fix: Address Trivy-reported security issues

piotrszul · claude · piotrszul · commit 5fa3975efadb · 2026-02-05T12:39:08.000+10:00
- Exclude ucumate-test-utils transitive dependency from ucumate-core - Bump assertj-core from 3.27.4 to 3.27.7 - Add CVE-2025-67721 (aircompressor Snappy/LZ4) to .trivyignore Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/.trivyignore b/.trivyignore
@@ -49,3 +49,10 @@ CVE-2026-1002
 CVE-2026-21884
 CVE-2026-22029
 CVE-2026-22030
+
+
+# aircompressor Snappy and LZ4 Java-based decompressor 
+# io.airlift:aircompressor is a Spark SQL dependency. Snappy is the default compression for parquet/delta.
+In the context od the library the the user has full control over compressed content so the attack vector is not applicable.
+In the context of the server the bulk import with parquet format could potentially be used as an attack vector. Needs to be investigated further.
+CVE-2025-67721
diff --git a/encoders/pom.xml b/encoders/pom.xml
@@ -116,6 +116,12 @@
       <groupId>io.github.fhnaumann</groupId>
       <artifactId>ucumate-core</artifactId>
       <version>1.0.8</version>
+      <exclusions>
+        <exclusion>
+          <groupId>io.github.fhnaumann</groupId>
+          <artifactId>ucumate-test-utils</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/server/pom.xml b/server/pom.xml
@@ -292,7 +292,7 @@
     <dependency>
       <groupId>org.assertj</groupId>
       <artifactId>assertj-core</artifactId>
-      <version>3.27.4</version>
+      <version>3.27.7</version>
       <scope>test</scope>
     </dependency>
     <dependency>
