From 6a79091964127b8dd3956bf0958193f5503ef317 Mon Sep 17 00:00:00 2001
From: David Venable
Date: Wed, 30 Jul 2025 10:31:45 -0500
Subject: [PATCH] Updates several dependencies to address CVEs (#5914)
Updates several dependencies to address CVEs
* CVE-2025-46762 - Parquet 1.15.2
* CVE-2025-48734 - commons-beanutils 1.11.0 and Checkstyle 10.26.1
* CVE-2024-57699 - json-smart 2.5.2
* CVE-2025-24970 - Netty 4.1.123
* CVE-2025-27817 - Apache Kafka 3.9.1 and Confluent Kafka 7.9.1
Also, removes some broken code related to the kafka-client in unused Kafka tests.
Signed-off-by: David Venable
(cherry picked from commit c8f66fa4fd1ed67fdbbeb230daf948e76207cf10)
---
 build.gradle | 20 ++++++++++++-------
 .../kafka-plugins/build.gradle | 14 ++++++-------
 .../EmbeddedKafkaClusterSingleNode.java | 12 -----------
 .../kafka/source/EmbeddedKafkaServer.java | 9 +--------
 settings.gradle | 2 +-
 5 files changed, 22 insertions(+), 35 deletions(-)
diff --git a/build.gradle b/build.gradle
index 6a9273a98c..4e8159f7b6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -47,7 +47,7 @@ allprojects {
 }
 checkstyle {
- toolVersion = '10.12.3'
+ toolVersion = '10.26.1'
 }
 }
@@ -147,9 +147,9 @@ subprojects {
 }
 implementation('net.minidev:json-smart') {
 version {
- require '2.5.0'
+ require '2.5.2'
 }
- because 'CVE from transitive dependencies'
+ because 'CVE from transitive dependencies, including CVE-2024-57699'
 }
 implementation('org.jetbrains.kotlin:kotlin-stdlib') {
 version {
@@ -217,6 +217,12 @@ subprojects {
 }
 because 'CVE-2024-25710, CVE-2024-26308'
 }
+ implementation('commons-beanutils:commons-beanutils') {
+ version {
+ require '1.11.0'
+ }
+ because 'CVE-2025-48734'
+ }
 }
 }
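Review bot: The new `implementation('commons-beanutils:commons-beanutils') { version { require '1.11.0' } because 'CVE-2025-48734' }` entry in the `@@ -217` hunk declares commons-beanutils as a direct dependency of every subproject, so modules that never pulled it transitively now carry it, and whatever it brings along, on their runtime classpath. A `constraints { implementation('commons-beanutils:commons-beanutils') { version { require '1.11.0' }; because 'CVE-2025-48734' } }` block pins the version only where something already depends on the library, which is the narrower fix for a transitive CVE. The neighbouring json-smart and kotlin-stdlib entries follow the same direct-dependency pattern, so this may be a deliberate project convention; if so the same observation applies to the whole block rather than this addition alone. The enclosing `subprojects { … }` block starts and ends outside the hunk.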
@@ -224,11 +230,11 @@ subprojects {
 resolutionStrategy.eachDependency { def details ->
 if (details.requested.group == 'io.netty') {
 if (details.requested.name == 'netty') {
- details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.108.Final'
- details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
+ details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.123.Final'
+ details.because 'Fixes CVE-2025-24970, CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
 } else if (!details.requested.name.startsWith('netty-tcnative')) {
- details.useVersion '4.1.108.Final'
- details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
+ details.useVersion '4.1.123.Final'
+ details.because 'Fixes CVE-2025-24970, CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
 }
 } else if (details.requested.group == 'log4j' && details.requested.name == 'log4j') {
 details.useTarget group: 'org.apache.logging.log4j', name: 'log4j-1.2-api', version: '2.17.1'
diff --git a/data-prepper-plugins/kafka-plugins/build.gradle b/data-prepper-plugins/kafka-plugins/build.gradle
index 1f3e80f757..3c6519380c 100644
--- a/data-prepper-plugins/kafka-plugins/build.gradle
+++ b/data-prepper-plugins/kafka-plugins/build.gradle
@@ -32,16 +32,16 @@ dependencies {
 implementation project(':data-prepper-plugins:encryption-plugin')
 // bump io.confluent:* dependencies correspondingly when bumping org.apache.kafka.*
 // https://docs.confluent.io/platform/current/release-notes/index.html
- implementation 'org.apache.kafka:kafka-clients:3.6.1'
- implementation 'org.apache.kafka:connect-json:3.6.1'
+ implementation 'org.apache.kafka:kafka-clients:3.9.1'
+ implementation 'org.apache.kafka:connect-json:3.9.1'
 implementation project(':data-prepper-plugins:http-common')
 implementation libs.avro.core
 implementation 'com.fasterxml.jackson.core:jackson-databind'
 implementation 'io.micrometer:micrometer-core'
 implementation libs.commons.lang3
- implementation 'io.confluent:kafka-avro-serializer:7.6.0'
- implementation 'io.confluent:kafka-json-schema-serializer:7.6.0'
- implementation 'io.confluent:kafka-schema-registry-client:7.6.0'
+ implementation 'io.confluent:kafka-avro-serializer:7.9.1'
+ implementation 'io.confluent:kafka-json-schema-serializer:7.9.1'
+ implementation 'io.confluent:kafka-schema-registry-client:7.9.1'
 implementation 'software.amazon.awssdk:sts'
 implementation 'software.amazon.awssdk:auth'
 implementation 'software.amazon.awssdk:kafka'
@@ -77,8 +77,8 @@ dependencies {
 testImplementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml'
 integrationTestImplementation testLibs.junit.vintage
- integrationTestImplementation 'io.confluent:kafka-schema-registry:7.6.0'
- integrationTestImplementation ('io.confluent:kafka-schema-registry:7.6.0:tests') {
+ integrationTestImplementation 'io.confluent:kafka-schema-registry:7.9.1'
+ integrationTestImplementation ('io.confluent:kafka-schema-registry:7.9.1:tests') {
 exclude group: 'org.glassfish.jersey.containers', module: 'jersey-container-servlet'
 exclude group: 'org.glassfish.jersey.inject', module: 'jersey-hk2'
 exclude group: 'org.glassfish.jersey.ext', module: 'jersey-bean-validation'
diff --git a/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaClusterSingleNode.java b/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaClusterSingleNode.java
index ec791c221f..73a36e8dfd 100644
--- a/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaClusterSingleNode.java
+++ b/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaClusterSingleNode.java
@@ -8,7 +8,6 @@ import io.confluent.kafka.schemaregistry.RestApp;
 import io.confluent.kafka.schemaregistry.avro.AvroCompatibilityLevel;
 import io.confluent.kafka.schemaregistry.rest.SchemaRegistryConfig;
-import kafka.server.KafkaConfig$;
 import org.junit.rules.ExternalResource;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -58,8 +57,6 @@ public void start() throws Exception {
 log.debug("ZooKeeper instance is running at {}", zookeeper.connectString());
 final Properties effectiveBrokerConfig = effectiveBrokerConfigFrom(brokerConfig, zookeeper);
- log.debug("Starting a Kafka instance on ...",
- effectiveBrokerConfig.getProperty(KafkaConfig$.MODULE$.ZkConnectDoc()));
 broker = new EmbeddedKafkaServer(effectiveBrokerConfig);
 log.debug("Kafka instance is running at {}, connected to ZooKeeper at {}",
 broker.brokerList(), broker.zookeeperConnect());
@@ -80,15 +77,6 @@ public void start() throws Exception {
 private Properties effectiveBrokerConfigFrom(final Properties brokerConfig, final EmbeddedZooKeeperServer zookeeper) {
 final Properties effectiveConfig = new Properties();
 effectiveConfig.putAll(brokerConfig);
- effectiveConfig.put(KafkaConfig$.MODULE$.ZkConnectProp(), zookeeper.connectString());
- effectiveConfig.put(KafkaConfig$.MODULE$.ZkSessionTimeoutMsProp(), 30 * 1000);
- effectiveConfig.put(KafkaConfig$.MODULE$.ZkConnectionTimeoutMsProp(), 60 * 1000);
- effectiveConfig.put(KafkaConfig$.MODULE$.DeleteTopicEnableProp(), true);
- effectiveConfig.put(KafkaConfig$.MODULE$.LogCleanerDedupeBufferSizeProp(), 2 * 1024 * 1024L);
- effectiveConfig.put(KafkaConfig$.MODULE$.GroupMinSessionTimeoutMsProp(), 0);
- effectiveConfig.put(KafkaConfig$.MODULE$.OffsetsTopicReplicationFactorProp(), (short) 1);
- effectiveConfig.put(KafkaConfig$.MODULE$.OffsetsTopicPartitionsProp(), 1);
- effectiveConfig.put(KafkaConfig$.MODULE$.AutoCreateTopicsEnableProp(), true);
 return effectiveConfig;
 }
diff --git a/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaServer.java b/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaServer.java
index 1bb6953ed9..4904159474 100644
--- a/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaServer.java
+++ b/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaServer.java
@@ -7,7 +7,6 @@ import kafka.server.KafkaConfig;
-import kafka.server.KafkaConfig$;
 import kafka.server.KafkaServer;
 import kafka.utils.TestUtils;
 import org.apache.kafka.clients.admin.AdminClient;
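Review bot: After this hunk `effectiveBrokerConfigFrom(final Properties brokerConfig, final EmbeddedZooKeeperServer zookeeper)` never reads its `zookeeper` parameter, so the embedded broker is handed no ZooKeeper connect setting unless the caller's `brokerConfig` already contains one, which is not visible here; the method now only copies `brokerConfig`, which leaves the parameter dead and the name misleading. If the fixture is meant to keep working, the removed Scala constants can be replaced by plain configuration keys, e.g. `effectiveConfig.put("zookeeper.connect", zookeeper.connectString());`, rather than dropped. If the tests really are unused as the description says, deleting the rule class (and `EmbeddedKafkaServer`, whose `effectiveConfigFrom` receives the same treatment in the next file) is clearer than leaving a fixture that cannot start. At minimum, drop the unused parameter or add a comment such as `// NOTE: no longer wires the broker to ZooKeeper; this fixture is not expected to start a usable broker`.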
@@ -61,19 +60,13 @@ public EmbeddedKafkaServer(final Properties config) throws IOException {
 private Properties effectiveConfigFrom(final Properties initialConfig) throws IOException {
 final Properties effectiveConfig = new Properties();
- effectiveConfig.put(KafkaConfig$.MODULE$.BrokerIdProp(), 1);
- effectiveConfig.put(KafkaConfig$.MODULE$.NumPartitionsProp(), 1);
- effectiveConfig.put(KafkaConfig$.MODULE$.AutoCreateTopicsEnableProp(), true);
- effectiveConfig.put(KafkaConfig$.MODULE$.MessageMaxBytesProp(), 1000000);
- effectiveConfig.put(KafkaConfig$.MODULE$.ControlledShutdownEnableProp(), true);
 effectiveConfig.putAll(initialConfig);
- effectiveConfig.setProperty(KafkaConfig$.MODULE$.LogDirProp(), logDir.getAbsolutePath());
 return effectiveConfig;
 }
 public String brokerList() {
- return kafka.config().zkConnect();
+ return "";
 }
diff --git a/settings.gradle b/settings.gradle
index d7dfc2b90a..71926ee174 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -61,7 +61,7 @@ dependencyResolutionManagement {
 library('commons-io', 'commons-io', 'commons-io').version('2.15.1')
 library('commons-codec', 'commons-codec', 'commons-codec').version('1.16.0')
 library('commons-compress', 'org.apache.commons', 'commons-compress').version('1.24.0')
- version('parquet', '1.15.1')
+ version('parquet', '1.15.2')
 library('parquet-common', 'org.apache.parquet', 'parquet-common').versionRef('parquet')
 library('parquet-avro', 'org.apache.parquet', 'parquet-avro').versionRef('parquet')
 library('parquet-column', 'org.apache.parquet', 'parquet-column').versionRef('parquet')
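Review bot: `brokerList()` now unconditionally returns `""`, so any caller that feeds it into a client's bootstrap-servers setting gets an empty address and is likely to fail at client construction with an error that does not point back here; the debug line kept in `EmbeddedKafkaClusterSingleNode.start()` (`"Kafka instance is running at {}, connected to ZooKeeper at {}"`) will likewise print an empty broker address. If the fixture is intentionally inert, `throw new UnsupportedOperationException("EmbeddedKafkaServer no longer exposes a broker list");` makes that explicit where it is used instead of returning a silently invalid value. In the same hunk `effectiveConfigFrom` no longer sets `broker.id`, `log.dir` or the other broker defaults, which presumably leaves the `logDir` field (declared outside the hunk) unused and would let a broker that is started fall back to Kafka's default log directory; either remove the field or note the change in a comment on the method. The `EmbeddedKafkaServer` constructor named in the hunk header starts outside the hunk.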