Fix jackson & netty CVEs via api-scoped dependency constraints#7329
Open
jorgee wants to merge 4 commits into
Open
Fix jackson & netty CVEs via api-scoped dependency constraints#7329jorgee wants to merge 4 commits into
jorgee wants to merge 4 commits into
Conversation
✅ Deploy Preview for nextflow-docs canceled.
|
63c526c to
1127587
Compare
caac250 to
c270265
Compare
Overrides the vulnerable transitive jackson and netty versions pulled by the Azure/Google/Seqera SDKs using api-scoped dependency constraints, which take effect on ALL configurations — including testFixtures*, which implementation/ runtimeOnly pins don't reach. GitHub's dependency submission resolves every configuration, so those testFixtures selections were reported in the graph and kept alerts open. - nf-commons: constraint jackson-databind 2.21.5 (transitive via npr-api; `api` scope propagates to downstream modules and their testFixtures) - nf-seqera: constraint jackson-databind 2.21.5 (transitive via tower-api). jackson-dataformat-yaml stays a direct `api` dependency at 2.21.5 because it is required at runtime and is NOT pulled transitively. - nf-azure: constraints jackson databind/core/annotations 2.18.9 (2.18 line required by the Azure SDK) and azure-core-http-netty 1.16.5 (brings patched netty 4.1.135). - nf-google: constraints jackson databind/core/annotations 2.18.9. The existing grpc-netty-shaded runtimeOnly pin is left unchanged (it has no open alert; converting it to a constraint is deferred to avoid perturbing the credential-gated GCP integration test). Constraints bump a transitive version without adding a fake dependency, `api` scope reaches testFixtures compile classpaths, and `require` (default) is a security floor (>= patched). Modules that genuinely use a library (jackson-dataformat-yaml in nf-seqera) keep a real dependency. Verified by generating the real GitHub dependency-graph snapshot: the submitted graph contains only patched versions in every configuration — jackson 2.18.9 / 2.21.5, jackson-dataformat-yaml 2.21.5, netty 4.1.135, azure-core-http-netty 1.16.5. Compile succeeds and the changed-module test suites pass. Addresses GHSA-rmj7-2vxq-3g9f, GHSA-j3rv-43j4-c7qm, GHSA-72hv-8253-57qq, GHSA-3qp7-7mw8-wx86 (CVE-2026-44249). Signed-off-by: Jorge Ejarque <jorge.ejarque@seqera.io> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: jorgee <jorge.ejarque@seqera.io>
c270265 to
5d71a12
Compare
Resolve conflict in nf-seqera/build.gradle: the nf-tower consolidation was reverted on master, so the tower-api/jackson deps moved back to nf-tower. Port the jackson-databind CVE fix (2.21.5 via api-scoped constraint) to plugins/nf-tower/build.gradle where those deps now live.
…d-force Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com> # Conflicts: # modules/nf-commons/build.gradle # plugins/nf-azure/build.gradle # plugins/nf-google/build.gradle # plugins/nf-tower/build.gradle
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the vulnerable transitive jackson and netty versions pulled by the Azure/Google/Seqera SDKs in nf-commons, nf-seqera, nf-azure and nf-google, using
api-scoped dependency constraints so the fix applies to every configuration — includingtestFixtures*, whichimplementation/runtimeOnlypins don't reach (GitHub's dependency submission runsresolveAllDependenciesover all configurations, so those testFixtures selections were being reported and kept alerts open).Dependabot alerts cleared (alert numbers, not issues/PRs)
azure-core-http-nettyconstraint → netty 4.1.135): 192, 193, 194, 196, 198, 216, 217 — GHSA-3qp7-7mw8-wx86 / CVE-2026-44249Why constraints
The vulnerable versions are pulled transitively, and the modules don't compile against jackson/netty directly. A constraint bumps a transitive version without adding a fake dependency;
apiscope reaches consumer / testFixtures compile classpaths;require(default) is a security floor (>=patched), so it won't block or silently downgrade a future SDK bump. A module that genuinely needs a library on its runtime classpath keeps a real dependency (e.g.jackson-dataformat-yamlin nf-seqera, which is not pulled transitively).For netty the constraint targets the intermediate
azure-core-http-netty(→ 1.16.5) rather than the ~15netty-*modules: Gradle then only traverses 1.16.5's dependencies (netty 4.1.135), so the old 1.16.4 → netty 4.1.132 subtree never enters the graph.Changes
nf-commonsjackson-databind:2.21.5(transitive vianpr-api;apiscope propagates to downstream modules + their testFixtures)nf-seqerajackson-databind:2.21.5(transitive viatower-api).jackson-dataformat-yaml:2.21.5stays a directapidependency — required at runtime and not pulled transitivelynf-azuredatabind/core/annotations→ 2.18.9 (2.18 line required by the Azure SDK);azure-core-http-netty→ 1.16.5 (brings patched netty 4.1.135). Replaces theruntimeOnlyjackson-core andimplementationazure-core-http-netty pinsnf-googledatabind/core/annotations→ 2.18.9. The existinggrpc-netty-shadedruntimeOnlypin is left unchanged (no open alert; converting it is deferred to avoid perturbing the credential-gated GCP integration testBatchLoggingTest)Verification
Generated the real GitHub dependency-graph snapshot (
github-dependency-graph-gradle-plugin'sForceDependencyResolutionPlugin_resolveAllDependencies— the exact artifact submitted to GitHub); it contains only patched versions in every configuration:jackson-databind→ 2.18.9 / 2.21.5 (no 2.18.2 / 2.18.6 / 2.21.1)jackson-dataformat-yaml→ 2.21.5netty-codec-http2→ 4.1.135.Final (no 4.1.132)azure-core-http-netty→ 1.16.5 (no 1.16.4)make compilesucceeds; the changed-module test suites pass. (Any redtest_integration/test_parser_v2jobs are pre-existing flakes — they fail on only one Java version and also flake on master.)Supersedes the declaration-pin approach in #7322.
🤖 Generated with Claude Code