MLE-24747 Bumping netty to address CVE

rjrudin · rjrudin · commit b3edddf84b3a · 2025-10-17T10:50:13.000-04:00
diff --git a/build.gradle b/build.gradle
@@ -57,21 +57,14 @@ configurations {
       force "com.marklogic:ml-gradle:6.1.0"
 
       resolutionStrategy.eachDependency { DependencyResolveDetails details ->
-        // Force v12.1.1 of jetty-http to avoid CVE-2025-5115
-        // (https://nvd.nist.gov/vuln/detail/CVE-2025-5115), which is a transitive
-        // dependency of Kafka connect-runtime:4.1.0
-        // Need to ensure this inclusdes all jetty modules, such as "org.eclipse.jetty.ee10"
         if (details.requested.group.startsWith("org.eclipse.jetty") && details.requested.version.startsWith("12")) {
           details.useVersion "12.1.1"
-          details.because "Bumping from 12.0.22 (what Kafka connect-runtime:4.1.0 depends on) to 12.1.1 to eliminate CVEs."
+          details.because "Eliminating CVEs on earlier versions. This is a compileOnly dependency of Kafka Connect and has no impact on our connector."
         }
 
-        // Force v4.2.6.Final of netty-all to avoid CVE-2025-58057
-        // (https://www.cve.org/CVERecord?id=CVE-2025-58057), which is a transitive
-        // dependency of marklogic-data-hub:6.2.1
         if (details.requested.group.equals("io.netty") && details.requested.version.startsWith("4")) {
-          details.useVersion "4.2.6.Final"
-          details.because "Bumping from 4.1.0 (what marklogic-data-hub:6.2.1 depends on) to 4.2.6.Final to eliminate CVEs."
+          details.useVersion "4.2.7.Final"
+          details.because "Eliminating CVEs on earlier patch versions. io.netty is brought in by marklogic-data-hub. "
         }
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -57,21 +57,14 @@ configurations {`
`57`	`57`	`force "com.marklogic:ml-gradle:6.1.0"`
`58`	`58`
`59`	`59`	`resolutionStrategy.eachDependency { DependencyResolveDetails details ->`
`60`		`- // Force v12.1.1 of jetty-http to avoid CVE-2025-5115`
`61`		`- // (https://nvd.nist.gov/vuln/detail/CVE-2025-5115), which is a transitive`
`62`		`- // dependency of Kafka connect-runtime:4.1.0`
`63`		`- // Need to ensure this inclusdes all jetty modules, such as "org.eclipse.jetty.ee10"`
`64`	`60`	`if (details.requested.group.startsWith("org.eclipse.jetty") && details.requested.version.startsWith("12")) {`
`65`	`61`	`details.useVersion "12.1.1"`
`66`		`- details.because "Bumping from 12.0.22 (what Kafka connect-runtime:4.1.0 depends on) to 12.1.1 to eliminate CVEs."`
	`62`	`+ details.because "Eliminating CVEs on earlier versions. This is a compileOnly dependency of Kafka Connect and has no impact on our connector."`
`67`	`63`	`}`
`68`	`64`
`69`		`- // Force v4.2.6.Final of netty-all to avoid CVE-2025-58057`
`70`		`- // (https://www.cve.org/CVERecord?id=CVE-2025-58057), which is a transitive`
`71`		`- // dependency of marklogic-data-hub:6.2.1`
`72`	`65`	`if (details.requested.group.equals("io.netty") && details.requested.version.startsWith("4")) {`
`73`		`- details.useVersion "4.2.6.Final"`
`74`		`- details.because "Bumping from 4.1.0 (what marklogic-data-hub:6.2.1 depends on) to 4.2.6.Final to eliminate CVEs."`
	`66`	`+ details.useVersion "4.2.7.Final"`
	`67`	`+ details.because "Eliminating CVEs on earlier patch versions. io.netty is brought in by marklogic-data-hub. "`
`75`	`68`	`}`
`76`	`69`	`}`
`77`	`70`	`}`