Security: remediate open Dependabot alerts (24 of 29) + remediation register#259
Conversation
Inventories all 29 open critical/high/medium alerts, groups them into ordered remediation waves with transitive-dependency rationale and per-item blast radius, and documents deferred items blocked by the Java 8 baseline. Intended to be executed one item per PR.
The enforcer plugin requires JDK 11/17/21/25 to build; compiled code targets Java 8. README previously said JDK 8.
spring-boot-autoconfigure 2.3.3 -> 2.7.18, spring-test 4.3.24 -> 5.3.39. spring-test 5.x mock-web requires spring-web for cookie handling; added as a test dependency where spring-test is used.
Closes 12 alerts including the snakeyaml Constructor RCE (CVE-2022-1471) and six jackson-databind highs. Imports jackson-bom so the datatype/ module/jaxrs jars Dropwizard pulls transitively stay on one version.
Build and tests green with oauth2-oidc-sdk 8.22, including the mock-IdP token renewal test. Manual OIDC login verification against a real IdP still recommended before release.
Moves all version properties and dependencyManagement from the root pom into a published BOM module that Legend applications can import to stay aligned with the versions (including the security bumps) managed here. Documented in README; CVE-driven exclusions propagate to importers.
Workflow Telemetry - Build CI / BuildWorkflow telemetry for commit 97df72cad0e16502a2991e5cbdcfd153237260b6 Step Tracegantt
title Build
dateFormat x
axisFormat %H:%M:%S
Set up job : milestone, 1783097338000, 1783097340000
Checkout repo : 1783097340000, 1783097340000
Cache Maven dependencies : 1783097340000, 1783097342000
Set up JDK : 1783097342000, 1783097342000
Configure git : 1783097342000, 1783097342000
Download deps and plugins : 1783097342000, 1783097353000
Collect Workflow Telemetry : 1783097353000, 1783097353000
Build + Test : 1783097353000, 1783097415000
Upload Test Results : 1783097415000, 1783097416000
|
The 4 'new' findings are known unfixable items re-attributed to the bumped jars, not regressions: CVE-2026-2332 (D1, no 9.4.x fix exists on Central despite Mend citing 9.4.60), CVE-2026-54515 (D4, no 2.x patch), CVE-2024-6763 (D5) and CVE-2025-11143 (new D6), both Jetty-12-only.
|
The WhiteSource failure is expected and now documented in |
Workflow Telemetry - Build CI / BuildWorkflow telemetry for commit 4cdac9e26bc624f06e15a0e6feac59e7d67ad9d4 Step Tracegantt
title Build
dateFormat x
axisFormat %H:%M:%S
Set up job : milestone, 1783097708000, 1783097709000
Checkout repo : 1783097709000, 1783097710000
Cache Maven dependencies : 1783097710000, 1783097712000
Set up JDK : 1783097712000, 1783097712000
Configure git : 1783097712000, 1783097712000
Download deps and plugins : 1783097712000, 1783097720000
Collect Workflow Telemetry : 1783097720000, 1783097720000
Build + Test : 1783097720000, 1783097786000
Upload Test Results : 1783097786000, 1783097786000
Upload CI Event : 1783097786000, 1783097787000
|
Mend's suggested 9.4.60 is a commercial HeroDevs NES release (private registry, same GAV). Not adoptable upstream (Central-resolvable deps required; FINOS project), but documented as a deployer-side override for organizations needing CVE-2026-2332/CVE-2025-11143 closed before the Phase-2 migration.
Workflow Telemetry - Build CI / BuildWorkflow telemetry for commit 9ef8a1032a857f20b2e068727d575ad798ed3e18 Step Tracegantt
title Build
dateFormat x
axisFormat %H:%M:%S
Set up job : milestone, 1783098208000, 1783098209000
Checkout repo : 1783098209000, 1783098210000
Cache Maven dependencies : 1783098210000, 1783098211000
Set up JDK : 1783098211000, 1783098212000
Configure git : 1783098212000, 1783098212000
Download deps and plugins : 1783098212000, 1783098217000
Collect Workflow Telemetry : 1783098217000, 1783098217000
Build + Test : 1783098217000, 1783098281000
Upload Test Results : 1783098281000, 1783098282000
|
Summary
Remediates 24 of the 29 open critical/high/medium Dependabot alerts, adds a tracked remediation register (
docs/security-remediation.md) documenting every alert — including the 5 that cannot be fixed on the current Java 8 / Dropwizard 1.3 baseline and why — and extracts dependency management into a publishedlegend-shared-bomso downstream Legend apps can import the same (patched) versions.One commit per remediation item, each independently verified with a full
mvn install(tests + checkstyle):Not fixed, documented as accepted risk / watch items in the register: jetty CVE-2026-2332 (no fix exists in any 9.4.x), pac4j CVE-2026-40458 (fix requires pac4j 5.7.10 → Java 11; pac4j CSRF machinery is not wired by legend-shared's default config), jackson-databind CVE-2026-54515 (no patched release yet), jetty CVE-2024-6763 (fixed only in Jetty 12). A Phase-2 modernization track (Java 11 → Dropwizard 3/4 → pac4j 5.7) is outlined in the register.
Verification
dependency:treechecks: single resolved version for all jetty (12 artifacts) and jackson (13 artifacts) jars; snakeyaml 2.3; json-smart 2.5.2./admin/healthcheckhealthy,/serves 200.spring-web(added test-scope).🤖 Generated with Claude Code