FIREFLY-1982 Fix high and critical CVEs in Firefly container image#1942
- Reduce Ubuntu vulnerabilities from 206 to 23 (medium and low only).
- Reduce Java (LOW: 8, MEDIUM: 25, HIGH: 20, CRITICAL: 2) to (LOW: 6, MEDIUM: 22, HIGH: 16, CRITICAL: 1)
- No ehcache.xml. Many code changes.
- The old ehcache bundled older versions of the Jackson library that have CVEs.
update jackson library to 2.21
update msgpack to 0.9.11
remove ‘magic’ extension from duckdb
add log4j-slf support
Results:
ipac/firefly:loi (ubuntu 24.04)
===============================
Total: 23 (UNKNOWN: 0, LOW: 13, MEDIUM: 10, HIGH: 0, CRITICAL: 0)
Total: 11 (UNKNOWN: 0, LOW: 3, MEDIUM: 8, HIGH: 0, CRITICAL: 0)
Java (jar)
==========
Total: 45 (UNKNOWN: 0, LOW: 6, MEDIUM: 22, HIGH: 16, CRITICAL: 1)
Total: 25 (UNKNOWN: 0, LOW: 2, MEDIUM: 14, HIGH: 8, CRITICAL: 1)
- This removes the dependency on com.google.guava:guava, which has 2 medium and 1 low CVEs.
Results:
Java (jar)
==========
Total: 25 (UNKNOWN: 0, LOW: 2, MEDIUM: 14, HIGH: 8, CRITICAL: 1)
Total: 22 (UNKNOWN: 0, LOW: 1, MEDIUM: 12, HIGH: 8, CRITICAL: 1)
nimbus-jose-jwt:9.37.2 -> nimbus-jose-jwt:9.37.4
jakarta.mail:2.0.2 -> jakarta.mail:2.0.4
commons-fileupload2-jakarta:2.0.0-M1 -> commons-fileupload2-jakarta-servlet6:2.0.0-M5
s3-transfer-manager:2.33.11 -> s3-transfer-manager:2.42.35
Results:
Java (jar)
==========
Total: 22 (UNKNOWN: 0, LOW: 1, MEDIUM: 12, HIGH: 8, CRITICAL: 1)
Total: 13 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 5, CRITICAL: 1)
- Refactored JDBC access code
- Refactored Format and FormatUtil
Results:
Java (jar)
==========
Total: 13 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 5, CRITICAL: 1)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
robyww left a comment
The code looks good to me. I will try to do more testing.
| setHeader(HttpHeaders.USER_AGENT, VersionUtil.getUserAgentString()); | ||
| setHeader(HttpHeaders.ACCEPT_ENCODING, "gzip"); | ||
| setHeader("User-Agent", VersionUtil.getUserAgentString()); | ||
| setHeader("Accept-Encoding", "gzip"); |
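Review bot: swapping the HttpHeaders.USER_AGENT and HttpHeaders.ACCEPT_ENCODING constants for the string literals "User-Agent" and "Accept-Encoding" gives up the compile-time check on the header names; if the constants are going away because the library that provided them is no longer a dependency, a line in the PR description saying so would answer the question before it is asked. Header names are case-insensitive on the wire, so the chosen spelling is not a functional concern.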
should use all lowercase. I think you brought this up a few months ago.
HTTP header names are case-insensitive, so it does not matter. This way improves readability.
| final long finalVisHeapBytes = visHeapBytes; | ||
| CacheManager manager = CacheManagerBuilder.newCacheManagerBuilder() | ||
| .using(visStats) | ||
| .using(new CustomSizeOfEngine.Provider(Long.MAX_VALUE, Long.MAX_VALUE)) |
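Review bot: the two Long.MAX_VALUE arguments passed to CustomSizeOfEngine.Provider remove whatever bounds the provider would otherwise enforce while sizing cached objects; a short comment on this line stating what each argument bounds and why unbounded is acceptable here (the private-module / reflection reason given in this thread) would keep the question from being reopened the next time someone reads it.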
I wish I remembered why we had to compute sizeof ourselves. Something was not working.
Yes, some cached objects reference classes in private modules. This provides a way to short-circuit and return the object’s size without relying on reflection.
| } | ||
|
|
||
| public void batchUpdate(String sql, List<Object[]> paramsList) { | ||
| if (paramsList == null || paramsList.isEmpty()) return; |
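Review bot: batchUpdate returns silently when paramsList is null, so a caller that fails to populate its parameters sees neither an update nor an error. Consider treating null as a programming error (for example Objects.requireNonNull(paramsList)) and keeping the early return only for the empty list, and document that contract on the method.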
kpuriIpac left a comment
I tested all 3 apps, did all basic searches once and didn't find any new issues. I'll test some more tomorrow as well, but looks good to me so far.
Ticket: https://jira.ipac.caltech.edu/browse/FIREFLY-1982
Additional changes here: https://github.com/IPAC-SW/irsa-ife/pull/463
This PR addresses the HIGH and CRITICAL severity CVEs identified in the current Firefly container image to improve security and meet compliance requirements.
The work included scanning the image, identifying affected packages and dependencies, updating vulnerable components, rebuilding the image, and re-scanning to verify the fixes.
Report was generated with:
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  aquasec/trivy:0.69.3 image ipac/firefly > report.txt

NOTE: The final scan report has been attached to the ticket as final.txt.

Changes included
Container / base image
Dependency and library updates
Code cleanup / removals
Results
Base image
Java (jar)
Regression testing is required to ensure everything continues to work as before:
https://fireflydev.ipac.caltech.edu/firefly-1982-fix-cve/firefly/
https://firefly-1982-fix-cve.irsakubedev.ipac.caltech.edu/irsaviewer/
https://firefly-1982-fix-cve.irsakubedev.ipac.caltech.edu/applications/spherex/
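The scan, fix, rebuild and re-scan loop described in this PR can be checked mechanically rather than by eye. The following is an added example, not code from this PR or the Firefly project: it parses the `Total:` summary line that Trivy's table output prints per target (the format quoted in the commit messages above), sums two reports by severity, and refuses to pass a report that is empty or still carries HIGH or CRITICAL findings. The two sample reports are constructed from counts in this PR's commit messages, not from a fresh scan.

```python
import re

# Trivy's table output prints one "Total:" line per scanned target
# (base image, Java jars, ...), e.g.:
#   Total: 23 (UNKNOWN: 0, LOW: 13, MEDIUM: 10, HIGH: 0, CRITICAL: 0)
TOTAL_RE = re.compile(
    r"Total:\s*(\d+)\s*\(UNKNOWN:\s*(\d+),\s*LOW:\s*(\d+),\s*MEDIUM:\s*(\d+),"
    r"\s*HIGH:\s*(\d+),\s*CRITICAL:\s*(\d+)\)"
)
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

def parse_totals(report: str) -> list[dict[str, int]]:
    """Return one severity-count dict per 'Total:' line, in report order."""
    rows = []
    for m in TOTAL_RE.finditer(report):
        counts = dict(zip(SEVERITIES, map(int, m.groups()[1:])))
        counts["TOTAL"] = int(m.group(1))
        rows.append(counts)
    return rows

def severity_delta(before: str, after: str) -> dict[str, int]:
    """Sum counts over all targets and return (after - before) per severity."""
    def sums(report: str) -> dict[str, int]:
        agg = dict.fromkeys(SEVERITIES + ("TOTAL",), 0)
        for row in parse_totals(report):
            for key, val in row.items():
                agg[key] += val
        return agg
    b, a = sums(before), sums(after)
    return {key: a[key] - b[key] for key in a}

def gate(report: str, blocked=("HIGH", "CRITICAL")) -> bool:
    """True only if the report parsed and no target has a blocked-severity finding."""
    rows = parse_totals(report)
    # An empty or unparsable report must fail closed, not pass by default.
    return bool(rows) and all(row[s] == 0 for row in rows for s in blocked)

# Constructed sample reports in the summary format quoted in the commit
# messages above (counts copied from this PR, not from a fresh Trivy run).
BEFORE = """ipac/firefly:loi (ubuntu 24.04)
Total: 23 (UNKNOWN: 0, LOW: 13, MEDIUM: 10, HIGH: 0, CRITICAL: 0)
Java (jar)
Total: 13 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 5, CRITICAL: 1)
"""
AFTER = """ipac/firefly:loi (ubuntu 24.04)
Total: 11 (UNKNOWN: 0, LOW: 3, MEDIUM: 8, HIGH: 0, CRITICAL: 0)
Java (jar)
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
"""
```

For a pipeline gate, `trivy image --format json` is the more stable input than scraping the table summary; the parsing above is only as durable as Trivy's table layout.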