Merge branch 'cassandra-4.0' into cassandra-4.1

Author: smiklosovic

.build/dependency-check-suppressions.xml

@@ -52,13 +52,6 @@
         <cve>CVE-2023-44487</cve>
         <cve>CVE-2025-25193</cve>
     </suppress>
-    <!-- https://issues.apache.org/jira/browse/CASSANDRA-17966 -->
-    <suppress>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-        <cve>CVE-2022-42003</cve>
-        <cve>CVE-2022-42004</cve>
-        <cve>CVE-2023-35116</cve>
-    </suppress>
 
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-19142 -->
     <!-- https://issues.apache.org/jira/browse/CASSANDRA-20412 -->

.snyk

@@ -34,16 +34,10 @@ ignore:
     - reason: https://issues.apache.org/jira/browse/CASSANDRA-17907 -- ^pkg:maven/org\.yaml/snakeyaml@.*$
   CVE-2022-41881:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
-  CVE-2022-42003:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
-  CVE-2022-42004:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
   CVE-2023-2976:
     - reason: not applicable https://nvd.nist.gov/vuln/detail/CVE-2020-8908 -- ^pkg:maven/com\.google\.guava/guava@.*$
   CVE-2023-34462:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
-  CVE-2023-35116:
-    - reason: https://issues.apache.org/jira/browse/CASSANDRA-17966 -- ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
   CVE-2023-44487:
     - reason: netty's http stuff is not applicable here -- ^pkg:maven/io\.netty/netty\-all@.*$
   CVE-2023-6378:

CHANGES.txt

@@ -5,6 +5,7 @@
  * IntrusiveStack.accumulate is not accumulating correctly (CASSANDRA-20670)
  * Add nodetool get/setguardrailsconfig commands (CASSANDRA-19552)
 Merged from 4.0:
+ * Update Jackson to 2.19.2 (CASSANDRA-20848)
  * Update commons-lang3 to 3.18.0 (CASSANDRA-20849)
  * Add NativeTransportMaxConcurrentConnectionsPerIp to StorageProxyMBean (CASSANDRA-20642)
  * Make secondary index implementations notified about rows in fully expired SSTables in compaction (CASSANDRA-20829)

build.xml

@@ -591,11 +591,12 @@
           <dependency groupId="org.slf4j" artifactId="jcl-over-slf4j" version="1.7.25" />
           <dependency groupId="ch.qos.logback" artifactId="logback-core" version="1.2.9"/>
           <dependency groupId="ch.qos.logback" artifactId="logback-classic" version="1.2.9"/>
-          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.13.2"/>
-          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.13.2.2"/>
-          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.13.2"/>
-          <dependency groupId="com.fasterxml.jackson.datatype" artifactId="jackson-datatype-jsr310" version="2.13.2"/>
+          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-core" version="2.19.2"/>
+          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-databind" version="2.19.2"/>
+          <dependency groupId="com.fasterxml.jackson.core" artifactId="jackson-annotations" version="2.19.2"/>
+          <dependency groupId="com.fasterxml.jackson.datatype" artifactId="jackson-datatype-jsr310" version="2.19.2"/>
           <dependency groupId="com.fasterxml.jackson.dataformat" artifactId="jackson-dataformat-yaml" version="2.13.2"  scope="test">
+            <!-- CASSANDRA-20848 2.19.x would bring snakeyaml 2.4 which is for now incompatible with rest of the codebase -->
             <exclusion groupId="org.yaml" artifactId="snakeyaml"/>
           </dependency>
           <dependency groupId="com.googlecode.json-simple" artifactId="json-simple" version="1.1"/>