fix(security): bump vulnerable transitive deps across service modules #27753
mohityadav766 wants to merge 6 commits into main from
Address Snyk vulnerability findings reported across the OpenMetadata modules:
- BouncyCastle 1.80 -> 1.84 (critical signature-verification bypass + 3 high/medium)
- httpcore5/-h2 5.1.3 -> 5.3.5, httpclient5 -> 5.5 (high HTTP/2 stream-reset DoS, pulled in transitively via calcite -> avatica)
- tomcat-jdbc/juli 11.0.5 -> 11.0.11 (medium ANSI log injection)
- resilience4j-ratelimiter 2.3.0 -> 2.4.0 (transitively bumps kotlin-stdlib)
- kotlin-stdlib/-jdk7/-jdk8 pinned to 2.1.0 (low temp-file info exposure)
- Spring 6.2.11 -> 6.2.17 (medium DoS in spring-core)
- Jackson 2.18.6 -> 2.21.2 via jackson-bom (high jackson-core DoS; jackson-annotations uses x.y not x.y.z, so the BOM is required)
- jsonschema2pojo 1.2.2 -> 1.3.0 (medium stack overflow)
- k8s-operator local jackson 2.17.2 -> 2.21.2 (high jackson-core DoS)
- common/pom.xml excludes tools.jackson.core:* from jsonschema2pojo-core 1.3.0 (its new Jackson 3 transitive ships 3 high-sev DoS CVEs and we don't need it)

Other notes:
- New dependencyManagement at the parent pom level so all submodules (service, dist, mcp, k8s-operator, sdk, spec) inherit the patched versions.
- jsonschema2pojo 1.3.0 dropped its explicit plexus-utils dep; openmetadata-spec declares plexus-utils 3.6.0 in the plugin's <dependencies> so codegen still works.
- log4j-core 2.25.3 has 4 unfixable Snyk advisories with no upstream patch published; tracked in security tracker.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| <kubernetes-client.version>21.0.1</kubernetes-client.version> | ||
| <!-- Jackson version (should match parent project) --> | ||
| <jackson.version>2.17.2</jackson.version> | ||
| <jackson.version>2.21.2</jackson.version> |
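Review bot: the comment `<!-- Jackson version (should match parent project) -->` left in place above the bumped property now gives the wrong instruction. The parent manages Jackson through a BOM import, and a module-local `${jackson.version}` written into an explicit `<version>` tag wins over the BOM-managed version, so "matching" has to be done by hand every time and a future parent-only bump silently leaves this module on the old artifact set. Remove the local property and the explicit `<version>` tags and let the BOM resolve them; then confirm with `mvn -pl openmetadata-k8s-operator dependency:tree -Dincludes=com.fasterxml.jackson.core` that `jackson-databind` resolves to the parent's version.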
💡 Quality: k8s-operator jackson.version property redundant with parent BOM
The parent pom now imports jackson-bom in <dependencyManagement>, which governs versions for all com.fasterxml.jackson.* artifacts across child modules. However, openmetadata-k8s-operator/pom.xml still declares a local <jackson.version> property (line 26) and hardcodes <version>${jackson.version}</version> on its jackson-databind and jackson-dataformat-yaml dependencies (lines 48, 54). This creates a maintenance burden: the comment says "should match parent project" but requires manual sync. If someone bumps only the parent BOM, the k8s-operator will silently stay on the old version.
Consider removing the local jackson.version property and the explicit <version> tags on the Jackson dependencies — the parent's BOM import will resolve the correct versions automatically.
Suggested fix:
Remove the local jackson.version property (line 26) and
the <version>${jackson.version}</version> tags from the
jackson-databind (line 48) and jackson-dataformat-yaml
(line 54) dependency declarations. The parent's jackson-bom
import will resolve versions automatically.
Pull request overview
Updates Maven dependency versions across OpenMetadata modules to address Snyk-reported vulnerabilities (primarily via dependencyManagement overrides and a Jackson BOM import).
Changes:
- Bump and centrally manage patched dependency versions (Jackson via jackson-bom, Spring, Tomcat, jsonschema2pojo).
- Add dependencyManagement "security override" pins for vulnerable transitives (Apache HttpComponents 5, BouncyCastle, Kotlin stdlib).
- Adjust module-specific POMs to accommodate upgrades (spec plugin dependency tweak; operator/service version bumps; exclude Jackson 3 `tools.jackson.core:*` from `jsonschema2pojo-core` in `common`).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pom.xml | Raises core dependency versions, imports jackson-bom, and adds dependencyManagement overrides for vulnerable transitives. |
| openmetadata-spec/pom.xml | Adds explicit plexus-utils plugin dependency to keep jsonschema2pojo plugin execution working after the bump. |
| openmetadata-service/pom.xml | Bumps resilience4j version property used by service dependencies. |
| openmetadata-k8s-operator/pom.xml | Bumps locally pinned Jackson version used by the operator module. |
| common/pom.xml | Excludes tools.jackson.core:* (Jackson 3) artifacts from jsonschema2pojo-core to avoid pulling vulnerable/unused runtime deps. |
| <!-- Import jackson-bom: jackson-annotations follows x.y versioning while jackson-core/databind | ||
| use x.y.z, so a single property cannot cover all artifacts. The BOM aligns them. --> | ||
| <dependency> | ||
| <groupId>com.fasterxml.jackson.core</groupId> | ||
| <artifactId>jackson-annotations</artifactId> | ||
| <version>${jackson.version}</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.fasterxml.jackson.core</groupId> | ||
| <artifactId>jackson-core</artifactId> | ||
| <version>${jackson.version}</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.fasterxml.jackson.core</groupId> | ||
| <artifactId>jackson-databind</artifactId> | ||
| <version>${jackson.version}</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.fasterxml.jackson.module</groupId> | ||
| <artifactId>jackson-module-blackbird</artifactId> | ||
| <groupId>com.fasterxml.jackson</groupId> | ||
| <artifactId>jackson-bom</artifactId> | ||
| <version>${jackson.version}</version> | ||
| <type>pom</type> | ||
| <scope>import</scope> | ||
| </dependency> |
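Review bot: the `<dependency>` block that opened for `jackson-module-blackbird` is repurposed here for the `jackson-bom` import, so after this hunk neither blackbird nor annotations/core/databind is managed explicitly in this POM. That is only safe if the imported BOM manages every one of them; jackson-bom should list `jackson-module-blackbird` alongside the other jackson-modules-base artifacts, but verify rather than assume: run `mvn help:effective-pom -Doutput=effective.xml` and check that `jackson-module-blackbird` appears under `<dependencyManagement>` with the expected version. If it is absent, its version will come from whichever transitive declares it first, which is exactly the drift the BOM was brought in to prevent.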
The new jackson-bom import should align all Jackson artifacts, but this POM still has an explicit dependencyManagement entry pinning com.fasterxml.jackson.dataformat:jackson-dataformat-yaml to 2.17.2 (see pom.xml around lines ~672-683). That override will prevent the BOM from fully aligning Jackson versions and can reintroduce older Jackson bits alongside 2.21.2. Consider removing that explicit version (or updating it to follow ${jackson.version} / BOM-managed version) so the BOM is the single source of truth.
| <!-- Kubernetes client version (should match openmetadata-service) --> | ||
| <kubernetes-client.version>21.0.1</kubernetes-client.version> | ||
| <!-- Jackson version (should match parent project) --> | ||
| <jackson.version>2.17.2</jackson.version> | ||
| <jackson.version>2.21.2</jackson.version> | ||
| </properties> |
This module defines its own <jackson.version> property and pins Jackson dependency versions directly. Since the parent POM now imports jackson-bom (and already defines ${jackson.version}), keeping a module-local override makes it easy for the operator to drift from the platform’s patched Jackson set. Consider deleting this local jackson.version property and letting the operator inherit the parent’s BOM-managed Jackson versions (i.e., omit explicit Jackson <version> tags in dependencies).
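The two review comments above (the explicit `jackson-dataformat-yaml` pin in the parent's `dependencyManagement`, and the operator module's hardcoded `${jackson.version}`) are instances of the same Maven rule: an explicit `<version>` on a dependency in the consuming POM, or a non-import entry in the importing POM's own `<dependencyManagement>`, takes priority over whatever an imported BOM supplies, so the BOM only aligns artifacts nobody else pins. The checker below is an added example, not code from the OpenMetadata repository: it parses POM XML, lists the BOMs imported for a group prefix, and flags both kinds of overriding declaration. The two POM fragments are constructed to mirror the situation discussed (a parent importing `jackson-bom` 2.21.2 beside a 2.17.2 `jackson-dataformat-yaml` pin, and a child module with its own `jackson.version` property); the coordinates inside them are assumptions, not the project's real files.

```python
"""Flag Maven declarations that silently override a BOM-imported version.

Precedence (Maven 3): an explicit <version> on a dependency in the consuming
POM, or a non-import entry in the importing POM's own <dependencyManagement>,
takes priority over the version an imported BOM supplies.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def _text(el, tag):
    child = el.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def _properties(root):
    props = root.find("m:properties", NS)
    return {c.tag.split("}")[-1]: (c.text or "").strip() for c in (props if props is not None else [])}


def _resolve(value, props):
    """Expand ${name} placeholders from the same POM's <properties>."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value or "") or None


def _managed(root):
    dm = root.find("m:dependencyManagement/m:dependencies", NS)
    return [] if dm is None else dm.findall("m:dependency", NS)


def bom_versions(pom_xml, group_prefix):
    """{artifactId: version} for every <scope>import</scope> BOM under group_prefix."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    return {_text(d, "artifactId"): _resolve(_text(d, "version"), props)
            for d in _managed(root)
            if _text(d, "scope") == "import" and (_text(d, "groupId") or "").startswith(group_prefix)}


def management_pins(pom_xml, group_prefix):
    """Non-import dependencyManagement entries beside the BOM: these win over it."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    return [(_text(d, "groupId"), _text(d, "artifactId"), _resolve(_text(d, "version"), props))
            for d in _managed(root)
            if _text(d, "scope") != "import"
            and (_text(d, "groupId") or "").startswith(group_prefix) and _text(d, "version")]


def hardcoded_versions(pom_xml, group_prefix):
    """Child <dependencies> entries carrying their own <version> for a BOM-managed group."""
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    deps = root.find("m:dependencies", NS)
    return [(_text(d, "groupId"), _text(d, "artifactId"), _resolve(_text(d, "version"), props))
            for d in ([] if deps is None else deps.findall("m:dependency", NS))
            if (_text(d, "groupId") or "").startswith(group_prefix) and _text(d, "version")]


def audit(parent_xml, child_xml, group_prefix="com.fasterxml.jackson"):
    """Return (imported BOM versions, findings); each finding names a declaration that defeats the BOM."""
    boms = bom_versions(parent_xml, group_prefix)
    findings = []
    for g, a, v in management_pins(parent_xml, group_prefix):
        findings.append(f"parent pins {g}:{a}:{v} beside BOM {boms}; the explicit entry wins")
    for g, a, v in hardcoded_versions(child_xml, group_prefix):
        findings.append(f"child hardcodes {g}:{a}:{v}; the BOM version is ignored for it")
    return boms, findings


# Constructed POM fragments (assumptions, not the project's real files).
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.21.2</jackson.version></properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson</groupId><artifactId>jackson-bom</artifactId>
      <version>${jackson.version}</version><type>pom</type><scope>import</scope>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.dataformat</groupId><artifactId>jackson-dataformat-yaml</artifactId>
      <version>2.17.2</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.17.2</jackson.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>io.kubernetes</groupId><artifactId>client-java</artifactId><version>21.0.1</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for line in audit(PARENT_POM, CHILD_POM)[1]:
        print(line)
```

Both findings are the ones the reviewers raised by hand; running the same check over every module POM in CI (one `audit` call per child, group prefix per BOM) keeps a later parent-only bump from being silently undone.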
Patches Dependabot advisory: spotless-maven-plugin XXE in pre-2.43 versions (GHSA-fjwh-xx9p-h7v9). Build-time only but flagged High severity. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The Java checkstyle failed. Please run You can install the pre-commit hooks with |
Final cleanup: the parent pom still pinned jetty.version=12.1.6 even though service/mcp had local overrides at 12.1.7. Modules that inherit the parent property without overriding (and consumers like collate) were still resolving the vulnerable 12.1.6 for jetty-http (HTTP request smuggling) and jetty-server. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| <!-- Import jackson-bom: jackson-annotations follows x.y versioning while jackson-core/databind | ||
| use x.y.z, so a single property cannot cover all artifacts. The BOM aligns them. --> | ||
| <dependency> | ||
| <groupId>com.fasterxml.jackson.core</groupId> | ||
| <artifactId>jackson-annotations</artifactId> | ||
| <version>${jackson.version}</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.fasterxml.jackson.core</groupId> | ||
| <artifactId>jackson-core</artifactId> | ||
| <version>${jackson.version}</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.fasterxml.jackson.core</groupId> | ||
| <artifactId>jackson-databind</artifactId> | ||
| <version>${jackson.version}</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>com.fasterxml.jackson.module</groupId> | ||
| <artifactId>jackson-module-blackbird</artifactId> | ||
| <groupId>com.fasterxml.jackson</groupId> | ||
| <artifactId>jackson-bom</artifactId> |
The imported jackson-bom here will not fully align Jackson artifacts because pom.xml still has an explicit <dependencyManagement> entry for com.fasterxml.jackson.dataformat:jackson-dataformat-yaml pinned to 2.17.2 (see pom.xml:673-676). That later entry will override the BOM and can leave an older/vulnerable or incompatible Jackson module in the build; please remove that explicit pin or bump it to match ${jackson.version}.
| <!-- Import jackson-bom: jackson-annotations follows x.y versioning while jackson-core/databind | ||
| use x.y.z, so a single property cannot cover all artifacts. The BOM aligns them. --> |
The comment claims jackson-annotations uses x.y versioning while other Jackson artifacts use x.y.z, but this project previously pinned jackson-annotations to ${jackson.version} (e.g., 2.18.6), which suggests it also follows x.y.z. Please correct/clarify this comment so it doesn't mislead future dependency updates.
| <!-- Import jackson-bom: jackson-annotations follows x.y versioning while jackson-core/databind | |
| use x.y.z, so a single property cannot cover all artifacts. The BOM aligns them. --> | |
| <!-- Import jackson-bom to keep Jackson artifacts aligned to a compatible version set | |
| and avoid managing individual module versions separately. --> |
🟡 Playwright Results — all passed (19 flaky)
✅ 3955 passed · ❌ 0 failed · 🟡 19 flaky · ⏭️ 86 skipped
🟡 19 flaky test(s) (passed on retry)
How to debug locally:
# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip  # view trace
Code Review 👍 Approved with suggestions (0 resolved / 1 findings)
Updates vulnerable transitive dependencies across service modules to mitigate security risks. Consider removing the redundant jackson.version property as it is now managed by the parent BOM.
💡 Quality: k8s-operator jackson.version property redundant with parent BOM (📄 openmetadata-k8s-operator/pom.xml:26, 📄 openmetadata-k8s-operator/pom.xml:45-55)
Summary
Address Snyk + Dependabot vulnerability findings across the OpenMetadata Maven modules. All fixes are dependency-version bumps; no source-code changes.
Critical
- `bcpkix/bcprov/bcutil-jdk18on` 1.80 → 1.84 (signature-verification bypass, transitive via `io.kubernetes:client-java`)

High
- `httpcore5-h2` 5.1.3 → 5.3.5 + `httpclient5` → 5.5 (HTTP/2 stream-reset DoS, transitive via `calcite-core` → `avatica-core`)
- `jackson-core/databind` 2.18.6 → 2.21.2 via jackson-bom (DoS)
- `openmetadata-k8s-operator` local Jackson 2.17.2 → 2.21.2
- `tools.jackson.core:*` excluded from `jsonschema2pojo-core` in `common/pom.xml` (3 high-sev DoS in Jackson 3.0.2 — not needed at runtime)
- `spotless-maven-plugin` 2.41.1 → 2.46.0 (XXE, GHSA-fjwh-xx9p-h7v9 — second-pass commit)

Medium
- `tomcat-jdbc/tomcat-juli` 11.0.5 → 11.0.11 (ANSI log injection)
- `spring-core` / friends 6.2.11 → 6.2.17 (DoS)
- `jsonschema2pojo-core` 1.2.2 → 1.3.0 (stack overflow)
- `bcprov-jdk18on` LDAP injection (covered by 1.84)

Low
- `resilience4j-ratelimiter` 2.3.0 → 2.4.0 (pulls newer kotlin-stdlib)
- `kotlin-stdlib/-jdk7/-jdk8` pinned to 2.1.0 (deprecated `createTempDir`/`createTempFile` info exposure)

Notes / known leftovers
- `log4j-core@2.25.3` has 4 Snyk advisories (2 high + 2 medium) with no upstream fix published yet — tracked in security tracker, will pick up automatically once the next 2.25.x patch lands.
- `<dependencyManagement>` so every submodule (service, dist, mcp, k8s-operator, sdk, spec) inherits the patched versions.
- `openmetadata-spec/pom.xml` adds `plexus-utils 3.6.0` to the `jsonschema2pojo-maven-plugin` plugin deps because 1.3.0 dropped the explicit dep but still references `org.codehaus.plexus.util.DirectoryScanner`.
- `jackson-annotations/-core/-databind/-blackbird` version pins in favour of a single `jackson-bom` import — `jackson-annotations` uses `x.y` not `x.y.z` versioning, so a single property cannot align all Jackson artifacts.

Test plan
- `mvn clean install -DskipTests -pl '!openmetadata-ui,!openmetadata-ui-core-components' -am` builds clean
- `snyk test --all-projects --severity-threshold=medium` — only the unfixable `log4j-core` advisories remain
- `httpclient5` was bumped under it

🤖 Generated with Claude Code
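The test plan above relies on the Snyk report to confirm nothing vulnerable still resolves. A cheap offline complement, and the one that would have caught the inherited `jetty.version=12.1.6` case described in the jetty commit (a module that never overrode the parent property still resolved the old artifact), is to parse `mvn dependency:tree` output for every module and fail when any resolved artifact sits below its patched floor. The script below is an added example, not part of this PR or the OpenMetadata build. The floor table is taken from the versions this PR's own summary names (an assumption that these are the floors the team settled on, not an authoritative advisory database), and the tree text is constructed to look like two modules' `dependency:tree` output with invented `org.example` coordinates.

```python
"""Fail when any module resolves an artifact below its patched floor version.

Feed it the text of `mvn dependency:tree` run over a multi-module build; each
module root line (no tree prefix) starts a new module, and every indented line
is a resolved groupId:artifactId:type[:classifier]:version:scope coordinate.
"""
import re

# Floors named in this PR's summary. Assumption: these are the team's chosen
# minimums, not a feed from an advisory database.
FLOORS = {
    "org.bouncycastle:bcprov-jdk18on": "1.84",
    "org.bouncycastle:bcpkix-jdk18on": "1.84",
    "com.fasterxml.jackson.core:jackson-core": "2.21.2",
    "com.fasterxml.jackson.core:jackson-databind": "2.21.2",
    "org.apache.httpcomponents.core5:httpcore5-h2": "5.3.5",
    "org.apache.httpcomponents.client5:httpclient5": "5.5",
    "org.eclipse.jetty:jetty-http": "12.1.7",
    "org.eclipse.jetty:jetty-server": "12.1.7",
}


def parse_tree(text):
    """Yield (module, "group:artifact", version) for every resolved dependency line."""
    module = None
    for line in text.splitlines():
        body = re.sub(r"^\[INFO\]\s*", "", line)
        coords = body.lstrip("|+\\- ").strip()          # drop the ASCII tree prefix
        if not coords or " " in coords or coords.count(":") < 3:
            continue                                      # banners, plugin headers, blanks
        parts = coords.split(":")
        if body == coords:                                # no prefix: the module's own root line
            module = f"{parts[0]}:{parts[1]}"
            continue
        yield module, f"{parts[0]}:{parts[1]}", parts[-2]  # scope is last, version before it


def _key(version):
    """Numeric tuple for comparison; non-numeric qualifiers count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def below_floor(version, floor):
    return _key(version) < _key(floor)


def audit_tree(text, floors=FLOORS):
    """Sorted, de-duplicated (module, coordinate, resolved, floor) for every violation."""
    bad = set()
    for module, ga, version in parse_tree(text):
        floor = floors.get(ga)
        if floor and below_floor(version, floor):
            bad.add((module, ga, version, floor))
    return sorted(bad)


# Constructed dependency:tree output for two modules (coordinates invented).
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ service ---
[INFO] org.example:service:jar:1.0
[INFO] +- org.eclipse.jetty:jetty-server:jar:12.1.7:compile
[INFO] |  \\- org.eclipse.jetty:jetty-http:jar:12.1.7:compile
[INFO] +- org.apache.calcite:calcite-core:jar:1.38.0:compile
[INFO] |  \\- org.apache.calcite.avatica:avatica-core:jar:1.25.0:compile
[INFO] |     \\- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.3.5:compile
[INFO] \\- io.kubernetes:client-java:jar:21.0.1:compile
[INFO]    \\- org.bouncycastle:bcprov-jdk18on:jar:1.84:compile
[INFO] --- dependency:3.6.1:tree (default-cli) @ sdk ---
[INFO] org.example:sdk:jar:1.0
[INFO] +- org.eclipse.jetty:jetty-http:jar:12.1.6:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-core:jar:2.17.2:compile
"""

if __name__ == "__main__":
    for module, ga, got, want in audit_tree(SAMPLE_TREE):
        print(f"{module}: {ga} resolved {got}, floor {want}")
```

In the sample the service module is clean while the sdk module, which in the constructed tree never overrode the inherited Jetty and Jackson versions, is reported three times; wiring `mvn dependency:tree -DoutputFile=...` per module into CI and exiting non-zero on a non-empty `audit_tree` result makes the "inherits the patched versions" claim in the description something the build checks rather than something a reviewer has to trust.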
Summary by Gitar
- `activeStagedIndices` routing to enable live writes to staged indices during reindexing.
- `getWriteIndexName` and `getWriteFanoutTargets` to centralize index resolution and prevent data loss during alias swaps.
- `registerSearchIndexHandler` to unregister stale handlers, ensuring event delivery to the active `SearchRepository` instance.
- `SearchIndexRetryQueue` suspension checks from all indexing paths, delegating routing logic to `getWriteIndexName`.