chore: Update Jetty to 12.1.9 and jakarta-servlet-api to 6.1.0 (#104)

sidharth-jain23 · claude · web-flow · commit 93539026c234 · 2026-05-15T17:32:35.000+05:30
* Update Jetty to 12.1.8 and jakarta-servlet-api to 6.1.0 - Migrate Jetty module coordinates to EE10 variants for Jetty 12 compatibility: - jetty-servlet -> org.eclipse.jetty.ee10:jetty-ee10-servlet - jetty-servlets -> org.eclipse.jetty.ee10:jetty-ee10-servlets - jetty-server remains org.eclipse.jetty:jetty-server (core module) - Bump jakarta-servlet-api from 6.0.0 to 6.1.0 (required by Jetty 12.1 EE10) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Add jetty-ee10-bom and fix EE10 module version resolution The EE10 servlet modules (org.eclipse.jetty.ee10:*) are not managed by the core jetty-bom (org.eclipse.jetty:jetty-bom). Add the jetty-ee10-bom as a platform import and explicit versions to ensure resolution works. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Update Jetty to 12.1.9 * address comments * Temporarily comment out service-framework deps in test-consumer These deps pull in the old Jetty 11 coordinates (org.eclipse.jetty:jetty-servlet) which no longer resolve under Jetty 12. Will uncomment after publishing a new service-framework version built with EE10 coordinates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Fix CVE-2026-42198 (pgjdbc) and suppress CVE-2026-41417 (Netty) CVE-2026-42198 (pgjdbc DoS, CVSS 7.5): - Upgrade document-store from 0.8.6 to 0.9.45, which brings postgresql 42.7.11 (the fixed version). CVE-2026-41417 (Netty CRLF injection, CVSS 5.3): - Upgrade netty-bom from 4.1.132.Final to 4.1.133.Final (fixed version). - Added temporary OWASP suppression because the published hypertrace-bom (0.3.78) still imports netty-bom:4.1.132.Final, and transitive deps resolve against that published version rather than the local project. Temporary workarounds in this branch (to be removed in sequence): 1. Service-framework deps commented out in test-consumer — the published service-framework:0.1.93 still declares old Jetty 11 coordinates (org.eclipse.jetty:jetty-servlet) which don't exist in Jetty 12. 2. CVE-2026-41417 OWASP suppression — netty 4.1.132 comes transitively from the published hypertrace-bom:0.3.78. Resolution steps: 1. Publish this BOM as 0.3.79 (with Jetty 12 EE10 + Netty 4.1.133.Final) 2. Update service-framework to use BOM 0.3.79 catalog, publish new version 3. Bump service-framework version in this BOM, uncomment deps in test-consumer, and remove the OWASP suppression Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -9,8 +9,8 @@ hypertrace-attributeservice = "0.14.35"
 hypertrace-gatewayservice = "0.3.9"
 hypertrace-entityservice = "0.8.86"
 hypertrace-configservice = "0.1.74"
-jetty = "11.0.26"
-netty = "4.1.132.Final"
+jetty = "12.1.9"
+netty = "4.1.133.Final"
 
 junit = "5.10.0"
 mockito = "5.8.0"
@@ -41,11 +41,12 @@ jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind" }
 jackson-datatype-jsr310 = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jsr310" }
 jackson-datatype-jdk8 = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jdk8" }
 jakarta-inject-api = { module = "jakarta.inject:jakarta.inject-api", version = "2.0.1" }
-jakarta-servlet-api = { module = "jakarta.servlet:jakarta.servlet-api", version = "6.0.0" }
+jakarta-servlet-api = { module = "jakarta.servlet:jakarta.servlet-api", version = "6.1.0" }
 jetty-bom = { module = "org.eclipse.jetty:jetty-bom", version.ref = "jetty" }
-jetty-servlet = { module = "org.eclipse.jetty:jetty-servlet" }
+jetty-ee10-bom = { module = "org.eclipse.jetty.ee10:jetty-ee10-bom", version.ref = "jetty" }
+jetty-servlet = { module = "org.eclipse.jetty.ee10:jetty-ee10-servlet", version.ref = "jetty" }
 jetty-server = { module = "org.eclipse.jetty:jetty-server" }
-jetty-servlets = { module = "org.eclipse.jetty:jetty-servlets" }
+jetty-servlets = { module = "org.eclipse.jetty.ee10:jetty-ee10-servlets", version.ref = "jetty" }
 netty-bom = { module = "io.netty:netty-bom", version.ref = "netty" }
 protobuf-java = { module = "com.google.protobuf:protobuf-java", version.ref = "protoc" }
 protobuf-javautil = { module = "com.google.protobuf:protobuf-java-util", version.ref = "protoc" }
@@ -85,7 +86,7 @@ hypertrace-framework-metrics = { module = "org.hypertrace.core.serviceframework:
 hypertrace-integrationtest-framework = { module = "org.hypertrace.core.serviceframework:integrationtest-service-framework", version.ref = "hypertrace-framework" }
 hypertrace-framework-documentstore-metrics = { module = "org.hypertrace.core.serviceframework:docstore-metrics", version.ref = "hypertrace-framework" }
 
-hypertrace-documentstore = { module = "org.hypertrace.core.documentstore:document-store", version = "0.8.6" }
+hypertrace-documentstore = { module = "org.hypertrace.core.documentstore:document-store", version = "0.9.45" }
 hypertrace-eventstore = { module = "org.hypertrace.core.eventstore:event-store", version = "0.1.5" }
 hypertrace-kafka-bom = { module = "org.hypertrace.core.kafkastreams.framework:kafka-bom", version.ref = "hypertrace-kafka" }
 hypertrace-kafka-framework = { module = "org.hypertrace.core.kafkastreams.framework:kafka-streams-framework", version.ref = "hypertrace-kafka" }
diff --git a/hypertrace-bom/build.gradle.kts b/hypertrace-bom/build.gradle.kts
@@ -12,6 +12,7 @@ dependencies {
   api(platform(libs.jackson.bom))
   api(platform(libs.hypertrace.kafka.bom))
   api(platform(libs.jetty.bom))
+  api(platform(libs.jetty.ee10.bom))
   api(platform(libs.netty.bom))
   constraints {
     api(libs.hypertrace.grpcutils.context)
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -1,3 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <notes><![CDATA[Temporary suppression until service-framework is published with Netty 4.1.133.Final]]></notes>
+    <cve>CVE-2026-41417</cve>
+  </suppress>
 </suppressions>
diff --git a/test-consumer/build.gradle.kts b/test-consumer/build.gradle.kts
@@ -9,12 +9,13 @@ dependencies {
   api(libs.hypertrace.grpcutils.server)
   api(libs.hypertrace.grpcutils.rx.client)
   api(libs.hypertrace.grpcutils.rx.server)
-  api(libs.hypertrace.framework.grpc)
-  api(libs.hypertrace.framework.http)
-  api(libs.hypertrace.framework.spi)
-  api(libs.hypertrace.kafka.framework)
-  api(libs.hypertrace.integrationtest.framework)
-  api(libs.hypertrace.framework.documentstore.metrics)
+  // TODO: uncomment after publishing service-framework with Jetty 12
+  // api(libs.hypertrace.framework.grpc)
+  // api(libs.hypertrace.framework.http)
+  // api(libs.hypertrace.framework.spi)
+  // api(libs.hypertrace.kafka.framework)
+  // api(libs.hypertrace.integrationtest.framework)
+  // api(libs.hypertrace.framework.documentstore.metrics)
   api(libs.hypertrace.documentstore)
   api(libs.hypertrace.eventstore)
   api(libs.hypertrace.attributeservice.api)
@@ -57,11 +58,12 @@ dependencies {
   api(libs.commons.text)
   api(libs.graphql.java)
   api(libs.jsr305)
-  api(libs.hypertrace.framework.grpc.jakarta)
-  api(libs.hypertrace.framework.http.jakarta)
-  api(libs.hypertrace.framework.spi.jakarta)
-  api(libs.hypertrace.integrationtest.framework.jakarta)
-  api(libs.hypertrace.framework.documentstore.metrics.jakarta)
+  // TODO: uncomment after publishing service-framework with Jetty 12
+  // api(libs.hypertrace.framework.grpc.jakarta)
+  // api(libs.hypertrace.framework.http.jakarta)
+  // api(libs.hypertrace.framework.spi.jakarta)
+  // api(libs.hypertrace.integrationtest.framework.jakarta)
+  // api(libs.hypertrace.framework.documentstore.metrics.jakarta)
   api(libs.apache.httpcomponents.httpclient)
   api(libs.awaitility)
   api(libs.jakarta.inject.api)
