Update Management API dependencies to address CVEs

CHANGELOG.md

@@ -10,6 +10,7 @@ Changelog for Management API, new PRs should update the `main / unreleased` sect
 ```
 
 ## unreleased
+* [CHANGE] [#556](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/556) Update Management API dependencies to address CVEs
 * [FEATURE] [#551](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/551) Add Cassandra 5.0.2 to the build matrix
 * [ENHANCEMENT] [#552](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/552) Improve "liveness" probe implementation
 * [BUGFIX] [#553](https://github.com/k8ssandra/management-api-for-apache-cassandra/issues/553) Fix CassandraTaskExports metric filtering to make it work with 5.0.x Major compactions

README.md

@@ -93,6 +93,13 @@ Cassandra 5.0 images are only RedHat UBI8 based.
 - All DSE 6.9.x RedHat UBI 8 based images come with only JDK 11
 - HCD images are not built within this repo. Only the Agent for HCD ois maintained within this repo
 
+### Java versions in DOcker images
+
+As of v0.1.88, all images produced from this repo will have Java 11 installed as the 
+Management API server code must now run with Java 11. For images where the Cassandra/DSE
+version runs with Java 8 (see above), Both Java 8 and Java 11 will be available, with
+Java 8 being the default and Java 8 used to run the Cassandra/DSE process.
+
 ### Docker coordinates for Cassandra OSS images
 
 #### Ubuntu based images (OSS)

cassandra/Dockerfile-3.11

@@ -123,7 +123,7 @@ RUN set -eux; \
   rm -fr /etc/apt/sources.list.d/*; \
   rm -rf /var/lib/apt/lists/*; \
   apt-get update; \
-  apt-get install -y --no-install-recommends wget iproute2; \
+  apt-get install -y --no-install-recommends openjdk-11-jdk wget iproute2; \
   rm -rf /var/lib/apt/lists/*
 
 # backwards compat with upstream ENTRYPOINT

cassandra/Dockerfile-3.11.ubi8

@@ -181,7 +181,7 @@ RUN microdnf install --nodocs shadow-utils \
     && useradd -m -d "$CASSANDRA_HOME" -r -g cassandra -G root --uid=999 cassandra \
     && microdnf update && rm -rf /var/cache/yum \
 # Install packages needed during install process
-    && microdnf install --nodocs java-1.8.0-openjdk-headless tzdata-java python2 python3 zlib findutils which hostname iproute procps util-linux glibc-langpack-en wget tar \
+    && microdnf install --nodocs java-1.8.0-openjdk-headless java-11-openjdk-headless tzdata-java python2 python3 zlib findutils which hostname iproute procps util-linux glibc-langpack-en wget tar \
     && microdnf clean all
 
 # Copy trimmed installation

cassandra/scripts/docker-entrypoint.sh

@@ -195,8 +195,24 @@ if [ "$1" = 'mgmtapi' ]; then
 
     # use default of 128m heap if env variable not set
     : "${MGMT_API_HEAP_SIZE:=128m}"
-    echo "Running" java ${MGMT_API_JAVA_OPTS} -Xms${MGMT_API_HEAP_SIZE} -Xmx${MGMT_API_HEAP_SIZE} -jar "$MGMT_API_JAR" $MGMT_API_ARGS
-    java ${MGMT_API_JAVA_OPTS} -Xms${MGMT_API_HEAP_SIZE} -Xmx${MGMT_API_HEAP_SIZE} -jar "$MGMT_API_JAR" $MGMT_API_ARGS
+
+    # locate Java 11 for running the server
+    if [ "$JAVA11_JAVA" = "" ]; then
+        # use default Java if it reports version 11
+        DEFAULT_JAVA_VERSION=$(java -version 2>&1|awk -F '"' '/version/ {print $2}')
+        echo "Default Java version: ${DEFAULT_JAVA_VERSION}"
+        if [[ $DEFAULT_JAVA_VERSION == 11* ]]; then
+            # Java version seems to be 11
+            JAVA11_JAVA=java
+        else
+            # find java 11
+            JAVA11_HOME=$(find /usr/lib/jvm -type d -name "*java-11*")
+            echo "Found JAVA11 HOME: ${JAVA11_HOME}"
+            JAVA11_JAVA=${JAVA11_HOME}/bin/java
+        fi
+    fi
+    echo "Running" ${JAVA11_JAVA} ${MGMT_API_JAVA_OPTS} -Xms${MGMT_API_HEAP_SIZE} -Xmx${MGMT_API_HEAP_SIZE} -jar "$MGMT_API_JAR" $MGMT_API_ARGS
+    ${JAVA11_JAVA} ${MGMT_API_JAVA_OPTS} -Xms${MGMT_API_HEAP_SIZE} -Xmx${MGMT_API_HEAP_SIZE} -jar "$MGMT_API_JAR" $MGMT_API_ARGS
 fi
 
 exec "$@"

dse/Dockerfile-dse6.8.jdk8

@@ -138,6 +138,7 @@ RUN mkdir -m 775 ${CDC_AGENT_PATH} && \
   chmod -R g+w ${CDC_AGENT_PATH}
 
 FROM datastax/${DS_BASE_DEBIAN}:${BASETAG} AS dse
+ARG TARGETARCH
 ARG DSE_VERSION
 ENV DSE_VERSION=${DSE_VERSION}
 
@@ -156,7 +157,15 @@ ENV MGMT_AGENT_JAR="${MAAC_PATH}/datastax-mgmtapi-agent.jar"
 RUN set -x \
 # Add DSE user
     && groupadd -r dse --gid=999 \
-    && useradd -m -d "$DSE_HOME" -r -g dse -G root --uid=999 dse
+    && useradd -m -d "$DSE_HOME" -r -g dse -G root --uid=999 dse \
+# Add JDK11 for Management API server
+    && rm -fr /etc/apt/sources.list.d/* \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends openjdk-11-jdk \
+    && rm -rf /var/lib/apt/lists/* \
+# JDK8 should be the default for DSE
+    && update-java-alternatives -s /usr/lib/jvm/java-1.8.0-openjdk-${TARGETARCH}
 
 COPY --chown=dse:root dse/files /
 

dse/Dockerfile-dse6.8.ubi8

@@ -58,6 +58,7 @@ RUN mkdir -m 775 $MAAC_PATH \
 
 # Using UBI8 with Python 2 support, eventually we may switch to Python 3
 FROM registry.access.redhat.com/ubi${UBI_MAJOR}/ubi-minimal:${UBI_BASETAG} AS dse
+ARG TARGETARCH
 ARG DSE_VERSION
 ENV DSE_VERSION=${DSE_VERSION}
 
@@ -75,8 +76,8 @@ ENV HOME=$DSE_HOME
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 
 # Install runtime dependencies and updates
-RUN microdnf update && rm -rf /var/cache/yum && \
-    microdnf install --nodocs -y java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel python2 zlib libaio which findutils hostname iproute shadow-utils procps util-linux glibc-langpack-en wget tar && microdnf clean all
+RUN microdnf update && rm -rf /var/cache/yum \
+    && microdnf install --nodocs -y java-1.8.0-openjdk-headless java-1.8.0-openjdk-devel java-11-openjdk-headless python2 zlib libaio which findutils hostname iproute shadow-utils procps util-linux glibc-langpack-en wget tar && microdnf clean all
 
 WORKDIR $HOME
 

dse/files/entrypoint.sh

@@ -182,8 +182,23 @@ if [ "$USE_MGMT_API" = "true" ] && [ -d "$MAAC_PATH" ] ; then
     # use default of 128m heap if env variable not set
     : "${MGMT_API_HEAP_SIZE:=128m}"
 
-    echo "Running" java ${MGMT_API_JAVA_OPTS} -Xms${MGMT_API_HEAP_SIZE} -Xmx${MGMT_API_HEAP_SIZE} -jar "$MGMT_API_JAR" $MGMT_API_ARGS
-    java ${MGMT_API_JAVA_OPTS} -Xms${MGMT_API_HEAP_SIZE} -Xmx${MGMT_API_HEAP_SIZE} -jar "$MGMT_API_JAR" $MGMT_API_ARGS
+    # locate Java 11 for running the server
+    if [ "$JAVA11_JAVA" = "" ]; then
+        # use default Java if it reports version 11
+        DEFAULT_JAVA_VERSION=$(java -version 2>&1|awk -F '"' '/version/ {print $2}')
+        echo "Default Java version: ${DEFAULT_JAVA_VERSION}"
+        if [[ $DEFAULT_JAVA_VERSION == 11* ]]; then
+            # Java version seems to be 11
+            JAVA11_JAVA=java
+        else
+            # find java 11
+            JAVA11_HOME=$(find /usr/lib/jvm -type d -name "*java-11*")
+            echo "Found JAVA11 HOME: ${JAVA11_HOME}"
+            JAVA11_JAVA=${JAVA11_HOME}/bin/java
+        fi
+    fi
+    echo "Running" ${JAVA11_JAVA} ${MGMT_API_JAVA_OPTS} -Xms${MGMT_API_HEAP_SIZE} -Xmx${MGMT_API_HEAP_SIZE} -jar "$MGMT_API_JAR" $MGMT_API_ARGS
+    ${JAVA11_JAVA} ${MGMT_API_JAVA_OPTS} -Xms${MGMT_API_HEAP_SIZE} -Xmx${MGMT_API_HEAP_SIZE} -jar "$MGMT_API_JAR" $MGMT_API_ARGS
 else
     echo "Running $@"
     exec "$@"

management-api-server/doc/openapi.json

@@ -564,10 +564,7 @@
           "200" : {
             "content" : {
               "application/json" : {
-                "example" : {
-                  "class" : "org.apache.cassandra.locator.SimpleStrategy",
-                  "replication_factor" : "2"
-                },
+                "example" : "{\"class\":\"org.apache.cassandra.locator.SimpleStrategy\",\"replication_factor\":\"2\"}",
                 "schema" : {
                   "type" : "string"
                 }
@@ -747,31 +744,7 @@
           "200" : {
             "content" : {
               "application/json" : {
-                "example" : {
-                  "entity" : false,
-                  "variant" : {
-                    "language" : null,
-                    "mediaType" : {
-                      "type" : "application",
-                      "subtype" : "json",
-                      "parameters" : { },
-                      "wildcardType" : false,
-                      "wildcardSubtype" : false
-                    },
-                    "encoding" : null,
-                    "languageString" : null
-                  },
-                  "annotations" : [ ],
-                  "mediaType" : {
-                    "type" : "application",
-                    "subtype" : "json",
-                    "parameters" : { },
-                    "wildcardType" : false,
-                    "wildcardSubtype" : false
-                  },
-                  "language" : null,
-                  "encoding" : null
-                },
+                "example" : "{\"entity\":false,\"variant\":{\"language\":null,\"mediaType\":{\"type\":\"application\",\"subtype\":\"json\",\"parameters\":{},\"wildcardType\":false,\"wildcardSubtype\":false},\"encoding\":null,\"languageString\":null},\"annotations\":[],\"mediaType\":{\"type\":\"application\",\"subtype\":\"json\",\"parameters\":{},\"wildcardType\":false,\"wildcardSubtype\":false},\"language\":null,\"encoding\":null}",
                 "schema" : {
                   "type" : "string"
                 }
@@ -1936,7 +1909,7 @@
                 "example" : "keyspace must be specified",
                 "schema" : {
                   "type" : "string",
-                  "enum" : [ "OK", "Created", "Accepted", "No Content", "Reset Content", "Partial Content", "Moved Permanently", "Found", "See Other", "Not Modified", "Use Proxy", "Temporary Redirect", "Bad Request", "Unauthorized", "Payment Required", "Forbidden", "Not Found", "Method Not Allowed", "Not Acceptable", "Proxy Authentication Required", "Request Timeout", "Conflict", "Gone", "Length Required", "Precondition Failed", "Request Entity Too Large", "Request-URI Too Long", "Unsupported Media Type", "Requested Range Not Satisfiable", "Expectation Failed", "Precondition Required", "Too Many Requests", "Request Header Fields Too Large", "Internal Server Error", "Not Implemented", "Bad Gateway", "Service Unavailable", "Gateway Timeout", "HTTP Version Not Supported", "Network Authentication Required" ]
+                  "enum" : [ "OK", "Created", "Accepted", "No Content", "Reset Content", "Partial Content", "Multiple Choices", "Moved Permanently", "Found", "See Other", "Not Modified", "Use Proxy", "Temporary Redirect", "Permanent Redirect", "Bad Request", "Unauthorized", "Payment Required", "Forbidden", "Not Found", "Method Not Allowed", "Not Acceptable", "Proxy Authentication Required", "Request Timeout", "Conflict", "Gone", "Length Required", "Precondition Failed", "Request Entity Too Large", "Request-URI Too Long", "Unsupported Media Type", "Requested Range Not Satisfiable", "Expectation Failed", "Precondition Required", "Too Many Requests", "Request Header Fields Too Large", "Unavailable For Legal Reasons", "Internal Server Error", "Not Implemented", "Bad Gateway", "Service Unavailable", "Gateway Timeout", "HTTP Version Not Supported", "Network Authentication Required" ]
                 }
               }
             },
@@ -1948,7 +1921,7 @@
                 "example" : "internal error, we did not receive the expected repair ID from Cassandra.",
                 "schema" : {
                   "type" : "string",
-                  "enum" : [ "OK", "Created", "Accepted", "No Content", "Reset Content", "Partial Content", "Moved Permanently", "Found", "See Other", "Not Modified", "Use Proxy", "Temporary Redirect", "Bad Request", "Unauthorized", "Payment Required", "Forbidden", "Not Found", "Method Not Allowed", "Not Acceptable", "Proxy Authentication Required", "Request Timeout", "Conflict", "Gone", "Length Required", "Precondition Failed", "Request Entity Too Large", "Request-URI Too Long", "Unsupported Media Type", "Requested Range Not Satisfiable", "Expectation Failed", "Precondition Required", "Too Many Requests", "Request Header Fields Too Large", "Internal Server Error", "Not Implemented", "Bad Gateway", "Service Unavailable", "Gateway Timeout", "HTTP Version Not Supported", "Network Authentication Required" ]
+                  "enum" : [ "OK", "Created", "Accepted", "No Content", "Reset Content", "Partial Content", "Multiple Choices", "Moved Permanently", "Found", "See Other", "Not Modified", "Use Proxy", "Temporary Redirect", "Permanent Redirect", "Bad Request", "Unauthorized", "Payment Required", "Forbidden", "Not Found", "Method Not Allowed", "Not Acceptable", "Proxy Authentication Required", "Request Timeout", "Conflict", "Gone", "Length Required", "Precondition Failed", "Request Entity Too Large", "Request-URI Too Long", "Unsupported Media Type", "Requested Range Not Satisfiable", "Expectation Failed", "Precondition Required", "Too Many Requests", "Request Header Fields Too Large", "Unavailable For Legal Reasons", "Internal Server Error", "Not Implemented", "Bad Gateway", "Service Unavailable", "Gateway Timeout", "HTTP Version Not Supported", "Network Authentication Required" ]
                 }
               }
             },
@@ -2182,7 +2155,7 @@
             "type" : "array",
             "items" : {
               "type" : "string",
-              "enum" : [ "ASYNC_SSTABLE_TASKS", "FULL_QUERY_LOGGING", "REBUILD", "ASYNC_UPGRADE_SSTABLE_TASK", "ASYNC_COMPACTION_TASKS", "ASYNC_SCRUB_TASK", "ASYNC_MOVE_TASK", "ASYNC_GC_TASK", "RELOAD_INTERNODE_TRUSTSTORE", "ASYNC_FLUSH_TASK" ]
+              "enum" : [ "async_sstable_tasks", "full_query_logging", "rebuild", "async_upgrade_sstable_task", "async_compaction_task", "async_scrub_task", "async_move_task", "async_gc_task", "reload_internode_truststore", "async_flush_task" ]
             }
           },
           "mgmt_version" : {

management-api-server/pom.xml

@@ -16,14 +16,14 @@
   <version>${revision}</version>
   <artifactId>datastax-mgmtapi-server</artifactId>
   <properties>
-    <rsapi.version>2.1.1</rsapi.version>
     <guava.version>30.1.1-jre</guava.version>
     <airline.version>2.7.0</airline.version>
-    <jaxrs.version>2.1.6</jaxrs.version>
-    <resteasy.version>4.5.9.Final</resteasy.version>
+    <jaxrs.version>2.2.19</jaxrs.version>
+    <resteasy.version>6.2.10.Final</resteasy.version>
     <awaitility.version>4.0.3</awaitility.version>
     <assertj.version>3.17.2</assertj.version>
-    <servelet.version>3.1.0</servelet.version>
+    <servelet.version>6.1.0</servelet.version>
+    <commons.io.version>2.17.0</commons.io.version>
   </properties>
   <dependencies>
     <dependency>
@@ -47,9 +47,9 @@
       <version>${logback.version}</version>
     </dependency>
     <dependency>
-      <groupId>javax.ws.rs</groupId>
-      <artifactId>javax.ws.rs-api</artifactId>
-      <version>${rsapi.version}</version>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <version>${commons.io.version}</version>
     </dependency>
     <dependency>
       <groupId>com.google.guava</groupId>
@@ -63,7 +63,7 @@
     </dependency>
     <dependency>
       <groupId>io.swagger.core.v3</groupId>
-      <artifactId>swagger-jaxrs2</artifactId>
+      <artifactId>swagger-jaxrs2-jakarta</artifactId>
       <version>${jaxrs.version}</version>
     </dependency>
     <dependency>
@@ -87,8 +87,8 @@
       <version>${driver.version}</version>
     </dependency>
     <dependency>
-      <groupId>javax.servlet</groupId>
-      <artifactId>javax.servlet-api</artifactId>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
       <version>${servelet.version}</version>
     </dependency>
     <dependency>
@@ -291,7 +291,7 @@
       </plugin>
       <plugin>
         <groupId>io.swagger.core.v3</groupId>
-        <artifactId>swagger-maven-plugin</artifactId>
+        <artifactId>swagger-maven-plugin-jakarta</artifactId>
         <version>${jaxrs.version}</version>
         <configuration>
           <outputFileName>openapi</outputFileName>

management-api-server/src/main/java/com/datastax/mgmtapi/ManagementApplication.java

@@ -17,13 +17,13 @@
 import com.google.common.collect.ImmutableSet;
 import io.swagger.v3.jaxrs2.SwaggerSerializers;
 import io.swagger.v3.jaxrs2.integration.resources.OpenApiResource;
+import jakarta.ws.rs.ApplicationPath;
+import jakarta.ws.rs.core.Application;
+import jakarta.ws.rs.core.Response;
 import java.io.File;
 import java.util.Collection;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicReference;
-import javax.ws.rs.ApplicationPath;
-import javax.ws.rs.core.Application;
-import javax.ws.rs.core.Response;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 

management-api-server/src/main/java/com/datastax/mgmtapi/resources/AuthResources.java

@@ -12,12 +12,12 @@
 import io.swagger.v3.oas.annotations.media.ExampleObject;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import org.apache.commons.lang3.StringUtils;
 
 @Path("/api/v0/ops/auth")

management-api-server/src/main/java/com/datastax/mgmtapi/resources/K8OperatorResources.java

@@ -22,17 +22,17 @@
 import io.swagger.v3.oas.annotations.media.ExampleObject;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import java.io.IOException;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 

management-api-server/src/main/java/com/datastax/mgmtapi/resources/KeyspaceOpsResources.java

@@ -20,18 +20,18 @@
 import io.swagger.v3.oas.annotations.media.ExampleObject;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.http.HttpStatus;

management-api-server/src/main/java/com/datastax/mgmtapi/resources/LifecycleResources.java

@@ -28,6 +28,15 @@
 import io.swagger.v3.oas.annotations.media.ExampleObject;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.client.Entity;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.Paths;
@@ -38,15 +47,6 @@
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.client.Entity;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.http.HttpStatus;