From a6a2a3c868069b87b878c94417047c7942e3e0f9 Mon Sep 17 00:00:00 2001
From: Vastin <3690049+vastin@users.noreply.github.com>
Date: Fri, 26 Jun 2026 18:55:53 +0000
Subject: [PATCH] Bump jackson-bom to 2.21.4 to fix CVE-2026-54512/54513/54514/54516/54517/54518

jackson-databind 2.21.4 fixes 6 CVEs detected by the Trivy image scan. CVE-2026-54515 is suppressed as no fix exists in the 2.21.x line yet (Trivy DB references 2.21.5 which has not been released). Also removes expired Netty CVE suppressions (already fixed by the 4.1.135.Final bump in #1389).
---
 .github/trivy/daily-scan.trivyignore.yaml | 15 +++------------
 .github/trivy/pr-build.trivyignore.yaml | 15 +++------------
 dependencyManagement/build.gradle.kts | 2 +-
 3 files changed, 7 insertions(+), 25 deletions(-)
diff --git a/.github/trivy/daily-scan.trivyignore.yaml b/.github/trivy/daily-scan.trivyignore.yaml
index 195bc4c643..9d34e2af17 100644
--- a/.github/trivy/daily-scan.trivyignore.yaml
+++ b/.github/trivy/daily-scan.trivyignore.yaml
@@ -11,15 +11,6 @@
 # expired_at:
 vulnerabilities:
- - id: CVE-2026-41417
- statement: "Netty request-line validation bypass via setUri() enables CRLF injection/request smuggling. Low risk for ADOT Java agent (URIs are operator-configured, no attacker-controlled input reaches setUri()). Fix: bump netty-bom to 4.1.133.Final. https://nvd.nist.gov/vuln/detail/CVE-2026-41417"
- expired_at: 2026-05-22
- - id: CVE-2026-42583
- statement: "Netty Lz4FrameDecoder resource exhaustion. Fix: bump netty-bom to 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42583"
- expired_at: 2026-05-22
- - id: CVE-2026-42584
- statement: "Netty HttpClientCodec response desynchronization. Fix: bump netty-bom to 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42584"
- expired_at: 2026-05-22
- - id: CVE-2026-42587
- statement: "Netty HttpContentDecompressor maxAllocation bypass with br/zstd/snappy Content-Encoding leads to decompression bomb. Fix: bump netty-bom to 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42587"
- expired_at: 2026-05-22
+ - id: CVE-2026-54515
+ statement: "jackson-databind vulnerability. No fix available in 2.21.x yet (Trivy DB lists 2.21.5 which has not been released). https://avd.aquasec.com/nvd/cve-2026-54515"
+ expired_at: 2026-07-31
diff --git a/.github/trivy/pr-build.trivyignore.yaml b/.github/trivy/pr-build.trivyignore.yaml
index 0c5e7fd3e5..3a9eb06828 100644
--- a/.github/trivy/pr-build.trivyignore.yaml
+++ b/.github/trivy/pr-build.trivyignore.yaml
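Review bot: The new CVE-2026-54515 entry carries no impact assessment — its statement is just "jackson-databind vulnerability." — whereas the Netty entries it replaces spelled out why the vulnerable path was unreachable for the ADOT Java agent, and that rationale is what makes a suppression reviewable and auditable later. The statement should at least name the vulnerability class from the advisory and say whether the agent feeds attacker-influenced JSON into jackson-databind on that path (the advisory, not this diff, determines that), e.g. `statement: "jackson-databind <vulnerability class per advisory>. Impact for ADOT Java agent: <reachable or not, and why>. Fix: bump jackson-bom to 2.21.5 once released (Trivy DB already lists it as the fixed version). https://avd.aquasec.com/nvd/cve-2026-54515"`. If the affected path turns out to be reachable, the finding should be tracked as an open risk rather than silenced in the daily scan until 2026-07-31. One leading context line of the hunk appears to have been lost in this rendering, so the surrounding template comments are not fully visible here.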
@@ -9,15 +9,6 @@
 # expired_at:
 vulnerabilities:
- - id: CVE-2026-41417
- statement: "Netty request-line validation bypass via setUri() enables CRLF injection/request smuggling. Low risk for ADOT Java agent (URIs are operator-configured, no attacker-controlled input reaches setUri()). Fix: bump netty-bom to 4.1.133.Final. https://nvd.nist.gov/vuln/detail/CVE-2026-41417"
- expired_at: 2026-05-22
- - id: CVE-2026-42583
- statement: "Netty Lz4FrameDecoder resource exhaustion. Fix: bump netty-bom to 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42583"
- expired_at: 2026-05-22
- - id: CVE-2026-42584
- statement: "Netty HttpClientCodec response desynchronization. Fix: bump netty-bom to 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42584"
- expired_at: 2026-05-22
- - id: CVE-2026-42587
- statement: "Netty HttpContentDecompressor maxAllocation bypass with br/zstd/snappy Content-Encoding leads to decompression bomb. Fix: bump netty-bom to 4.1.133.Final. https://avd.aquasec.com/nvd/cve-2026-42587"
- expired_at: 2026-05-22
+ - id: CVE-2026-54515
+ statement: "jackson-databind vulnerability. No fix available in 2.21.x yet (Trivy DB lists 2.21.5 which has not been released). https://avd.aquasec.com/nvd/cve-2026-54515"
+ expired_at: 2026-07-31
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index 47cc0735ed..7c6e35061e 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
@@ -35,7 +35,7 @@ val otelJavaAgentVersion = if (!testSnapshots) otelVersion else "$otelSnapshotVe
 val dependencyBoms = listOf(
 "com.amazonaws:aws-java-sdk-bom:1.12.599",
- "com.fasterxml.jackson:jackson-bom:2.21.1",
+ "com.fasterxml.jackson:jackson-bom:2.21.4",
 "com.google.guava:guava-bom:33.0.0-jre",
 "com.google.protobuf:protobuf-bom:3.25.1",
 "com.linecorp.armeria:armeria-bom:1.26.4",
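Review bot: The CVE-2026-54515 entry added here is a byte-for-byte copy of the one in daily-scan.trivyignore.yaml, with the same fixed expiry of 2026-07-31, and nothing in the statement says what should happen in the meantime: once jackson-databind 2.21.5 ships, Trivy will still flag 2.21.4 and this entry will keep silencing it in PR builds until the date passes, so nothing in CI prompts the bump. Add an explicit action so the next reader sees a placeholder for a pending upstream release rather than an accepted risk, e.g. `statement: "... Action: bump jackson-bom to 2.21.5 and delete this entry (here and in daily-scan.trivyignore.yaml) as soon as the release is available."`, and consider a shorter expiry so the check recurs. Whether the two workflows could share one ignore file I can't tell from this diff, but hand-synchronising two copies is how stale suppressions creep in, as the four expired Netty entries removed above show.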