Elgato_dark/OpenMetadata
1
0
Fork 0
mirror of https://github.com/open-metadata/OpenMetadata synced 2026-05-24 09:39:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
OpenMetadata/openmetadata-clients/openmetadata-java-client
History
Ram Narayan Balaji 339b3dfb18
fix(security): upgrade Java dependencies to resolve CRITICAL and HIGH CVEs (#27940) 
* fix(security): upgrade Java dependencies to resolve CRITICAL and HIGH CVEs

- jetty-http: 12.1.6 → 12.1.7 (HTTP Request Smuggling, CRITICAL)
- bcpkix/bcprov/bcutil-jdk18on: 1.80 → 1.84 (Crypto Signature Bypass + Timing Attack)
- postgresql: 42.7.7 → 42.7.11 (SCRAM-SHA-256 DoS)
- httpcore5-h2: pinned to 5.3.5 (HTTP/2 stream reset DoS)
- commons-compress: pinned to 1.26.0 (Infinite Loop DoS)
- jackson-core: 2.18.6 → 2.19.0 (async parser resource exhaustion)
- maven-shade-plugin: 3.5.1 → 3.6.0 (supports Java 22 MR-JAR in jackson-core 2.19.0)
- openapi-generator template override: jackson-version 2.17.1 → 2.19.0 in generated swagger pom

* fix(security): upgrade spring-web 6.2.11 → 6.2.18

* fix(security): align jackson-dataformat-yaml, feign, gson, logback versions

- jackson-dataformat-yaml: 2.17.2 → ${jackson.version} (2.19.0)
- feign-core: 13.2.1 → 13.5 (in openapi-gen template)
- gson: 2.10.1 → 2.11.0 (in openapi-gen template)
- logback-classic: 1.3.13 → 1.5.25 (in openapi-gen template)

* fix(security): use jackson 2.18.7 — highest clean 2.x with full ecosystem

2.19.0-2.21.0 all carry a HIGH (CVSS 8.7) vulnerability per Sonatype.
2.18.7 is the latest clean patch where all Jackson modules are released.

* fix(security): remove hardcoded jackson 2.17.2 override in k8s-operator, inherit 2.18.7 from root

* fix(security): upgrade gson 2.11.0 → 2.13.1 (Medium CVE)

* fix(security): replace 436-line pom.mustache with minimal stub

The openapi-generator-maven-plugin writes target/generated-sources/swagger/pom.xml
at build time with hardcoded jackson 2.17.1. Snyk --all-projects picks up every
pom.xml on disk and flags it as HIGH.

The generated pom.xml is never packaged into any JAR or Docker image — it is a
generator artefact. The actual runtime jackson version comes from the module pom
inheriting jackson.version=2.18.7 from the root. Replace the 436-line verbatim
upstream template (maintained just to change 2 version lines) with a 10-line
coordinate-only stub. The generated pom.xml will have no <dependencies> block,
so Snyk finds nothing to flag.
2026-05-07 09:19:10 +00:00
..
src fix(security): upgrade Java dependencies to resolve CRITICAL and HIGH CVEs (#27940) 2026-05-07 09:19:10 +00:00
lombok.config [Backend][JavaClientFix] Java Client Fix (#6726) 2022-08-15 11:05:49 +05:30
pom.xml fix(security): upgrade Java dependencies to resolve CRITICAL and HIGH CVEs (#27940) 2026-05-07 09:19:10 +00:00