Skip to content

Security: remediate open Dependabot alerts (24 of 29) + remediation register#259

Merged
rafaelbey merged 12 commits into
legend-shared-deps-updatefrom
security/remediation-register
Jul 3, 2026
Merged

Security: remediate open Dependabot alerts (24 of 29) + remediation register#259
rafaelbey merged 12 commits into
legend-shared-deps-updatefrom
security/remediation-register

Conversation

@rafaelbey

Copy link
Copy Markdown
Contributor

Summary

Remediates 24 of the 29 open critical/high/medium Dependabot alerts, adds a tracked remediation register (docs/security-remediation.md) documenting every alert — including the 5 that cannot be fixed on the current Java 8 / Dropwizard 1.3 baseline and why — and extracts dependency management into a published legend-shared-bom so downstream Legend apps can import the same (patched) versions.

One commit per remediation item, each independently verified with a full mvn install (tests + checkstyle):

Item Change Alerts closed
V01 trivy-action → 0.35.0, SHA-pinned CVE-2026-33634 (critical, CI)
V02 hazelcast 5.3.1 → 5.3.8 CVE-2023-45859, CVE-2023-45860
V03 json-smart 2.4.2 → 2.5.2 CVE-2021-31684, CVE-2023-1370
V04 jetty 9.4.44 → 9.4.57.v20241219 CVE-2024-13009 + 4 medium
V05 spring-boot-autoconfigure → 2.7.18, spring-test → 5.3.39 (test scope) CVE-2023-20883
V06 jackson family → 2.18.8 (via jackson-bom) + snakeyaml → 2.3 12 alerts incl. snakeyaml RCE CVE-2022-1471
V07 nimbus-jose-jwt 8.0 → 9.37.4 CVE-2023-52428, CVE-2025-53864

Not fixed, documented as accepted risk / watch items in the register: jetty CVE-2026-2332 (no fix exists in any 9.4.x), pac4j CVE-2026-40458 (fix requires pac4j 5.7.10 → Java 11; pac4j CSRF machinery is not wired by legend-shared's default config), jackson-databind CVE-2026-54515 (no patched release yet), jetty CVE-2024-6763 (fixed only in Jetty 12). A Phase-2 modernization track (Java 11 → Dropwizard 3/4 → pac4j 5.7) is outlined in the register.

Verification

  • Full reactor build + tests + checkstyle green after every item.
  • dependency:tree checks: single resolved version for all jetty (12 artifacts) and jackson (13 artifacts) jars; snakeyaml 2.3; json-smart 2.5.2.
  • Shaded static server boot smoke test after the jetty and jackson bumps: config parsed, /admin/healthcheck healthy, / serves 200.
  • spring-test 5.x gotcha found and fixed: mock-web cookie handling now requires spring-web (added test-scope).

⚠️ Reviewer note: the nimbus 9.37.4 + oauth2-oidc-sdk 8.22 pairing passes all tests (including the mock-IdP token-renewal test) but a manual OIDC login against a real IdP is recommended before release — the unit suite does not exercise the full authorization-code flow.

🤖 Generated with Claude Code

rafaelbey added 10 commits July 3, 2026 12:22
Inventories all 29 open critical/high/medium alerts, groups them into
ordered remediation waves with transitive-dependency rationale and
per-item blast radius, and documents deferred items blocked by the
Java 8 baseline. Intended to be executed one item per PR.
The enforcer plugin requires JDK 11/17/21/25 to build; compiled code
targets Java 8. README previously said JDK 8.
spring-boot-autoconfigure 2.3.3 -> 2.7.18, spring-test 4.3.24 -> 5.3.39.
spring-test 5.x mock-web requires spring-web for cookie handling; added
as a test dependency where spring-test is used.
Closes 12 alerts including the snakeyaml Constructor RCE (CVE-2022-1471)
and six jackson-databind highs. Imports jackson-bom so the datatype/
module/jaxrs jars Dropwizard pulls transitively stay on one version.
Build and tests green with oauth2-oidc-sdk 8.22, including the mock-IdP
token renewal test. Manual OIDC login verification against a real IdP
still recommended before release.
Moves all version properties and dependencyManagement from the root pom
into a published BOM module that Legend applications can import to stay
aligned with the versions (including the security bumps) managed here.
Documented in README; CVE-driven exclusions propagate to importers.
@rafaelbey rafaelbey requested a review from a team as a code owner July 3, 2026 16:48
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Workflow Telemetry - Build CI / Build

Workflow telemetry for commit 97df72cad0e16502a2991e5cbdcfd153237260b6
You can access workflow job details here

Step Trace

gantt
	title Build
	dateFormat x
	axisFormat %H:%M:%S
	Set up job : milestone, 1783097338000, 1783097340000
	Checkout repo : 1783097340000, 1783097340000
	Cache Maven dependencies : 1783097340000, 1783097342000
	Set up JDK : 1783097342000, 1783097342000
	Configure git : 1783097342000, 1783097342000
	Download deps and plugins : 1783097342000, 1783097353000
	Collect Workflow Telemetry : 1783097353000, 1783097353000
	Build + Test : 1783097353000, 1783097415000
	Upload Test Results : 1783097415000, 1783097416000

Loading

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Test Results

20 files  ±0  20 suites  ±0   23s ⏱️ -1s
83 tests ±0  83 ✔️ ±0  0 💤 ±0  0 ±0 

Results for commit 9ef8a10. ± Comparison against base commit 2bd4a69.

♻️ This comment has been updated with latest results.

The 4 'new' findings are known unfixable items re-attributed to the
bumped jars, not regressions: CVE-2026-2332 (D1, no 9.4.x fix exists on
Central despite Mend citing 9.4.60), CVE-2026-54515 (D4, no 2.x patch),
CVE-2024-6763 (D5) and CVE-2025-11143 (new D6), both Jetty-12-only.
@rafaelbey

Copy link
Copy Markdown
Contributor Author

The WhiteSource failure is expected and now documented in docs/security-remediation.md (see "Scanner reconciliation"): it confirms 37 vulnerabilities remediated; the "4 new" are the known unfixable items re-attributed to the bumped jar versions, not regressions — CVE-2026-2332 (no 9.4.x fix exists on Maven Central; Mend's suggested 9.4.60 has not shipped), CVE-2026-54515 (no jackson 2.x patch yet), and CVE-2024-6763 / CVE-2025-11143 (both fixed only in Jetty 12). All four are blocked by the Java 8 / Dropwizard 1.3 baseline and tracked as D1/D4/D5/D6 with re-check instructions.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Workflow Telemetry - Build CI / Build

Workflow telemetry for commit 4cdac9e26bc624f06e15a0e6feac59e7d67ad9d4
You can access workflow job details here

Step Trace

gantt
	title Build
	dateFormat x
	axisFormat %H:%M:%S
	Set up job : milestone, 1783097708000, 1783097709000
	Checkout repo : 1783097709000, 1783097710000
	Cache Maven dependencies : 1783097710000, 1783097712000
	Set up JDK : 1783097712000, 1783097712000
	Configure git : 1783097712000, 1783097712000
	Download deps and plugins : 1783097712000, 1783097720000
	Collect Workflow Telemetry : 1783097720000, 1783097720000
	Build + Test : 1783097720000, 1783097786000
	Upload Test Results : 1783097786000, 1783097786000
	Upload CI Event : 1783097786000, 1783097787000

Loading

Mend's suggested 9.4.60 is a commercial HeroDevs NES release (private
registry, same GAV). Not adoptable upstream (Central-resolvable deps
required; FINOS project), but documented as a deployer-side override
for organizations needing CVE-2026-2332/CVE-2025-11143 closed before
the Phase-2 migration.
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Workflow Telemetry - Build CI / Build

Workflow telemetry for commit 9ef8a1032a857f20b2e068727d575ad798ed3e18
You can access workflow job details here

Step Trace

gantt
	title Build
	dateFormat x
	axisFormat %H:%M:%S
	Set up job : milestone, 1783098208000, 1783098209000
	Checkout repo : 1783098209000, 1783098210000
	Cache Maven dependencies : 1783098210000, 1783098211000
	Set up JDK : 1783098211000, 1783098212000
	Configure git : 1783098212000, 1783098212000
	Download deps and plugins : 1783098212000, 1783098217000
	Collect Workflow Telemetry : 1783098217000, 1783098217000
	Build + Test : 1783098217000, 1783098281000
	Upload Test Results : 1783098281000, 1783098282000

Loading

@rafaelbey rafaelbey changed the base branch from master to legend-shared-deps-update July 3, 2026 17:12
@rafaelbey rafaelbey merged commit add1652 into legend-shared-deps-update Jul 3, 2026
4 of 5 checks passed
@rafaelbey rafaelbey deleted the security/remediation-register branch July 3, 2026 17:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant