Skip to content

[fix][sec] Override commons-beanutils and commons-configuration2 to remediate CVEs #24936

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lhotari merged 4 commits into from
Nov 3, 2025
Merged

[fix][sec] Override commons-beanutils and commons-configuration2 to remediate CVEs #24936

lhotari merged 4 commits into from
Nov 3, 2025

Conversation

@guptas6est
Copy link
Contributor

@guptas6est guptas6est commented Nov 3, 2025

Fixes #xyz

Main Issue: #xyz

PIP: #xyz

Motivation

This PR addresses multiple vulnerabilities affecting transitive dependencies commons-beanutils:commons-beanutils and org.apache.commons:commons-configuration2 used across several Pulsar modules such as pulsar-io-hbase, pulsar-io-hdfs3, and tiered-storage/file-system.

Vulnerabilities remediated:

Modifications

Explicitly added commons-beanutils:commons-beanutils and org.apache.commons:commons-configuration2 under dependencyManagement in the parent pom.xml to enforce safe, fixed versions (1.11.0 and 2.12.0, respectively) across all transitive usages.

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Nov 3, 2025
lhotari
lhotari reviewed Nov 3, 2025
View reviewed changes
lhotari
lhotari reviewed Nov 3, 2025
View reviewed changes
@codecov-commenter
Copy link

codecov-commenter commented Nov 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.27%. Comparing base (402ed5b) to head (1c9f4fa).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #24936      +/-   ##
============================================
- Coverage     74.28%   74.27%   -0.02%     
- Complexity    33886    33898      +12     
============================================
  Files          1913     1913              
  Lines        149425   149446      +21     
  Branches      17358    17362       +4     
============================================
- Hits         111001   110994       -7     
- Misses        29572    29595      +23     
- Partials       8852     8857       +5
Flag Coverage Δ
inttests 26.31% <ø> (+0.08%) ⬆️
systests 22.76% <ø> (-0.01%) ⬇️
unittests 73.79% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 72 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@lhotari lhotari added this to the 4.2.0 milestone Nov 3, 2025
@lhotari lhotari merged commit fefe771 into apache:master Nov 3, 2025
52 of 53 checks passed
lhotari pushed a commit that referenced this pull request Nov 4, 2025
@guptas6est @lhotari
[fix][sec] Override commons-beanutils and commons-configuration2 to r…
c697826 
…emediate CVEs (#24936)

(cherry picked from commit fefe771)
lhotari pushed a commit that referenced this pull request Nov 4, 2025
@guptas6est @lhotari
[fix][sec] Override commons-beanutils and commons-configuration2 to r…
3740097 
…emediate CVEs (#24936)

(cherry picked from commit fefe771)
ganesh-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 6, 2025
@guptas6est @ganesh-ctds
[fix][sec] Override commons-beanutils and commons-configuration2 to r…
c4d4936 
…emediate CVEs (apache#24936)

(cherry picked from commit fefe771)
(cherry picked from commit 3740097)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 6, 2025
@guptas6est @srinath-ctds
[fix][sec] Override commons-beanutils and commons-configuration2 to r…
5ca3b8c 
…emediate CVEs (apache#24936)

(cherry picked from commit fefe771)
(cherry picked from commit 3740097)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lhotari lhotari lhotari approved these changes

Assignees

No one assigned

Labels

cherry-picked/branch-4.0 cherry-picked/branch-4.1 doc-not-needed Your PR changes do not impact docs release/4.0.8 release/4.1.2

Projects

None yet

Milestone

4.2.0

Development

Successfully merging this pull request may close these issues.

3 participants

@guptas6est @codecov-commenter @lhotari