Conversation

@octo-sts (octo-sts bot, Contributor) commented Jan 9, 2026

cassandra-5.0/5.0.6-r2: fix GHSA-25qh-j22f-pwp8

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/cassandra-5.0.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/apache/[email protected]

@octo-sts octo-sts bot added automated pr request-cve-remediation maven/pombump GHSA-25qh-j22f-pwp8 p:cassandra-5.0 P1 This label indicates our scanning found High, Medium or Low CVEs for these packages. labels Jan 9, 2026
@octo-sts (octo-sts bot, Contributor, Author) commented Jan 9, 2026

🛑 Build Failed: Compilation

```text
cannot find symbol
import ch.qos.logback.core.hook.DelayingShutdownHook;
       ^
  symbol:   class DelayingShutdownHook
  location: package ch.qos.logback.core.hook
```

Build Details

| Category | Details |
| --- | --- |
| Build System | ant |
| Failure Point | javac compilation of source files to /home/build/build/classes/main |

Root Cause Analysis 🔍

Missing class DelayingShutdownHook in the ch.qos.logback.core.hook package. This indicates either a missing dependency, incompatible logback version, or the class has been removed/renamed in the logback library version being used.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: pombump-deps.yaml

  • add at line N/A (dependencies section)

Original:

N/A - new addition

Replacement:

```yaml
- groupId: ch.qos.logback
  artifactId: logback-core
  version: 1.3.14
- groupId: ch.qos.logback
  artifactId: logback-classic
  version: 1.3.14
```

Content:

Add logback dependency version constraint to ensure compatibility with DelayingShutdownHook class

File: build.xml or equivalent Ant configuration

  • modify at line N/A (dependency management section)

Original:

Existing dependency resolution

Replacement:

Add explicit logback-core and logback-classic JAR dependencies to compile classpath

Content:

Ensure logback dependencies are explicitly included in classpath

Analysis

No similar build failures were found in the past records, so pattern analysis is not possible. However, the error indicates a missing DelayingShutdownHook class from the ch.qos.logback.core.hook package during Cassandra 5.0.6 compilation. This suggests either an incompatible logback version dependency or the class was removed/renamed in newer logback versions. The issue likely stems from dependency version mismatches in the Maven/Ant build configuration.


Explanation

The DelayingShutdownHook class is part of logback-core and was introduced in logback version 1.3.x. Cassandra 5.0.6 likely depends on this specific logback version but the build environment may be resolving to an incompatible older version where this class doesn't exist. By explicitly constraining the logback-core and logback-classic versions to 1.3.14 (a stable release that contains DelayingShutdownHook), we ensure the required class is available during compilation. The pombump-deps.yaml file is used by the maven/pombump pipeline step to modify dependency versions, making this the appropriate place to add version constraints.


Alternative Approaches

  • Upgrade to a newer Cassandra version that has updated logback dependencies
  • Patch the Cassandra source code to use alternative shutdown hook mechanisms if DelayingShutdownHook is not critical
  • Manually download and include the correct logback JAR files in the build environment
  • Check if the issue is caused by transitive dependency conflicts and exclude conflicting logback versions

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
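The "cannot find symbol" failure above is a classpath question: which JAR, if any, actually provides `ch.qos.logback.core.hook.DelayingShutdownHook`, and at what version. The script below is an added example (not part of the Cassandra build, the pombump tooling, or the bot's output) that answers that before anyone touches `pombump-deps.yaml`: it scans every JAR on a classpath for the class entry, reads `Implementation-Version` from the manifest, and flags the three outcomes that matter here (class missing everywhere, one provider, or several JARs providing it, which is the transitive-conflict case the bot lists as an alternative cause). The JARs it builds are constructed stand-ins with empty class entries; their `sample-a`/`sample-b` version strings are placeholders and say nothing about which real logback release ships the class.

```python
"""Locate the JAR(s) on a classpath that provide a given class.

Added example for diagnosing javac 'cannot find symbol' errors such as the
missing DelayingShutdownHook above. Not part of Cassandra or pombump.
"""
import os
import tempfile
import zipfile

# The class the Cassandra 5.0.6 build could not resolve.
HOOK = "ch.qos.logback.core.hook.DelayingShutdownHook"


def class_to_entry(fqcn):
    """Fully qualified class name -> JAR entry path (a/b/C.class)."""
    return fqcn.replace(".", "/") + ".class"


def jar_version(jar):
    """Implementation-Version from META-INF/MANIFEST.MF, or 'unknown'."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version":
            return value.strip()
    return "unknown"


def find_class(classpath, fqcn):
    """One record per JAR on the classpath that contains fqcn, in classpath order."""
    entry = class_to_entry(fqcn)
    hits = []
    for path in classpath:
        if not (path.endswith(".jar") and os.path.isfile(path)):
            continue  # directories and missing entries are skipped
        with zipfile.ZipFile(path) as jar:
            if entry in jar.namelist():
                hits.append({"jar": os.path.basename(path), "version": jar_version(jar)})
    return hits


def diagnose(classpath, fqcn):
    """'missing' (no provider), 'conflict' (several JARs provide it) or 'ok'."""
    hits = find_class(classpath, fqcn)
    if not hits:
        return "missing"
    if len({h["jar"] for h in hits}) > 1:
        return "conflict"
    return "ok"


def _write_jar(path, version, entries):
    """Constructed stand-in JAR: manifest plus empty placeholder class entries."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            jar.writestr(entry, b"")  # no real bytecode, only the entry name matters


def build_sample_classpath(directory=None):
    """Two constructed logback-core stand-ins: sample-a has the hook, sample-b does not.

    The version strings are placeholders, not real logback versions.
    """
    directory = directory or tempfile.mkdtemp(prefix="classpath-demo-")
    shared = "ch/qos/logback/core/Context.class"  # present in both, to show a conflict
    a = os.path.join(directory, "logback-core-sample-a.jar")
    b = os.path.join(directory, "logback-core-sample-b.jar")
    _write_jar(a, "sample-a", [class_to_entry(HOOK), shared])
    _write_jar(b, "sample-b", [shared])
    return [a, b]


if __name__ == "__main__":
    cp = build_sample_classpath()
    print(HOOK, "->", diagnose(cp, HOOK), find_class(cp, HOOK))
    print(HOOK, "(sample-b only) ->", diagnose([cp[1]], HOOK))
    print("ch.qos.logback.core.Context ->", diagnose(cp, "ch.qos.logback.core.Context"))
```

On a real build, pass the classpath the failing javac invocation used (for an Ant build, `ant -v` prints the resolved `-classpath` argument) instead of `build_sample_classpath()`. A `missing` result points at the version pin in `pombump-deps.yaml`; a `conflict` result means a second logback JAR is being pulled in transitively and should be excluded rather than pinned over.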

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 9, 2026