@octo-sts octo-sts bot commented Jan 9, 2026

cassandra-5.0/5.0.6-r2: fix GHSA-pr98-23f8-jwxv

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/cassandra-5.0.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/apache/[email protected]

@octo-sts octo-sts bot added automated pr request-cve-remediation maven/pombump GHSA-pr98-23f8-jwxv p:cassandra-5.0 P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 9, 2026

octo-sts bot commented Jan 9, 2026

🛑 Build Failed: Compilation

cannot find symbol: class DelayingShutdownHook in package ch.qos.logback.core.hook

Build Details

| Category | Details |
| --- | --- |
| Build System | ant |
| Failure Point | javac compilation of LogbackLoggingSupport.java |

Root Cause Analysis 🔍

Missing or incompatible dependency - the DelayingShutdownHook class from logback-core is not available in the classpath, likely due to a version mismatch or missing logback dependency


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: pombump-deps.yaml

  • addition (dependencies section)
    Replacement:
# Add this dependency mapping to ensure logback-core is available
ch.qos.logback:logback-core: "1.4.14"
# or alternatively, if a different version is needed:
# ch.qos.logback:logback-core: "1.5.6"

Content:

Add logback-core dependency to ensure DelayingShutdownHook class is available during compilation

Analysis

No similar build failures were provided for analysis. However, based on the error message indicating a missing DelayingShutdownHook class from ch.qos.logback.core.hook package, this is a classic Java classpath dependency issue. The compilation is failing because the logback-core library containing this class is either missing from the classpath or is an incompatible version. This type of issue typically requires adding the missing dependency or updating to a compatible version.

Explanation

The compilation failure occurs because the Java compiler cannot find the DelayingShutdownHook class from the ch.qos.logback.core.hook package. This class is part of the logback-core library, which provides logging infrastructure for Java applications. Since Cassandra uses logback for logging (as evidenced by the LogbackLoggingSupport.java file being compiled), the logback-core dependency must be present in the classpath during compilation. The pombump-deps.yaml file is used by the maven/pombump pipeline step to manage dependency versions, so adding the logback-core dependency there will ensure it's available when the ant build process compiles the Java sources. The suggested version 1.4.14 is a stable recent version, but the exact version should be verified against Cassandra 5.0.6's requirements.

Alternative Approaches

  • Check if logback-core is already included as a transitive dependency and update the parent dependency that should bring it in
  • Add logback-core directly to the environment packages section in the Melange YAML if a system package is available
  • Verify if Cassandra's build.xml or ivy.xml already specifies logback dependencies and ensure they're being resolved correctly
  • Check if the issue is caused by conflicting logback versions and exclude older versions while specifying the correct one

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026