Skip to content

Fix jackson & netty CVEs via api-scoped dependency constraints#7329

Open
jorgee wants to merge 4 commits into
masterfrom
fix-jackson-databind-force
Open

Fix jackson & netty CVEs via api-scoped dependency constraints#7329
jorgee wants to merge 4 commits into
masterfrom
fix-jackson-databind-force

Conversation

@jorgee

@jorgee jorgee commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes the vulnerable transitive jackson and netty versions pulled by the Azure/Google/Seqera SDKs in nf-commons, nf-seqera, nf-azure and nf-google, using api-scoped dependency constraints so the fix applies to every configuration — including testFixtures*, which implementation/runtimeOnly pins don't reach (GitHub's dependency submission runs resolveAllDependencies over all configurations, so those testFixtures selections were being reported and kept alerts open).

Dependabot alerts cleared (alert numbers, not issues/PRs)

Why constraints

The vulnerable versions are pulled transitively, and the modules don't compile against jackson/netty directly. A constraint bumps a transitive version without adding a fake dependency; api scope reaches consumer / testFixtures compile classpaths; require (default) is a security floor (>= patched), so it won't block or silently downgrade a future SDK bump. A module that genuinely needs a library on its runtime classpath keeps a real dependency (e.g. jackson-dataformat-yaml in nf-seqera, which is not pulled transitively).

For netty the constraint targets the intermediate azure-core-http-netty (→ 1.16.5) rather than the ~15 netty-* modules: Gradle then only traverses 1.16.5's dependencies (netty 4.1.135), so the old 1.16.4 → netty 4.1.132 subtree never enters the graph.

Changes

Module Change
nf-commons constraint jackson-databind:2.21.5 (transitive via npr-api; api scope propagates to downstream modules + their testFixtures)
nf-seqera constraint jackson-databind:2.21.5 (transitive via tower-api). jackson-dataformat-yaml:2.21.5 stays a direct api dependency — required at runtime and not pulled transitively
nf-azure constraints: jackson databind/core/annotations → 2.18.9 (2.18 line required by the Azure SDK); azure-core-http-netty → 1.16.5 (brings patched netty 4.1.135). Replaces the runtimeOnly jackson-core and implementation azure-core-http-netty pins
nf-google constraints: jackson databind/core/annotations → 2.18.9. The existing grpc-netty-shaded runtimeOnly pin is left unchanged (no open alert; converting it is deferred to avoid perturbing the credential-gated GCP integration test BatchLoggingTest)

Verification

Generated the real GitHub dependency-graph snapshot (github-dependency-graph-gradle-plugin's ForceDependencyResolutionPlugin_resolveAllDependencies — the exact artifact submitted to GitHub); it contains only patched versions in every configuration:

  • jackson-databind → 2.18.9 / 2.21.5 (no 2.18.2 / 2.18.6 / 2.21.1)
  • jackson-dataformat-yaml → 2.21.5
  • netty-codec-http2 → 4.1.135.Final (no 4.1.132)
  • azure-core-http-netty → 1.16.5 (no 1.16.4)

make compile succeeds; the changed-module test suites pass. (Any red test_integration / test_parser_v2 jobs are pre-existing flakes — they fail on only one Java version and also flake on master.)

Supersedes the declaration-pin approach in #7322.

🤖 Generated with Claude Code

@netlify

netlify Bot commented Jul 13, 2026

Copy link
Copy Markdown

Deploy Preview for nextflow-docs canceled.

Name Link
🔨 Latest commit 9d245b7
🔍 Latest deploy log https://app.netlify.com/projects/nextflow-docs/deploys/6a552a514a65f20008c19930

@jorgee jorgee marked this pull request as draft July 13, 2026 09:24
@jorgee jorgee force-pushed the fix-jackson-databind-force branch from 63c526c to 1127587 Compare July 13, 2026 10:00
@jorgee jorgee changed the title Force patched jackson across all configurations to fully clear CVEs Fix jackson & netty CVEs via api-scoped dependency constraints Jul 13, 2026
@jorgee jorgee force-pushed the fix-jackson-databind-force branch 2 times, most recently from caac250 to c270265 Compare July 13, 2026 10:47
@jorgee jorgee marked this pull request as ready for review July 13, 2026 12:29
Overrides the vulnerable transitive jackson and netty versions pulled by the
Azure/Google/Seqera SDKs using api-scoped dependency constraints, which take
effect on ALL configurations — including testFixtures*, which implementation/
runtimeOnly pins don't reach. GitHub's dependency submission resolves every
configuration, so those testFixtures selections were reported in the graph and
kept alerts open.

- nf-commons: constraint jackson-databind 2.21.5 (transitive via npr-api; `api`
  scope propagates to downstream modules and their testFixtures)
- nf-seqera: constraint jackson-databind 2.21.5 (transitive via tower-api).
  jackson-dataformat-yaml stays a direct `api` dependency at 2.21.5 because it
  is required at runtime and is NOT pulled transitively.
- nf-azure: constraints jackson databind/core/annotations 2.18.9 (2.18 line
  required by the Azure SDK) and azure-core-http-netty 1.16.5 (brings patched
  netty 4.1.135).
- nf-google: constraints jackson databind/core/annotations 2.18.9. The existing
  grpc-netty-shaded runtimeOnly pin is left unchanged (it has no open alert;
  converting it to a constraint is deferred to avoid perturbing the
  credential-gated GCP integration test).

Constraints bump a transitive version without adding a fake dependency, `api`
scope reaches testFixtures compile classpaths, and `require` (default) is a
security floor (>= patched). Modules that genuinely use a library
(jackson-dataformat-yaml in nf-seqera) keep a real dependency.

Verified by generating the real GitHub dependency-graph snapshot: the submitted
graph contains only patched versions in every configuration — jackson
2.18.9 / 2.21.5, jackson-dataformat-yaml 2.21.5, netty 4.1.135,
azure-core-http-netty 1.16.5. Compile succeeds and the changed-module test
suites pass.

Addresses GHSA-rmj7-2vxq-3g9f, GHSA-j3rv-43j4-c7qm, GHSA-72hv-8253-57qq,
GHSA-3qp7-7mw8-wx86 (CVE-2026-44249).

Signed-off-by: Jorge Ejarque <jorge.ejarque@seqera.io>

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: jorgee <jorge.ejarque@seqera.io>
@jorgee jorgee force-pushed the fix-jackson-databind-force branch from c270265 to 5d71a12 Compare July 13, 2026 14:19
Resolve conflict in nf-seqera/build.gradle: the nf-tower consolidation was
reverted on master, so the tower-api/jackson deps moved back to nf-tower.
Port the jackson-databind CVE fix (2.21.5 via api-scoped constraint) to
plugins/nf-tower/build.gradle where those deps now live.
…d-force

Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>

# Conflicts:
#	modules/nf-commons/build.gradle
#	plugins/nf-azure/build.gradle
#	plugins/nf-google/build.gradle
#	plugins/nf-tower/build.gradle
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants