name="dependency-check.archive.dir" value="${local.repository}/org/owasp/dependency-check-ant/${dependency-check.version}"/>
     <property name="dependency-check.archive.name" value="dependency-check-ant-${dependency-check.version}-release.zip"/>
diff --git a/.build/owasp/dependency-check-suppressions.xml b/.build/owasp/dependency-check-suppressions.xml
@@ -21,15 +21,17 @@
 -->
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-18943 -->
+    <!-- https://issues.apache.org/jira/browse/CASSANDRA-20924 -->
     <suppress>
         <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
-        <cve>CVE-2023-44487</cve>
-    </suppress>
-
-    <!-- https://issues.apache.org/jira/browse/CASSANDRA-20504 -->
-    <suppress>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
+        <cve>CVE-2025-24970</cve>
         <cve>CVE-2025-25193</cve>
+        <cve>CVE-2024-29025</cve>
+        <cve>CVE-2023-44487</cve>
+        <cve>CVE-2024-47535</cve>
+        <cve>CVE-2025-55163</cve>
+        <cve>CVE-2025-58056</cve>
+        <cve>CVE-2025-58057</cve>
     </suppress>
 
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-19142 -->
diff --git a/.snyk b/.snyk
@@ -3,7 +3,7 @@
 version: v1.25.0
 ignore:
   CVE-2023-44487:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-18943 -- ^pkg:maven/io\.netty/netty\-.*@.*$
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
   CVE-2023-6378:
     - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml
   CVE-2023-6481:
@@ -12,7 +12,19 @@ ignore:
     - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml
   CVE-2024-12801:
     - reason: Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml
+  CVE-2024-29025:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
   CVE-2024-45772:
     - reason: https://issues.apache.org/jira/browse/CASSANDRA-20024 -- ^pkg:maven/org\.apache\.lucene/lucene\-.*@9.7.0$
+  CVE-2024-47535:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
+  CVE-2025-24970:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
   CVE-2025-25193:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-20504 -- ^pkg:maven/io\.netty/netty\-.*@.*$
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
+  CVE-2025-55163:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
+  CVE-2025-58056:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
+  CVE-2025-58057:
+    - reason: https://issues.apache.org/jira/browse/CASSANDRA-20924 -- ^pkg:maven/io\.netty/netty\-.*@.*$
