octo-sts bot commented Jan 9, 2026

cassandra-reaper/4.1.0-r0: fix GHSA-qh8g-58pp-2wxh

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/cassandra-reaper.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/thelastpickle/[email protected]

octo-sts bot added the automated pr, request-cve-remediation, maven/pombump, GHSA-qh8g-58pp-2wxh, p:cassandra-reaper and P1 (This label indicates our scanning found High, Medium or Low CVEs for these packages.) labels Jan 9, 2026
octo-sts bot commented Jan 9, 2026

🔢 Build Failed: Dependency Version Mismatch

error: cannot access HttpStatus
bad class file: /root/.m2/repository/org/eclipse/jetty/jetty-http/12.0.12/jetty-http-12.0.12.jar(/org/eclipse/jetty/http/HttpStatus.class)
class file has wrong version 61.0, should be 55.0
Please remove or make sure it appears in the correct subdirectory of the classpath.

Build Details

Category | Details
Build System | Maven
Failure Point | maven-compiler-plugin:3.10.0:testCompile phase during test compilation

Root Cause Analysis 🔍

The Jetty HTTP library jar file (jetty-http-12.0.12.jar) was compiled with Java 17 (version 61.0) but the current build environment is using Java 11 (version 55.0). This creates an incompatible class file version mismatch where the JVM cannot load the newer bytecode format.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: cassandra-reaper.yaml

  • replacement (environment.contents.packages)
    Original: - openjdk-11-default-jdk
    Replacement: - openjdk-17-default-jdk
    Content: Update JDK version from 11 to 17 to match Jetty library requirements
  • replacement (package.dependencies.runtime)
    Original: - openjdk-11-default-jvm
    Replacement: - openjdk-17-default-jvm
    Content: Update runtime JVM version from 11 to 17 to match build environment
  • replacement (test.environment.contents.packages section (if exists))
    Original: Any openjdk-11 references
    Replacement: openjdk-17 equivalents
    Content: Ensure test environment also uses Java 17 for consistency

Analysis

No similar build failures were provided to analyze patterns from past fixes. However, the current error indicates a Java version compatibility issue where Jetty HTTP library jar (compiled with Java 17, version 61.0) is incompatible with the current build environment using Java 11 (version 55.0). This is a classic bytecode version mismatch problem in Java builds.

Explanation

The build failure occurs because the Jetty HTTP library (jetty-http-12.0.12.jar) was compiled with Java 17 (bytecode version 61.0) but the build environment is using Java 11 (bytecode version 55.0). Java bytecode is forward-compatible but not backward-compatible, meaning code compiled with a newer Java version cannot run on an older JVM. The fix involves upgrading the build environment from Java 11 to Java 17 to match the Jetty library requirements. This change needs to be made in both the build environment packages and runtime dependencies to ensure consistency across build and runtime environments. Since Wolfi's guiding principle is to use the latest versions where possible, upgrading to Java 17 aligns with this philosophy and resolves the compatibility issue.

Alternative Approaches

  • Downgrade Jetty dependencies to versions compiled with Java 11, though this may introduce security vulnerabilities or missing features
  • Use Maven dependency exclusions and force specific Jetty versions, but this could create inconsistent dependency versions
  • Modify the Maven build to use a different HTTP client library entirely, but this would require significant code changes

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

octo-sts bot added the ai/skip-comment (Stop AI from commenting on PR) label Jan 9, 2026
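
A pre-merge check for the class-file version mismatch reported in the comment above, as an added example (not code from this PR, the bot, or the cassandra-reaper project): it reads the header of every class in a jar and reports the ones that need a newer Java release than the build targets. The jar is constructed in memory from header-only stubs, and `scan_jar` and `build_sample_jar` are hypothetical names.

```python
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE

def class_major_version(header: bytes):
    """Major version from the first 8 bytes of a class file, or None if it is not one."""
    if len(header) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", header[:8])
    return major if magic == CLASS_MAGIC else None

def scan_jar(jar, target_release: int) -> dict:
    """Map each class entry that needs a JVM newer than target_release to that release."""
    too_new = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            # Multi-release variants under META-INF/versions/ are only loaded by newer JVMs.
            if not name.endswith(".class") or name.startswith("META-INF/versions/"):
                continue
            with zf.open(name) as entry:
                major = class_major_version(entry.read(8))
            # Class-file major version = Java release + 44 (55 -> 11, 61 -> 17).
            if major is not None and major - 44 > target_release:
                too_new[name] = major - 44
    return too_new

def build_sample_jar() -> io.BytesIO:
    """Constructed jar holding two header-only class stubs (not real Jetty bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/eclipse/jetty/http/HttpStatus.class",
                    struct.pack(">IHH", CLASS_MAGIC, 0, 61))
        zf.writestr("com/example/Legacy.class",  # hypothetical Java 11 class
                    struct.pack(">IHH", CLASS_MAGIC, 0, 55))
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, release in scan_jar(build_sample_jar(), target_release=11).items():
        print(f"{name}: needs Java {release}")
```

Run against the jars a dependency bump pulls in, this shows before the build whether the bump also raises the minimum JDK.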