Skip to content

[2.19] Bump dependencies to address CVEs#22292

Merged
andrross merged 1 commit into
opensearch-project:2.19from
andrross:backport/cve-fixes-2.19
Jun 26, 2026
Merged

[2.19] Bump dependencies to address CVEs#22292
andrross merged 1 commit into
opensearch-project:2.19from
andrross:backport/cve-fixes-2.19

Conversation

@andrross

@andrross andrross commented Jun 23, 2026

Copy link
Copy Markdown
Member

Check List

  • Functionality includes testing.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@andrross andrross requested a review from a team as a code owner June 23, 2026 21:49
@github-actions

github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 29961d6.

PathLineSeverityDescription
buildSrc/build.gradle139highNew dependency added: org.codehaus.plexus:plexus-xml:3.0.1. This is a net-new artifact not previously present in the build. Maintainers must verify the artifact's authenticity and provenance.
buildSrc/build.gradle138highDependency version change: org.apache.maven:maven-model upgraded from 3.9.6 to 3.9.16. All dependency version changes must be flagged for maintainer verification.
buildSrc/build.gradle169highNew forced resolution rule added for org.apache.logging.log4j:log4j-core. This globally overrides the log4j-core version across the build and must be verified to ensure the forced version is correct and not maliciously downgraded.
buildSrc/src/testKit/thirdPartyAudit/sample_jars/build.gradle21highDependency version change: org.apache.logging.log4j:log4j-core upgraded from 2.24.3 to 2.25.4. All dependency version changes must be flagged for maintainer verification.
gradle/libs.versions.toml11highDependency version change: jackson and jackson_databind upgraded from 2.18.6 to 2.18.8. Affects all Jackson artifacts across the project. Maintainers must verify artifact integrity.
gradle/libs.versions.toml14highDependency version change: log4j upgraded from 2.25.3 to 2.25.4. Affects log4j-api, log4j-core, log4j-jul, and related artifacts project-wide. Maintainers must verify artifact integrity.
gradle/libs.versions.toml42highDependency version change: reactor upgraded from 3.7.5 to 3.7.19 (large version jump of 14 minor versions). Maintainers must verify artifact authenticity and changelog for unexpected behavior.
gradle/libs.versions.toml41highDependency version change: reactor_netty upgraded from 1.2.9 to 1.2.18 (large version jump of 9 minor versions). Maintainers must verify artifact authenticity.
plugins/ingest-attachment/build.gradle78highDependency version change: org.jsoup:jsoup upgraded from 1.20.1 to 1.22.2. All dependency version changes must be flagged for maintainer verification.
plugins/repository-hdfs/build.gradle77highDependency version change: org.apache.commons:commons-configuration2 upgraded from 2.11.0 to 2.15.0 (large version jump). Maintainers must verify artifact authenticity.

The table above displays the top 10 most important findings.

Total: 12 | Critical: 0 | High: 12 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@Divyaasm

Copy link
Copy Markdown
Contributor

@andrross need to backport these PR's to 2.19 #21808
#22138 to address the GH action failures forced to shas.

@andrross andrross added the skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. label Jun 23, 2026
@andrross andrross force-pushed the backport/cve-fixes-2.19 branch from 29961d6 to 155560a Compare June 23, 2026 23:36
@github-actions

github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

PR Reviewer Guide 🔍

(Review updated until commit 0771e07)

Here are some key observations to aid the review process:

🧪 No relevant tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ No major issues detected

@github-actions

Copy link
Copy Markdown
Contributor

❌ Gradle check result for 155560a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions

Copy link
Copy Markdown
Contributor

❌ Gradle check result for 155560a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions

Copy link
Copy Markdown
Contributor

❌ Gradle check result for 155560a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions

Copy link
Copy Markdown
Contributor

❌ Gradle check result for 155560a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions

Copy link
Copy Markdown
Contributor

❌ Gradle check result for 155560a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions

Copy link
Copy Markdown
Contributor

❌ Gradle check result for 155560a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions

Copy link
Copy Markdown
Contributor

❌ Gradle check result for 155560a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions

Copy link
Copy Markdown
Contributor

❌ Gradle check result for 155560a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

- Bump log4j from 2.25.3 to 2.25.4 (CVE-2026-34480, CVE-2026-34478, CVE-2026-34477)
- Bump jetty from 9.4.57 to 9.4.58 (CVE-2026-2332)
- Upgrade maven-model from 3.9.6 to 3.9.16, add plexus-xml 3.0.1 (CVE-2025-67030)
- Force log4j-core to 2.25.4 in buildSrc
- Bump commons-configuration2 from 2.11.0/2.13.0 to 2.15.0 (CVE-2026-34479)
- Bump jsoup from 1.20.1 to 1.22.2 (CVE-2026-5598, CVE-2025-33042)
- Bump Jackson from 2.18.6 to 2.18.8 (CVE-2026-0636, CVE-2026-5588)
- Bump reactor-netty from 1.2.9 to 1.2.18, reactor-core from 3.7.5 to 3.7.19 (CVE-2026-24281, CVE-2026-24308)

Signed-off-by: Andrew Ross <andrross@amazon.com>
@andrross andrross force-pushed the backport/cve-fixes-2.19 branch from 155560a to 0771e07 Compare June 25, 2026 20:43
@github-actions

Copy link
Copy Markdown
Contributor

Persistent review updated to latest commit 0771e07

@github-actions

Copy link
Copy Markdown
Contributor

❌ Gradle check result for 0771e07: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions

Copy link
Copy Markdown
Contributor

✅ Gradle check result for 0771e07: SUCCESS

@codecov

codecov Bot commented Jun 26, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.00%. Comparing base (aff3489) to head (0771e07).
⚠️ Report is 10 commits behind head on 2.19.

Additional details and impacted files
@@             Coverage Diff              @@
##               2.19   #22292      +/-   ##
============================================
+ Coverage     71.92%   72.00%   +0.07%     
+ Complexity    66009    64441    -1568     
============================================
  Files          5342     5121     -221     
  Lines        307392   300231    -7161     
  Branches      44862    44090     -772     
============================================
- Hits         221105   216171    -4934     
+ Misses        67823    65921    -1902     
+ Partials      18464    18139     -325     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@andrross andrross merged commit de59a9e into opensearch-project:2.19 Jun 26, 2026
48 of 50 checks passed
@andrross andrross deleted the backport/cve-fixes-2.19 branch June 26, 2026 16:26
@rursprung rursprung mentioned this pull request Jul 10, 2026
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

skip-changelog skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants