Updates several dependencies to address CVEs (#5914)

dlvenable · web-flow · commit c8f66fa4fd1e · 2025-07-30T08:31:45.000-07:00
Updates several dependencies to address CVEs * CVE-2025-46762 - Parquet 1.15.2 * CVE-2025-48734 - commons-beanutils 1.11.0 and Checkstyle 10.26.1 * CVE-2024-57699 - json-smart 2.5.2 * CVE-2025-24970 - Netty 4.1.123 * CVE-2025-27817 - Apache Kafka 3.9.1 and Confluent Kafka 7.9.1 Also, removes some broken code related to the kafka-client in unused Kafka tests. Signed-off-by: David Venable <dlv@amazon.com>
diff --git a/build.gradle b/build.gradle
@@ -47,7 +47,7 @@ allprojects {
     }
 
     checkstyle {
-        toolVersion = '10.12.3'
+        toolVersion = '10.26.1'
     }
 }
 
@@ -147,9 +147,9 @@ subprojects {
             }
             implementation('net.minidev:json-smart') {
                 version {
-                    require '2.5.0'
+                    require '2.5.2'
                 }
-                because 'CVE from transitive dependencies'
+                because 'CVE from transitive dependencies, including CVE-2024-57699'
             }
             implementation('org.jetbrains.kotlin:kotlin-stdlib') {
                 version {
@@ -217,18 +217,24 @@ subprojects {
                 }
                 because 'CVE-2024-25710, CVE-2024-26308'
             }
+            implementation('commons-beanutils:commons-beanutils') {
+                version {
+                    require '1.11.0'
+                }
+                because 'CVE-2025-48734'
+            }
         }
     }
 
     configurations.all {
         resolutionStrategy.eachDependency { def details ->
             if (details.requested.group == 'io.netty') {
                 if (details.requested.name == 'netty') {
-                    details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.108.Final'
-                    details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
+                    details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.123.Final'
+                    details.because 'Fixes CVE-2025-24970, CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
                 } else if (!details.requested.name.startsWith('netty-tcnative')) {
-                    details.useVersion '4.1.108.Final'
-                    details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
+                    details.useVersion '4.1.123.Final'
+                    details.because 'Fixes CVE-2025-24970, CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'
                 }
             } else if (details.requested.group == 'log4j' && details.requested.name == 'log4j') {
                 details.useTarget group: 'org.apache.logging.log4j', name: 'log4j-1.2-api', version: '2.17.1'
diff --git a/data-prepper-plugins/kafka-plugins/build.gradle b/data-prepper-plugins/kafka-plugins/build.gradle
@@ -32,16 +32,16 @@ dependencies {
     implementation project(':data-prepper-plugins:encryption-plugin')
     // bump io.confluent:* dependencies correspondingly when bumping org.apache.kafka.*
     // https://docs.confluent.io/platform/current/release-notes/index.html
-    implementation 'org.apache.kafka:kafka-clients:3.6.1'
-    implementation 'org.apache.kafka:connect-json:3.6.1'
+    implementation 'org.apache.kafka:kafka-clients:3.9.1'
+    implementation 'org.apache.kafka:connect-json:3.9.1'
     implementation project(':data-prepper-plugins:http-common')
     implementation libs.avro.core
     implementation 'com.fasterxml.jackson.core:jackson-databind'
     implementation 'io.micrometer:micrometer-core'
     implementation libs.commons.lang3
-    implementation 'io.confluent:kafka-avro-serializer:7.6.0'
-    implementation 'io.confluent:kafka-json-schema-serializer:7.6.0'
-    implementation 'io.confluent:kafka-schema-registry-client:7.6.0'
+    implementation 'io.confluent:kafka-avro-serializer:7.9.1'
+    implementation 'io.confluent:kafka-json-schema-serializer:7.9.1'
+    implementation 'io.confluent:kafka-schema-registry-client:7.9.1'
     implementation 'software.amazon.awssdk:sts'
     implementation 'software.amazon.awssdk:auth'
     implementation 'software.amazon.awssdk:kafka'
@@ -77,8 +77,8 @@ dependencies {
     testImplementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml'
 
     integrationTestImplementation testLibs.junit.vintage
-    integrationTestImplementation 'io.confluent:kafka-schema-registry:7.6.0'
-    integrationTestImplementation ('io.confluent:kafka-schema-registry:7.6.0:tests') {
+    integrationTestImplementation 'io.confluent:kafka-schema-registry:7.9.1'
+    integrationTestImplementation ('io.confluent:kafka-schema-registry:7.9.1:tests') {
         exclude group: 'org.glassfish.jersey.containers', module: 'jersey-container-servlet'
         exclude group: 'org.glassfish.jersey.inject', module: 'jersey-hk2'
         exclude group: 'org.glassfish.jersey.ext', module: 'jersey-bean-validation'
diff --git a/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaClusterSingleNode.java b/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaClusterSingleNode.java
@@ -8,7 +8,6 @@
 import io.confluent.kafka.schemaregistry.RestApp;
 import io.confluent.kafka.schemaregistry.avro.AvroCompatibilityLevel;
 import io.confluent.kafka.schemaregistry.rest.SchemaRegistryConfig;
-import kafka.server.KafkaConfig$;
 import org.junit.rules.ExternalResource;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -58,8 +57,6 @@ public void start() throws Exception {
         log.debug("ZooKeeper instance is running at {}", zookeeper.connectString());
 
         final Properties effectiveBrokerConfig = effectiveBrokerConfigFrom(brokerConfig, zookeeper);
-        log.debug("Starting a Kafka instance on  ...",
-                effectiveBrokerConfig.getProperty(KafkaConfig$.MODULE$.ZkConnectDoc()));
         broker = new EmbeddedKafkaServer(effectiveBrokerConfig);
         log.debug("Kafka instance is running at {}, connected to ZooKeeper at {}",
                 broker.brokerList(), broker.zookeeperConnect());
@@ -80,15 +77,6 @@ public void start() throws Exception {
     private Properties effectiveBrokerConfigFrom(final Properties brokerConfig, final EmbeddedZooKeeperServer zookeeper) {
         final Properties effectiveConfig = new Properties();
         effectiveConfig.putAll(brokerConfig);
-        effectiveConfig.put(KafkaConfig$.MODULE$.ZkConnectProp(), zookeeper.connectString());
-        effectiveConfig.put(KafkaConfig$.MODULE$.ZkSessionTimeoutMsProp(), 30 * 1000);
-        effectiveConfig.put(KafkaConfig$.MODULE$.ZkConnectionTimeoutMsProp(), 60 * 1000);
-        effectiveConfig.put(KafkaConfig$.MODULE$.DeleteTopicEnableProp(), true);
-        effectiveConfig.put(KafkaConfig$.MODULE$.LogCleanerDedupeBufferSizeProp(), 2 * 1024 * 1024L);
-        effectiveConfig.put(KafkaConfig$.MODULE$.GroupMinSessionTimeoutMsProp(), 0);
-        effectiveConfig.put(KafkaConfig$.MODULE$.OffsetsTopicReplicationFactorProp(), (short) 1);
-        effectiveConfig.put(KafkaConfig$.MODULE$.OffsetsTopicPartitionsProp(), 1);
-        effectiveConfig.put(KafkaConfig$.MODULE$.AutoCreateTopicsEnableProp(), true);
         return effectiveConfig;
     }
 
diff --git a/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaServer.java b/data-prepper-plugins/kafka-plugins/src/integrationTest/java/org/opensearch/dataprepper/plugins/kafka/source/EmbeddedKafkaServer.java
@@ -7,7 +7,6 @@
 
 
 import kafka.server.KafkaConfig;
-import kafka.server.KafkaConfig$;
 import kafka.server.KafkaServer;
 import kafka.utils.TestUtils;
 import org.apache.kafka.clients.admin.AdminClient;
@@ -61,19 +60,13 @@ public EmbeddedKafkaServer(final Properties config) throws IOException {
 
     private Properties effectiveConfigFrom(final Properties initialConfig) throws IOException {
         final Properties effectiveConfig = new Properties();
-        effectiveConfig.put(KafkaConfig$.MODULE$.BrokerIdProp(), 1);
-        effectiveConfig.put(KafkaConfig$.MODULE$.NumPartitionsProp(), 1);
-        effectiveConfig.put(KafkaConfig$.MODULE$.AutoCreateTopicsEnableProp(), true);
-        effectiveConfig.put(KafkaConfig$.MODULE$.MessageMaxBytesProp(), 1000000);
-        effectiveConfig.put(KafkaConfig$.MODULE$.ControlledShutdownEnableProp(), true);
 
         effectiveConfig.putAll(initialConfig);
-        effectiveConfig.setProperty(KafkaConfig$.MODULE$.LogDirProp(), logDir.getAbsolutePath());
         return effectiveConfig;
     }
 
     public String brokerList() {
-        return kafka.config().zkConnect();
+        return "";
     }
 
 
diff --git a/settings.gradle b/settings.gradle
@@ -61,7 +61,7 @@ dependencyResolutionManagement {
             library('commons-io', 'commons-io', 'commons-io').version('2.15.1')
             library('commons-codec', 'commons-codec', 'commons-codec').version('1.16.0')
             library('commons-compress', 'org.apache.commons', 'commons-compress').version('1.24.0')
-            version('parquet', '1.15.1')
+            version('parquet', '1.15.2')
             library('parquet-common', 'org.apache.parquet', 'parquet-common').versionRef('parquet')
             library('parquet-avro', 'org.apache.parquet', 'parquet-avro').versionRef('parquet')
             library('parquet-column', 'org.apache.parquet', 'parquet-column').versionRef('parquet')

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ allprojects {`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`checkstyle {`
`50`		`- toolVersion = '10.12.3'`
	`50`	`+ toolVersion = '10.26.1'`
`51`	`51`	`}`
`52`	`52`	`}`
`53`	`53`
`@@ -147,9 +147,9 @@ subprojects {`
`147`	`147`	`}`
`148`	`148`	`implementation('net.minidev:json-smart') {`
`149`	`149`	`version {`
`150`		`- require '2.5.0'`
	`150`	`+ require '2.5.2'`
`151`	`151`	`}`
`152`		`- because 'CVE from transitive dependencies'`
	`152`	`+ because 'CVE from transitive dependencies, including CVE-2024-57699'`
`153`	`153`	`}`
`154`	`154`	`implementation('org.jetbrains.kotlin:kotlin-stdlib') {`
`155`	`155`	`version {`
`@@ -217,18 +217,24 @@ subprojects {`
`217`	`217`	`}`
`218`	`218`	`because 'CVE-2024-25710, CVE-2024-26308'`
`219`	`219`	`}`
	`220`	`+ implementation('commons-beanutils:commons-beanutils') {`
	`221`	`+ version {`
	`222`	`+ require '1.11.0'`
	`223`	`+ }`
	`224`	`+ because 'CVE-2025-48734'`
	`225`	`+ }`
`220`	`226`	`}`
`221`	`227`	`}`
`222`	`228`
`223`	`229`	`configurations.all {`
`224`	`230`	`resolutionStrategy.eachDependency { def details ->`
`225`	`231`	`if (details.requested.group == 'io.netty') {`
`226`	`232`	`if (details.requested.name == 'netty') {`
`227`		`- details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.108.Final'`
`228`		`- details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'`
	`233`	`+ details.useTarget group: 'io.netty', name: 'netty-all', version: '4.1.123.Final'`
	`234`	`+ details.because 'Fixes CVE-2025-24970, CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'`
`229`	`235`	`} else if (!details.requested.name.startsWith('netty-tcnative')) {`
`230`		`- details.useVersion '4.1.108.Final'`
`231`		`- details.because 'Fixes CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'`
	`236`	`+ details.useVersion '4.1.123.Final'`
	`237`	`+ details.because 'Fixes CVE-2025-24970, CVE-2022-41881, CVE-2021-21290 and CVE-2022-41915.'`
`232`	`238`	`}`
`233`	`239`	`} else if (details.requested.group == 'log4j' && details.requested.name == 'log4j') {`
`234`	`240`	`details.useTarget group: 'org.apache.logging.log4j', name: 'log4j-1.2-api', version: '2.17.1'`