From f02ea8b92e80a1d129256d987fecbded15da2a59 Mon Sep 17 00:00:00 2001
From: jorgee
Date: Tue, 5 May 2026 16:59:17 +0200
Subject: [PATCH 1/5] fix netty vulnerabilities

Signed-off-by: jorgee
---
 plugins/nf-amazon/build.gradle | 17 ++++++++++++-----
 plugins/nf-azure/build.gradle | 18 ++++++++++++++++--
 plugins/nf-codecommit/build.gradle | 15 ++++++++++++---
 plugins/nf-tower/build.gradle | 2 +-
 4 files changed, 41 insertions(+), 11 deletions(-)

diff --git a/plugins/nf-amazon/build.gradle b/plugins/nf-amazon/build.gradle
index 1488a3c80f..388512f533 100644
--- a/plugins/nf-amazon/build.gradle
+++ b/plugins/nf-amazon/build.gradle
@@ -51,6 +51,18 @@ configurations {
 }

 dependencies {
+ // Force patched Netty across all configurations (incl. testRuntimeClasspath, where
+ // a transitive fixture would otherwise escalate to 4.2.x).
+ // Addresses GHSA-pwqr-wmgm-9rr8 (netty-codec-http HTTP Request Smuggling)
+ // and GHSA-w9fj-cfpg-grvv (netty-codec-http2 CONTINUATION Frame Flood DoS).
+ constraints {
+ implementation('io.netty:netty-buffer') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-common') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-handler') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-codec-http') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-codec-http2') { version { strictly '4.1.132.Final' } }
+ }
+
 compileOnly project(':nextflow')
 compileOnly 'org.slf4j:slf4j-api:2.0.17'
 compileOnly 'org.pf4j:pf4j:3.14.1'
@@ -71,11 +83,6 @@ dependencies {
 api ('software.amazon.awssdk:apache-client:2.33.2')
 api ('software.amazon.awssdk:aws-crt-client:2.33.2')

- // address security vulnerabilities
- implementation 'io.netty:netty-common:4.1.132.Final'
- implementation 'io.netty:netty-handler:4.1.132.Final'
- implementation 'io.netty:netty-codec-http2:4.1.132.Final'
-
 testImplementation(testFixtures(project(":nextflow")))
 testImplementation project(':nextflow')
 testImplementation "org.apache.groovy:groovy:4.0.31"
diff --git a/plugins/nf-azure/build.gradle b/plugins/nf-azure/build.gradle
index 63371d193a..6f09af8183 100644
--- a/plugins/nf-azure/build.gradle
+++ b/plugins/nf-azure/build.gradle
@@ -50,17 +50,31 @@ configurations {
 }

 dependencies {
+ // Force patched Netty across all configurations (incl. testRuntimeClasspath, where
+ // a transitive fixture would otherwise escalate to 4.2.x).
+ // Addresses GHSA-pwqr-wmgm-9rr8 (netty-codec-http HTTP Request Smuggling)
+ // and GHSA-w9fj-cfpg-grvv (netty-codec-http2 CONTINUATION Frame Flood DoS).
+ // netty-buffer must be pinned alongside the rest -- leaving it at 4.2.x
+ // (via Micronaut BOM) causes ABI mismatch in AbstractByteBufAllocator.
+ constraints {
+ implementation('io.netty:netty-buffer') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-common') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-handler') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-codec-http') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-codec-http2') { version { strictly '4.1.132.Final' } }
+ }
+
 compileOnly project(':nextflow')
 compileOnly 'org.slf4j:slf4j-api:2.0.17'
 compileOnly 'org.pf4j:pf4j:3.14.1'

- api('com.azure:azure-storage-blob:12.33.2') {
+ api('com.azure:azure-storage-blob:12.33.3') {
 exclude group: 'org.slf4j', module: 'slf4j-api'
 }
 api('com.azure:azure-compute-batch:1.0.0-beta.3') {
 exclude group: 'org.slf4j', module: 'slf4j-api'
 exclude group: 'com.google.guava', module: 'guava'
 }
- api('com.azure:azure-identity:1.18.2') {
+ api('com.azure:azure-identity:1.18.3') {
 exclude group: 'org.slf4j', module: 'slf4j-api'
 }
diff --git a/plugins/nf-codecommit/build.gradle b/plugins/nf-codecommit/build.gradle
index 46c421b1b9..468ea3a580 100644
--- a/plugins/nf-codecommit/build.gradle
+++ b/plugins/nf-codecommit/build.gradle
@@ -46,6 +46,18 @@ configurations {
 }

 dependencies {
+ // Force patched Netty across all configurations (incl. testRuntimeClasspath, where
+ // a transitive fixture would otherwise escalate to 4.2.x).
+ // Addresses GHSA-pwqr-wmgm-9rr8 (netty-codec-http HTTP Request Smuggling)
+ // and GHSA-w9fj-cfpg-grvv (netty-codec-http2 CONTINUATION Frame Flood DoS).
+ constraints {
+ implementation('io.netty:netty-buffer') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-common') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-handler') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-codec-http') { version { strictly '4.1.132.Final' } }
+ implementation('io.netty:netty-codec-http2') { version { strictly '4.1.132.Final' } }
+ }
+
 compileOnly project(':nextflow')
 compileOnly 'org.slf4j:slf4j-api:2.0.17'
 compileOnly 'org.pf4j:pf4j:3.14.1'
@@ -55,9 +67,6 @@ dependencies {
 api ('software.amazon.awssdk:sso:2.31.64')
 api ('software.amazon.awssdk:ssooidc:2.31.64')

- // address security vulnerabilities
- runtimeOnly 'io.netty:netty-codec-http:4.1.132.Final'
-
 testImplementation(testFixtures(project(":nextflow")))
 testImplementation project(':nextflow')
 testImplementation "org.apache.groovy:groovy:4.0.31"
diff --git a/plugins/nf-tower/build.gradle b/plugins/nf-tower/build.gradle
index 7b63a2f57d..5aefac4f66 100644
--- a/plugins/nf-tower/build.gradle
+++ b/plugins/nf-tower/build.gradle
@@ -69,7 +69,7 @@ dependencies {
 testImplementation "org.apache.groovy:groovy-nio:4.0.31"
 testImplementation "org.apache.groovy:groovy-json:4.0.31"
 // wiremock required by TowerFusionEnvTest
- testImplementation "org.wiremock:wiremock:3.13.1"
+ testImplementation "org.wiremock:wiremock:3.13.2"
 // Address security vulnerabilities CVE-2022-45688 and CVE-2023-5072
 testImplementation 'org.json:json:20240303'
 }

From 6308e6e7eee9ba1baf984bfc0eac57cdf87eeff8 Mon Sep 17 00:00:00 2001
From: jorgee
Date: Tue, 5 May 2026 19:59:26 +0200
Subject: [PATCH 2/5] alternatice to version pinning

Signed-off-by: jorgee
---
 modules/nextflow/build.gradle | 2 +-
 modules/nf-commons/build.gradle | 2 +-
 modules/nf-httpfs/build.gradle | 2 +-
 plugins/nf-amazon/build.gradle | 40 +++++++------------
 .../main/nextflow/cloud/aws/nio/S3Client.java | 1 +
 plugins/nf-azure/build.gradle | 14 +------
 plugins/nf-codecommit/build.gradle | 18 ++------
 7 files changed, 24 insertions(+), 55 deletions(-)

diff --git a/modules/nextflow/build.gradle b/modules/nextflow/build.gradle
index de5240774c..0b5a7eeb3c 100644
--- a/modules/nextflow/build.gradle
+++ b/modules/nextflow/build.gradle
@@ -76,7 +76,7 @@ dependencies {
 testImplementation 'org.subethamail:subethasmtp:3.1.7'
 testImplementation (project(':nf-lineage'))

- testImplementation 'org.wiremock:wiremock:3.13.1'
+ testImplementation 'org.wiremock:wiremock:3.13.2'
 // test configuration
 testFixturesApi ("org.apache.groovy:groovy-test:4.0.31") { exclude group: 'org.apache.groovy' }
 testFixturesApi ("org.objenesis:objenesis:3.4")
diff --git a/modules/nf-commons/build.gradle b/modules/nf-commons/build.gradle
index ef1a429896..9d8eb460ca 100644
--- a/modules/nf-commons/build.gradle
+++ b/modules/nf-commons/build.gradle
@@ -45,6 +45,6 @@ dependencies {
 testFixturesImplementation(project(":nextflow"))
 testImplementation "org.apache.groovy:groovy-json:4.0.31"
 // needed by wiremock
- testImplementation ('org.wiremock:wiremock:3.13.1') { exclude module: 'groovy-all' }
+ testImplementation ('org.wiremock:wiremock:3.13.2') { exclude module: 'groovy-all' }
 }

diff --git a/modules/nf-httpfs/build.gradle b/modules/nf-httpfs/build.gradle
index 1ead9cc6cb..98e46c1c6d 100644
--- a/modules/nf-httpfs/build.gradle
+++ b/modules/nf-httpfs/build.gradle
@@ -36,7 +36,7 @@ dependencies {
 /* testImplementation inherited from top gradle build file */
 testImplementation "org.apache.groovy:groovy-json:4.0.31"
 // needed by wiremock
- testImplementation ('org.wiremock:wiremock:3.13.1') { exclude module: 'groovy-all' }
+ testImplementation ('org.wiremock:wiremock:3.13.2') { exclude module: 'groovy-all' }
 testImplementation(testFixtures(project(":nextflow")))
 }
diff --git a/plugins/nf-amazon/build.gradle b/plugins/nf-amazon/build.gradle
index 388512f533..101332bc04 100644
--- a/plugins/nf-amazon/build.gradle
+++ b/plugins/nf-amazon/build.gradle
@@ -48,40 +48,30 @@ sourceSets {
 configurations {
 // see https://docs.gradle.org/4.1/userguide/dependency_management.html#sub:exclude_transitive_dependencies
 runtimeClasspath.exclude group: 'org.slf4j', module: 'slf4j-api'
+ testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'
 }

 dependencies {
- // Force patched Netty across all configurations (incl. testRuntimeClasspath, where
- // a transitive fixture would otherwise escalate to 4.2.x).
- // Addresses GHSA-pwqr-wmgm-9rr8 (netty-codec-http HTTP Request Smuggling)
- // and GHSA-w9fj-cfpg-grvv (netty-codec-http2 CONTINUATION Frame Flood DoS).
- constraints {
- implementation('io.netty:netty-buffer') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-common') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-handler') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-codec-http') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-codec-http2') { version { strictly '4.1.132.Final' } }
- }

 compileOnly project(':nextflow')
 compileOnly 'org.slf4j:slf4j-api:2.0.17'
 compileOnly 'org.pf4j:pf4j:3.14.1'

 api ('javax.xml.bind:jaxb-api:2.4.0-b180830.0359')
- api ('software.amazon.awssdk:s3:2.33.2')
- api ('software.amazon.awssdk:ec2:2.33.2')
- api ('software.amazon.awssdk:batch:2.33.2')
- api ('software.amazon.awssdk:iam:2.33.2')
- api ('software.amazon.awssdk:ecs:2.33.2')
- api ('software.amazon.awssdk:cloudwatchlogs:2.33.2')
- api ('software.amazon.awssdk:codecommit:2.33.2')
- api ('software.amazon.awssdk:sts:2.33.2')
- api ('software.amazon.awssdk:ses:2.33.2')
- api ('software.amazon.awssdk:sso:2.33.2')
- api ('software.amazon.awssdk:ssooidc:2.33.2')
- api ('software.amazon.awssdk:s3-transfer-manager:2.33.2')
- api ('software.amazon.awssdk:apache-client:2.33.2')
- api ('software.amazon.awssdk:aws-crt-client:2.33.2')
+ api ('software.amazon.awssdk:s3:2.42.41')
+ api ('software.amazon.awssdk:ec2:2.42.41')
+ api ('software.amazon.awssdk:batch:2.42.41')
+ api ('software.amazon.awssdk:iam:2.42.41')
+ api ('software.amazon.awssdk:ecs:2.42.41')
+ api ('software.amazon.awssdk:cloudwatchlogs:2.42.41')
+ api ('software.amazon.awssdk:codecommit:2.42.41')
+ api ('software.amazon.awssdk:sts:2.42.41')
+ api ('software.amazon.awssdk:ses:2.42.41')
+ api ('software.amazon.awssdk:sso:2.42.41')
+ api ('software.amazon.awssdk:ssooidc:2.42.41')
+ api ('software.amazon.awssdk:s3-transfer-manager:2.42.41')
+ api ('software.amazon.awssdk:apache-client:2.42.41')
+ api ('software.amazon.awssdk:aws-crt-client:2.42.41')

 testImplementation(testFixtures(project(":nextflow")))
 testImplementation project(':nextflow')
diff --git a/plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3Client.java b/plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3Client.java
index 5a59b61c2a..205a16de35 100644
--- a/plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3Client.java
+++ b/plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3Client.java
@@ -21,6 +21,7 @@
 import java.io.InputStream;
 import java.io.InterruptedIOException;
 import java.nio.file.*;
+import java.nio.file.AccessDeniedException;
 import java.nio.file.attribute.BasicFileAttributes;
 import java.util.EnumSet;
 import java.util.Queue;
diff --git a/plugins/nf-azure/build.gradle b/plugins/nf-azure/build.gradle
index 6f09af8183..567f493262 100644
--- a/plugins/nf-azure/build.gradle
+++ b/plugins/nf-azure/build.gradle
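Review bot: With the `strictly` constraints and the earlier `// address security vulnerabilities` pins gone, the Netty version on this plugin's runtime classpath is now whatever the AWS SDK 2.42.41 artifacts resolve transitively, and nothing in the build records or checks that it is at or above 4.1.132.Final, the level the removed comment tied to GHSA-pwqr-wmgm-9rr8 and GHSA-w9fj-cfpg-grvv. Keep that knowledge next to the `api` block, `// Netty comes transitively from the AWS SDK; keep the SDK at a release whose Netty is >= 4.1.132.Final (GHSA-pwqr-wmgm-9rr8, GHSA-w9fj-cfpg-grvv)`, and consider a `check`-time task that resolves `runtimeClasspath`, looks up `io.netty:netty-codec-http`, and fails when its numeric version components fall below that, so a later SDK bump or a new transitive cannot silently regress it. The new `testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'` also needs a one-line comment saying it exists because the nextflow test fixtures would otherwise lift Netty to 4.2.x in tests; that rationale lived only in the comment this hunk deletes. I would confirm the resolved version once with `dependencyInsight --dependency io.netty:netty-codec-http --configuration runtimeClasspath` and note the result in the PR description.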
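Review bot: The new `import java.nio.file.AccessDeniedException;` sits directly under `import java.nio.file.*;`, so as written it is redundant and an IDE optimize-imports pass will delete it. If it is there to break an ambiguity, most likely a same-named `AccessDeniedException` that another on-demand import in this file now provides (an AWS SDK model package, I would guess, given the 2.42.41 upgrade in the same commit), then the single-type import is the right fix but needs a comment so it survives: `// single-type import wins over the on-demand imports: disambiguates from a same-named SDK exception`. If there is no such ambiguity the line can simply be dropped. The rest of S3Client's import block and its body lie outside this hunk.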
@@ -47,22 +47,10 @@ sourceSets {
 configurations {
 // see https://docs.gradle.org/4.1/userguide/dependency_management.html#sub:exclude_transitive_dependencies
 runtimeClasspath.exclude group: 'org.slf4j', module: 'slf4j-api'
+ testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'
 }

 dependencies {
- // Force patched Netty across all configurations (incl. testRuntimeClasspath, where
- // a transitive fixture would otherwise escalate to 4.2.x).
- // Addresses GHSA-pwqr-wmgm-9rr8 (netty-codec-http HTTP Request Smuggling)
- // and GHSA-w9fj-cfpg-grvv (netty-codec-http2 CONTINUATION Frame Flood DoS).
- // netty-buffer must be pinned alongside the rest -- leaving it at 4.2.x
- // (via Micronaut BOM) causes ABI mismatch in AbstractByteBufAllocator.
- constraints {
- implementation('io.netty:netty-buffer') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-common') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-handler') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-codec-http') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-codec-http2') { version { strictly '4.1.132.Final' } }
- }

 compileOnly project(':nextflow')
 compileOnly 'org.slf4j:slf4j-api:2.0.17'
diff --git a/plugins/nf-codecommit/build.gradle b/plugins/nf-codecommit/build.gradle
index 468ea3a580..9d027a1f48 100644
--- a/plugins/nf-codecommit/build.gradle
+++ b/plugins/nf-codecommit/build.gradle
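Review bot: The removed comment block was the only record of why netty-buffer had to stay version-aligned with the other Netty modules (the ABI mismatch in `AbstractByteBufAllocator` when the Micronaut BOM lifts it to 4.2.x); the new `testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'` is the mechanism that now prevents that, but it is uncommented and will look arbitrary to the next reader. Add `// keep the Micronaut BOM (pulled in by the nextflow test fixtures) off the test classpath: it would lift Netty to 4.2.x and mismatch the 4.1.x line the Azure SDK ships against` above it. Unlike the AWS plugins this hunk changes no Azure SDK versions, so the Netty this plugin ships with in production is whatever `azure-storage-blob` and `azure-identity` (bumped in the first patch of this series) bring transitively; with the GHSA references gone from the file, it is worth confirming via `dependencyInsight --dependency io.netty:netty-codec-http2 --configuration runtimeClasspath` that it is at or above 4.1.132.Final and recording that in a comment.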
@@ -43,29 +43,19 @@ sourceSets {
 configurations {
 // see https://docs.gradle.org/4.1/userguide/dependency_management.html#sub:exclude_transitive_dependencies
 runtimeClasspath.exclude group: 'org.slf4j', module: 'slf4j-api'
+ testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'
 }

 dependencies {
- // Force patched Netty across all configurations (incl. testRuntimeClasspath, where
- // a transitive fixture would otherwise escalate to 4.2.x).
- // Addresses GHSA-pwqr-wmgm-9rr8 (netty-codec-http HTTP Request Smuggling)
- // and GHSA-w9fj-cfpg-grvv (netty-codec-http2 CONTINUATION Frame Flood DoS).
- constraints {
- implementation('io.netty:netty-buffer') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-common') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-handler') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-codec-http') { version { strictly '4.1.132.Final' } }
- implementation('io.netty:netty-codec-http2') { version { strictly '4.1.132.Final' } }
- }

 compileOnly project(':nextflow')
 compileOnly 'org.slf4j:slf4j-api:2.0.17'
 compileOnly 'org.pf4j:pf4j:3.14.1'
 api ('javax.xml.bind:jaxb-api:2.4.0-b180830.0359')
- api ('software.amazon.awssdk:codecommit:2.31.64')
- api ('software.amazon.awssdk:sso:2.31.64')
- api ('software.amazon.awssdk:ssooidc:2.31.64')
+ api ('software.amazon.awssdk:codecommit:2.42.41')
+ api ('software.amazon.awssdk:sso:2.42.41')
+ api ('software.amazon.awssdk:ssooidc:2.42.41')

 testImplementation(testFixtures(project(":nextflow")))
 testImplementation project(':nextflow')
From 4f91099badfb1f7a11b5ff6e84c48db8e4af27e9 Mon Sep 17 00:00:00 2001
From: Paolo Di Tommaso
Date: Wed, 6 May 2026 09:32:45 +0200
Subject: [PATCH 3/5] Apply suggestion from @pditommaso [ci skip]

Signed-off-by: Paolo Di Tommaso
---
 plugins/nf-amazon/build.gradle | 1 -
 1 file changed, 1 deletion(-)
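Review bot: `codecommit`, `sso` and `ssooidc` jump from 2.31.64 to 2.42.41 here, and since the `runtimeOnly 'io.netty:netty-codec-http:4.1.132.Final'` override was already dropped in the first patch, this plugin's Netty is now entirely determined by the SDK release; nf-amazon and nf-codecommit happen to agree on 2.42.41, but nothing ties them together, so a comment on the `api` lines such as `// keep in sync with plugins/nf-amazon/build.gradle (same SDK release, hence same transitive Netty)` would stop them drifting on the next bump. As in the other two plugins, the new `testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'` should say why it exists (the nextflow test fixtures would otherwise bring Netty 4.2.x into the test classpath), because the comment that carried that rationale is deleted in this same hunk. The `dependencies {` block continues past the end of the hunk.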
diff --git a/plugins/nf-amazon/build.gradle b/plugins/nf-amazon/build.gradle
index 101332bc04..44f348d393 100644
--- a/plugins/nf-amazon/build.gradle
+++ b/plugins/nf-amazon/build.gradle
@@ -52,7 +52,6 @@ configurations {
 }

 dependencies {
-
 compileOnly project(':nextflow')
 compileOnly 'org.slf4j:slf4j-api:2.0.17'
 compileOnly 'org.pf4j:pf4j:3.14.1'
From 27f94ead7c7067305ecda4c6cad4916af75dc58f Mon Sep 17 00:00:00 2001
From: Paolo Di Tommaso
Date: Wed, 6 May 2026 09:33:05 +0200
Subject: [PATCH 4/5] Apply suggestion from @pditommaso [ci skip]

Signed-off-by: Paolo Di Tommaso
---
 plugins/nf-azure/build.gradle | 1 -
 1 file changed, 1 deletion(-)

diff --git a/plugins/nf-azure/build.gradle b/plugins/nf-azure/build.gradle
index 567f493262..49e1e4e37b 100644
--- a/plugins/nf-azure/build.gradle
+++ b/plugins/nf-azure/build.gradle
@@ -51,7 +51,6 @@ configurations {
 }

 dependencies {
-
 compileOnly project(':nextflow')
 compileOnly 'org.slf4j:slf4j-api:2.0.17'
 compileOnly 'org.pf4j:pf4j:3.14.1'
From 241563ccc896bc5f95f67928732221b1d0421f6b Mon Sep 17 00:00:00 2001
From: Paolo Di Tommaso
Date: Wed, 6 May 2026 09:33:26 +0200
Subject: [PATCH 5/5] Apply suggestion from @pditommaso [ci skip]

Signed-off-by: Paolo Di Tommaso
---
 plugins/nf-codecommit/build.gradle | 1 -
 1 file changed, 1 deletion(-)

diff --git a/plugins/nf-codecommit/build.gradle b/plugins/nf-codecommit/build.gradle
index 9d027a1f48..c17300dd68 100644
--- a/plugins/nf-codecommit/build.gradle
+++ b/plugins/nf-codecommit/build.gradle
@@ -47,7 +47,6 @@ configurations {
 }

 dependencies {
-
 compileOnly project(':nextflow')
 compileOnly 'org.slf4j:slf4j-api:2.0.17'
 compileOnly 'org.pf4j:pf4j:3.14.1'