octo-sts bot commented Jan 9, 2026

cassandra-5.0/5.0.6-r2: fix GHSA-6v67-2wr5-gvf4

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/cassandra-5.0.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories: https://github.com/apache/cassandra@cassandra-5.0.6

octo-sts bot added the labels automated pr, request-cve-remediation, maven/pombump, GHSA-6v67-2wr5-gvf4, p:cassandra-5.0, P1 (This label indicates our scanning found High, Medium or Low CVEs for these packages.) Jan 9, 2026

octo-sts bot commented Jan 9, 2026

🛑 Build Failed: Compilation

cannot find symbol: class DelayingShutdownHook

Build Details

| Category | Details |
| --- | --- |
| Build System | Apache Ant |
| Failure Point | javac compilation task in build-project target |

Root Cause Analysis 🔍

Missing class DelayingShutdownHook from ch.qos.logback.core.hook package. This indicates a dependency version mismatch where the Logback library version being used does not contain the DelayingShutdownHook class that the Cassandra source code is trying to import.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: pombump-deps.yaml

  • add (dependency version update section)
    Original:
      Current logback dependency version (if any)
    Replacement:
      ch.qos.logback:logback-core: 1.4.14
      ch.qos.logback:logback-classic: 1.4.14
    Content:
      Add or update Logback dependency version to align with Cassandra 5.0.6 requirements

File: cassandra-5.0.yaml

  • modify at around lines 35-50 (environment.contents.packages section)
    Original:
      Current package list without explicit logback dependencies
    Replacement:
      Add to packages list:
      - logback
      - logback-classic
    Content:
      Add specific logback dependencies to build environment

Analysis

No similar build failures were provided for analysis. However, the error indicates a missing DelayingShutdownHook class from ch.qos.logback.core.hook package, which suggests a dependency version mismatch. The Cassandra source code is expecting a newer version of Logback that includes this class, but the current build environment has an older version that lacks it.

Explanation

The DelayingShutdownHook class was introduced in Logback 1.3.0+ as part of enhanced shutdown handling. Cassandra 5.0.6 requires this newer Logback version, but the current build environment likely has an older version. The fix involves updating the Logback dependency to version 1.4.14 (latest stable) in the pombump-deps.yaml file, which is used by the maven/pombump step to update Maven dependencies. Additionally, adding explicit logback packages to the build environment ensures the correct version is available during compilation. This addresses the root cause by providing the missing DelayingShutdownHook class that Cassandra's source code expects to import.

Alternative Approaches

  • Patch the Cassandra source code to remove or conditionally use the DelayingShutdownHook class, though this is not recommended as it could affect functionality
  • Pin to a specific Cassandra commit that doesn't require the DelayingShutdownHook class, but this would mean using an older version
  • Use a different logging framework configuration that doesn't require the newer Logback features, but this could impact logging capabilities

octo-sts bot added the ai/skip-comment (Stop AI from commenting on PR) label Jan 9, 2026