fix(security): cherry-pick CRITICAL/HIGH dep bumps to 1.12.7 #27996
Conversation
The Python checkstyle failed. Please run You can install the pre-commit hooks with
Update: pre-existing 1.12.7 SDK test discovery bug + fix
The Reproduction on
… CVEs (#27940)

* fix(security): upgrade Java dependencies to resolve CRITICAL and HIGH CVEs
  - jetty-http: 12.1.6 → 12.1.7 (HTTP Request Smuggling, CRITICAL)
  - bcpkix/bcprov/bcutil-jdk18on: 1.80 → 1.84 (Crypto Signature Bypass + Timing Attack)
  - postgresql: 42.7.7 → 42.7.11 (SCRAM-SHA-256 DoS)
  - httpcore5-h2: pinned to 5.3.5 (HTTP/2 stream reset DoS)
  - commons-compress: pinned to 1.26.0 (Infinite Loop DoS)
  - jackson-core: 2.18.6 → 2.19.0 (async parser resource exhaustion)
  - maven-shade-plugin: 3.5.1 → 3.6.0 (supports Java 22 MR-JAR in jackson-core 2.19.0)
  - openapi-generator template override: jackson-version 2.17.1 → 2.19.0 in generated swagger pom

* fix(security): upgrade spring-web 6.2.11 → 6.2.18

* fix(security): align jackson-dataformat-yaml, feign, gson, logback versions
  - jackson-dataformat-yaml: 2.17.2 → ${jackson.version} (2.19.0)
  - feign-core: 13.2.1 → 13.5 (in openapi-gen template)
  - gson: 2.10.1 → 2.11.0 (in openapi-gen template)
  - logback-classic: 1.3.13 → 1.5.25 (in openapi-gen template)

* fix(security): use jackson 2.18.7 — highest clean 2.x with full ecosystem
  2.19.0-2.21.0 all carry a HIGH (CVSS 8.7) vulnerability per Sonatype. 2.18.7 is the latest clean patch where all Jackson modules are released.

* fix(security): remove hardcoded jackson 2.17.2 override in k8s-operator, inherit 2.18.7 from root

* fix(security): upgrade gson 2.11.0 → 2.13.1 (Medium CVE)

* fix(security): replace 436-line pom.mustache with minimal stub
  The openapi-generator-maven-plugin writes target/generated-sources/swagger/pom.xml at build time with hardcoded jackson 2.17.1. Snyk --all-projects picks up every pom.xml on disk and flags it as HIGH. The generated pom.xml is never packaged into any JAR or Docker image — it is a generator artefact. The actual runtime jackson version comes from the module pom inheriting jackson.version=2.18.7 from the root.
  Replace the 436-line verbatim upstream template (maintained just to change 2 version lines) with a 10-line coordinate-only stub. The generated pom.xml will have no <dependencies> block, so Snyk finds nothing to flag.
…n /openmetadata-service (#25523)

* Chore(deps): Bump ch.qos.logback:logback-core in /openmetadata-service
  Bumps [ch.qos.logback:logback-core](https://github.com/qos-ch/logback) from 1.5.19 to 1.5.25.
  - [Release notes](https://github.com/qos-ch/logback/releases)
  - [Commits](qos-ch/logback@v_1.5.19...v_1.5.25)
  ---
  updated-dependencies:
  - dependency-name: ch.qos.logback:logback-core
    dependency-version: 1.5.25
    dependency-type: direct:production
  ...
  Signed-off-by: dependabot[bot] <support@github.com>

* Updated logback-classic.version to 1.5.25 in both

---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sriharsha Chintalapani <harshach@users.noreply.github.com>
Co-authored-by: Ajith Prasad <37380177+aji-aju@users.noreply.github.com>
Co-authored-by: sonika-shah <58761340+sonika-shah@users.noreply.github.com>
The SDK pom hard-pinned junit.version=5.9.3, but the parent's junit-bom 5.11.4
in dependencyManagement overrides transitive deps to junit-platform-commons
1.11.4. junit-platform-commons 1.11 made ReflectionUtils.returnsVoid(Method)
non-public, while junit-jupiter-engine 5.9.3 still calls it publicly, triggering
JUnitException: TestEngine 'junit-jupiter' failed to discover tests
This is a pre-existing 1.12.7 bug — same dep tree on origin/1.12.7 fails the
same way locally. The bare-branch CI never ran the unit-test workflow (it only
fires on pull_request events), so the bug stayed latent until this PR.
Match what main does: derive junit.version from the parent's
${org.junit.jupiter.version} so direct + transitive deps stay aligned.
Verified: 195 SDK tests pass, 0 failures.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…override

The cherry-pick from main pinned commons-compress to 1.26.0 in the root pom, but openmetadata-mcp/pom.xml on 1.12.7 already declares 1.27.1 (added by "Fix Vulnerabilities" #22805 — a 1.12.7-only fix that never landed on main).

Maven gives a child module's <dependencyManagement> precedence over the parent within that module's resolution, so the published JARs would have:
- openmetadata-mcp: commons-compress 1.27.1 (child wins)
- all other modules: commons-compress 1.26.0 (parent)

Bump the parent pin to 1.27.1 to eliminate the skew. 1.27.1 carries all the fixes from 1.26.0 (the Infinite Loop DoS this pin was originally added for), plus additional patches.

Backend Maven build verified (mvn clean install -DskipTests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Force-pushed from 4178f74 to 1ad074d.
Code Review ✅ Approved (1 resolved / 1 finding)

Cherry-picks critical security dependency upgrades including Jetty, PostgreSQL, BouncyCastle, and Jackson to resolve multiple high-severity vulnerabilities. Conflicts with the child module commons-compress versioning were successfully resolved.

✅ 1 resolved
- Quality: commons-compress pinned at 1.26.0 conflicts with child module
Summary

Cherry-picks the security dependency bumps from main that are missing on 1.12.7. Addresses the May 8 2026 Snyk scan against 1.12.7. Backend Maven build verified locally (mvn clean install -DskipTests passes).

- fix(security): upgrade Java dependencies to resolve CRITICAL and HIGH CVEs (#27940) (cherry-pick of 339b3dfb18 from main)
- Chore(deps): Bump ch.qos.logback:logback-core from 1.5.19 to 1.5.25 in /openmetadata-service (#25523) (cherry-pick of 6724762eb7 from main)

Vulnerabilities resolved (9 of 29 from the 1.12.7 Snyk report)

- org.eclipse.jetty:jetty-http (root pom)
- org.postgresql:postgresql
- org.bouncycastle:bcprov-jdk18on
- org.eclipse.angus:smtp
- org.bouncycastle:bcprov-jdk18on
- org.bouncycastle:bcpkix-jdk18on
- com.fasterxml.jackson.core:jackson-core
- ch.qos.logback:logback-core
- ch.qos.logback:logback-core

Other library bumps included (not security-flagged on 1.12.7 but came along with the cherry-pick)

These are part of the original 339b3dfb18 security PR on main. Listed for transparency:
- gson 2.11.0 → 2.13.1
- spring 6.2.11 → 6.2.18
- httpcore5-h2 5.3.5, commons-compress 1.26.0
- logback-classic 1.5.18 → 1.5.25 (paired with logback-core)

Conflict resolutions

- (pom.xml:76): 1.12.7 was at 2.17.2, cherry-pick targets 2.18.7. Took the cherry-pick's value to satisfy GHSA-72hv-8253-57qq. The 2.17.2 → 2.18.7 jump is the same delta main absorbed.
- org.junit.platform.version property (pom.xml:113): the cherry-pick removes this unused property. Verified via git grep '${org.junit.platform.version}' that nothing on 1.12.7 references it. Safe to drop.
- (openmetadata-service/pom.xml:34): 1.12.7 was already at 12.1.7 (newer than the cherry-pick's 12.1.1). Kept the newer value.

Still open on 1.12.7 (out of scope for this PR — separate follow-ups)

- netty-bom 4.1.132 → 4.1.133. Tracked on main in #27994; cherry-pick to 1.12.7 once it merges.
- jsonschema2pojo 1.2.2 → 1.3.0 (CVE-2025-3588) — covered by #27994.
- azure-identity 1.14.0 → 1.15.2 (CVE-2024-35255) — covered by #27994.
- awssdk:cloudfront (GHSA-443w-3rq3-5m5h) — needs separate verification of awssdk version.
- reactor-netty-http 1.2.14 (CVE-2025-22227) — needs separate verification.
- lcms2 (CVE-2026-41254) — Alpine OS package, handled by Docker apk upgrade, not Maven.
- jgit (CVE-2025-4949) and MED eddsa (CVE-2020-36843) — confirmed via chore(security): bump deps to address reported CVEs #27994's PR description not in OpenMetadata's Maven tree (likely Airflow base image or stale scan).

Test plan

- mvn clean install -DskipTests -pl '!openmetadata-ui,!openmetadata-ui-core-components' -am
- mvn dependency:tree confirms resolved versions:
  - jetty-http → 12.1.7
  - postgresql → 42.7.11
  - bc{pkix,prov,util}-jdk18on → 1.84
  - jackson-core → 2.18.7
  - logback-{core,classic} → 1.5.25

🤖 Generated with Claude Code
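The test plan above verifies the resolved versions by eye from `mvn dependency:tree`, and the commons-compress commit earlier in this PR shows why that is not enough: a child module's `<dependencyManagement>` can silently resolve a different version than the parent pin. The script below is an added example written for this page, not code from the PR or from OpenMetadata. It parses `mvn dependency:tree` output, checks every flagged artifact against a version floor in every reactor module, and reports artifacts that resolve to different versions across modules. The tree text, the module names and the floors are constructed for the example (the floors are the versions listed in this PR, with commons-compress at the 1.27.1 parent pin from the follow-up commit); feed it a real `mvn dependency:tree` log to use it on a checkout.

```python
"""Audit `mvn dependency:tree` output after a security dependency bump.

Two checks a reviewer of a cherry-picked version bump wants to see:
  1. every flagged artifact resolves at or above its required floor in every module;
  2. no artifact resolves to different versions in different modules (the
     parent-vs-child <dependencyManagement> skew commons-compress showed).
"""
import re
from collections import defaultdict

# Header that `mvn dependency:tree` prints once per reactor module.
MODULE_RE = re.compile(r"^\[INFO\] --- [^@]+@ (?P<module>[\w.-]+) ---")
# One resolved coordinate, group:artifact:type[:classifier]:version:scope,
# after the tree-drawing prefix (`+- `, `|  \- `, `\- `).
DEP_RE = re.compile(
    r"^\[INFO\] (?:[|+\\ -]+)?"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):[\w-]+"
    r"(?::[\w.-]+)?:(?P<version>\d[\w.-]*):(?P<scope>[a-z]+)"
)

# Version floors taken from this PR's resolved-version list (assumed for the example);
# commons-compress uses the 1.27.1 parent pin from the follow-up commit.
MINIMUMS = {
    "org.eclipse.jetty:jetty-http": "12.1.7",
    "org.postgresql:postgresql": "42.7.11",
    "org.bouncycastle:bcprov-jdk18on": "1.84",
    "com.fasterxml.jackson.core:jackson-core": "2.18.7",
    "ch.qos.logback:logback-core": "1.5.25",
    "org.apache.commons:commons-compress": "1.27.1",
}

# Constructed sample output (not a real build log): the tree *before* the parent
# pin was bumped, so openmetadata-service still resolves commons-compress 1.26.0.
SAMPLE_TREE = r"""
[INFO] --- dependency:3.6.1:tree (default-cli) @ openmetadata-service ---
[INFO] org.open-metadata:openmetadata-service:jar:1.12.7
[INFO] +- org.eclipse.jetty:jetty-http:jar:12.1.7:compile
[INFO] +- org.postgresql:postgresql:jar:42.7.11:compile
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.84:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.18.7:compile
[INFO] +- ch.qos.logback:logback-core:jar:1.5.25:compile
[INFO] \- org.apache.commons:commons-compress:jar:1.26.0:compile
[INFO] --- dependency:3.6.1:tree (default-cli) @ openmetadata-mcp ---
[INFO] org.open-metadata:openmetadata-mcp:jar:1.12.7
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.18.7:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.18.7:compile
[INFO] \- org.apache.commons:commons-compress:jar:1.27.1:compile
"""


def version_key(version: str) -> tuple:
    """Numeric sort key: '1.27.1' -> (1, 27, 1). Non-numeric parts such as 'rc1' sort as -1.
    A plain string comparison would rank 1.5.3 above 1.5.25; this does not."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.-]", version))


def parse_dependency_tree(text: str) -> dict:
    """Map module -> {'group:artifact': set of resolved versions}."""
    resolved = defaultdict(lambda: defaultdict(set))
    module = None
    for line in text.splitlines():
        header = MODULE_RE.match(line)
        if header:
            module = header.group("module")
            continue
        dep = DEP_RE.match(line)
        if dep and module:
            resolved[module][f"{dep['group']}:{dep['artifact']}"].add(dep["version"])
    return {mod: dict(deps) for mod, deps in resolved.items()}


def check_minimums(resolved: dict, minimums: dict) -> list:
    """List (module, artifact, resolved, required) for every version below its floor."""
    findings = []
    for module, deps in sorted(resolved.items()):
        for artifact, versions in sorted(deps.items()):
            floor = minimums.get(artifact)
            if floor is None:
                continue
            for version in sorted(versions):
                if version_key(version) < version_key(floor):
                    findings.append((module, artifact, version, floor))
    return findings


def find_skew(resolved: dict) -> dict:
    """Map artifact -> {module: [versions]} for artifacts resolved differently across modules."""
    per_artifact = defaultdict(dict)
    for module, deps in resolved.items():
        for artifact, versions in deps.items():
            per_artifact[artifact][module] = sorted(versions)
    return {
        artifact: modules
        for artifact, modules in per_artifact.items()
        if len({v for vs in modules.values() for v in vs}) > 1
    }


if __name__ == "__main__":
    tree = parse_dependency_tree(SAMPLE_TREE)
    for module, artifact, version, floor in check_minimums(tree, MINIMUMS):
        print(f"BELOW FLOOR  {module}: {artifact} {version} < {floor}")
    for artifact, modules in find_skew(tree).items():
        print(f"SKEW         {artifact}: {modules}")
```

On the constructed tree this reports commons-compress 1.26.0 in openmetadata-service as below the 1.27.1 floor and flags the 1.26.0/1.27.1 split across the two modules, which is exactly the skew the parent-pin bump removes. Run it against `mvn dependency:tree` captured over the whole reactor (not a single `-pl` module) so child overrides are visible.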
Summary by Gitar

- jackson, gson, logback, and jetty versions in root pom.xml.
- httpcore5-h2, commons-compress, and bouncycastle libraries.
- junit-jupiter and junit-platform versions in openmetadata-sdk.
- maven-shade-plugin to 3.6.0 in elasticsearch-dep and opensearch-dep.
- openmetadata-java-client.