fix(deps): patch Dependabot CVEs — high/medium/low severity#209

Open
vinodbhorge wants to merge 2 commits into master from Vulnerability-fixes

Conversation

@vinodbhorge vinodbhorge commented Apr 24, 2026


Summary

  • CVE-2026-35554 (HIGH, CVSS 8.7): kafka-clients 3.9.1 → 3.9.2; kafka_2.13 direct dep bumped to align
  • CVE-2023-1370 (HIGH, CVSS 7.5): net.minidev:json-smart pinned ≥ 2.4.9 via root dependencyManagement
  • CVE-2025-66566 (HIGH): at.yawk.lz4:lz4-java 1.10.4 added explicitly to analytics-job-driver (already present in other modules)
  • CVE-2026-34477/34478/34480/34479 (MEDIUM): log4j-core, log4j-api, log4j-1.2-api bumped 2.25.3 → 2.25.4
  • CVE-2021-34429 (MEDIUM, CVSS 5.3): jetty-webapp 9.4.57 pinned via dependencyManagement (satisfies patched ≥ 9.4.43)
  • jackson-core GHSA (MEDIUM): compile-time version 2.15.4 → 2.19.0 (patched=2.18.6 not yet on Maven Central; 2.19.0 is next safe release). jackson-module-scala also upgraded to 2.19.0 in dependencyManagement to resolve transitive conflict with cloud-storage-sdk-aws.
  • CVE-2024-23454 (LOW, CVSS 3.3): hadoop.version 3.3.4 → 3.4.3 (all hadoop deps are provided scope)
  • LOW (jetty-xml): jetty-xml 9.4.57 pinned via dependencyManagement (satisfies patched ≥ 9.4.52)

Cannot fix (patch not yet released on Maven Central)

| CVE | Package | Patched version | Reason |
|---|---|---|---|
| CVE-2026-2332 (HIGH, 7.4) | jetty-http | 9.4.60 | Not released on Maven Central (latest: 9.4.57) |
| CVE-2025-67721 (HIGH) | aircompressor | 2.0.3 | Not released on Maven Central (latest: 2.0.2) |
| CVE-2024-6763 (MED, 3.7) | jetty-http | 12.0.12 | Requires Jetty major upgrade — incompatible with Spark 3.5.x (bundles Jetty 9.x) |
| CVE-2025-11143 (LOW) | jetty-http | none | No patch available |

Runtime action needed

  • hadoop-common (CVE-2024-23454): provided scope — cluster/container must supply hadoop-common >= 3.4.0 for the fix to take effect at runtime.
  • jackson-core GHSA: Spark 3.5.8 bundles Jackson 2.15.4 at runtime (still in vulnerable range). Fully remediating requires a Spark upgrade.

Test plan

  • analytics-core build: SUCCESS
  • analytics-core tests: 72/73 pass (1 pre-existing AWS credentials failure — TestFrameworkContext)
  • analytics-job-driver build: SUCCESS
  • analytics-job-driver tests: 12/13 pass (1 pre-existing AWS credentials failure — TestJobDriver2)
  • batch-models build: SUCCESS
  • batch-models tests: 19/19 pass
  • Full root build (mvn clean install -DskipTests): SUCCESS
  • TestDatasetUtil updated: Hadoop 3.4.x throws Error (not Exception) for missing Azure filesystem class — added case _: Error branch
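A runtime check for the "Runtime action needed" caveat above, added here as an example and not part of this PR or the project: it scans a jars/ directory (for instance the Spark distribution or the cluster's Hadoop classpath) for the artifacts this PR pins and reports any still below the minimum versions given in the summary. The version map is taken from the PR text; the sample jar names are constructed, not a real listing.

```python
"""Check a runtime jars/ directory (Spark, Hadoop cluster) against the minimum
fixed versions this PR relies on. Added example, not part of the project."""
import re
from pathlib import Path

# Minimum fixed versions from the PR summary; runtime jars must meet them,
# since compile-time pins do nothing for provided-scope or Spark-bundled jars.
MIN_VERSIONS = {
    "hadoop-common": "3.4.0",
    "jackson-core": "2.19.0",
    "kafka-clients": "3.9.2",
    "log4j-core": "2.25.4",
    "json-smart": "2.4.9",
    "jetty-webapp": "9.4.43",
    "jetty-xml": "9.4.52",
    "lz4-java": "1.10.4",
}

# "<artifact>-<version>.jar": the version starts at the first "-<digit>".
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar$")

def parse_version(v):
    """Numeric-aware key: 9.4.57 > 9.4.9; qualifiers like v20241219 count as 0."""
    parts = re.split(r"[-+]", v)[0].split(".")
    return tuple(int(p) if p.isdigit() else 0 for p in parts)

def find_below_minimum(jar_names):
    """Return {artifact: version} for tracked jars older than their minimum."""
    below = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        minimum = MIN_VERSIONS.get(artifact)
        if minimum and parse_version(version) < parse_version(minimum):
            below[artifact] = version
    return below

def scan_dir(path):
    """Run the check over every *.jar in a directory, e.g. $SPARK_HOME/jars."""
    return find_below_minimum(p.name for p in Path(path).glob("*.jar"))

# Constructed listing (not a real directory) illustrating the runtime caveat.
SAMPLE_JARS = [
    "hadoop-common-3.3.4.jar",            # below 3.4.0: flagged
    "jackson-core-2.15.4.jar",            # Spark-bundled, still vulnerable
    "kafka-clients-3.9.2.jar",            # patched
    "jetty-webapp-9.4.57.v20241219.jar",  # 9.4.57 >= 9.4.43: ok
    "spark-core_2.13-3.5.8.jar",          # not tracked, ignored
]
```

Running `scan_dir` against the cluster's actual jar directory is what confirms the hadoop-common and jackson-core items above are really remediated at runtime.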

vinodbhorge and others added 2 commits April 24, 2026 12:37
- CVE-2026-35554 (HIGH, 8.7): kafka-clients 3.9.1→3.9.2 (analytics-core direct; dependencyManagement for transitive)
- CVE-2023-1370 (HIGH, 7.5): net.minidev:json-smart pinned ≥2.4.9 via dependencyManagement
- CVE-2025-66566 (HIGH): at.yawk.lz4:lz4-java explicit 1.10.4 added to analytics-job-driver
- CVE-2026-34477/78/79/80 (MED): log4j-core/api/1.2-api 2.25.3→2.25.4
- CVE-2021-34429 (MED): jetty-webapp 9.4.57 pinned via dependencyManagement
- jackson-core GHSA (MED): compile-time version 2.15.4→2.19.0 (runtime Spark-provided still 2.15.4)
- CVE-2024-23454 (LOW): hadoop.version 3.3.4→3.4.3 (provided scope; cluster must supply ≥3.4.0)
- LOW: jetty-xml 9.4.57 pinned via dependencyManagement

Cannot fix (version not on Maven Central):
- CVE-2026-2332: jetty-http 9.4.60 not yet released
- CVE-2025-67721: aircompressor 2.0.3 not yet released
- CVE-2024-6763: requires Jetty 12 (Spark 3.5.x bundles Jetty 9.x)
- CVE-2025-11143: no patch available

Test: TestDatasetUtil updated for Hadoop 3.4.x Error vs Exception behavior change

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ement

cloud-storage-sdk-aws brings jackson-module-scala_2.13:2.16.2 transitively,
which conflicts with jackson-databind 2.19.0 (requires < 2.17.0). Override
via dependencyManagement to align with jackson.version=2.19.0.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>