MLE-30013 MLE-30014 MLE-30015 MLE-30016 MLE-30017 MLE-30018 CVEs in dependencies#647
Conversation
rjdew-progress
commented
Jun 26, 2026
- MLE-30013 MLE-30014 MLE-30015 OpenNLP CVEs
- MLE-30016 GHSA-jjwr-xmw6-gf78 in Apache PDFBox v3.0.7
- MLE-30017 MLE-30018 Jetty CVEs
There was a problem hiding this comment.
Pull request overview
Updates several Gradle-managed dependencies to remediate referenced CVEs (OpenNLP/PDFBox/Jetty-related) and adjusts S3/AWS SDK integration and tests to remain compatible with the upgraded AWS SDK/Hadoop stack.
Changes:
- Bump core dependency versions (Hadoop, AWS SDK, LangChain4j, Tika; plus Azure storage client).
- Add explicit AWS SDK Apache HTTP client dependency needed by
hadoop-awsafter excluding the large AWS SDK bundle. - Adjust S3 credential handling usage in code/tests (AWS SDK
DefaultCredentialsProviderinstantiation + test arguments/fixtures).
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
gradle.properties |
Updates shared dependency versions (Hadoop/AWS SDK/LangChain4j/Tika). |
flux-embedding-model-minilm/build.gradle |
Bumps the minilm embeddings artifact version. |
flux-cli/build.gradle |
Adds software.amazon.awssdk:apache-client and bumps Azure Data Lake dependency. |
flux-cli/src/main/java/com/marklogic/flux/impl/S3Params.java |
Updates AWS SDK credentials provider construction for newer SDK versions. |
flux-cli/src/test/java/com/marklogic/flux/impl/S3ParamsTest.java |
Adds fake AWS credentials setup/teardown for deterministic DefaultCredentialsProvider behavior. |
flux-cli/src/test/java/com/marklogic/flux/impl/HandleErrorTest.java |
Uses explicit S3 access key/secret args in the S3 connectivity error test. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
rjrudin
left a comment
There was a problem hiding this comment.
I would do all the bumps except forcing Hadoop to a version other than the one that Spark depends on.
| awssdkVersion=2.29.52 | ||
| langchain4jVersion=1.11.0 | ||
| tikaVersion=3.2.3 | ||
| hadoopVersion=3.5.0 |
There was a problem hiding this comment.
Spark can be bumped to 4.1.2 - https://spark.apache.org/releases/spark-release-4-1-2.html - but I strongly recommend not forcing Spark to use a version of Hadoop that it's not tested with. Spark and Hadoop have a tight coupling and once we force Spark to use a different version of Hadoop, we're no longer using the Apache-verified/tested Spark, we're using a custom version of Spark.
Any vulnerabilities associated with Hadoop thus have to be accepted and I think can reasonably be justified as "There are far more users of Apache Spark that are living with these vulnerabilities and waiting for Apache Spark 4.2.0 to be released".
If necessary, you could try bumping to the latest preview release of Spark 4.2.0 to see how many vulnerabilities that addresses.
There was a problem hiding this comment.
Reverted the Hadoop version bump.
ba383ff to
390f5f7
Compare
| awssdkVersion=2.29.52 | ||
| langchain4jVersion=1.11.0 | ||
| tikaVersion=3.2.3 | ||
| awssdkVersion=2.46.17 |
There was a problem hiding this comment.
This has the same risk as forcing Spark to use a different version of Hadoop - it's forcing hadoop-aws to use a version of the AWS SDK other than the one it was tested with. In theory, it's fine - i.e. if semver is being strictly followed by every dependency. But we can't know that for sure, so I would keep this at 2.29.52.
There was a problem hiding this comment.
Reverted this version bump
|
|
||
| if (addCredentials) { | ||
| try (DefaultCredentialsProvider provider = DefaultCredentialsProvider.create()) { | ||
| try (DefaultCredentialsProvider provider = DefaultCredentialsProvider.builder().build()) { |
There was a problem hiding this comment.
This looks like a useful change regardless of what version of the AWS SDK is used, as the fact that 2.46 deprecates it suggests that we ought to be using this approach now anyway.
|
|
||
| // Required by hadoop-aws for its HTTP client; must be declared explicitly because software.amazon.awssdk is | ||
| // excluded from hadoop-aws to avoid the 558mb bundle. | ||
| implementation "software.amazon.awssdk:apache-client:${awssdkVersion}" |
There was a problem hiding this comment.
Is this needed as a result of bumping the AWS SDK to 2.46.x? i.e. it's not needed if we stay with 2.29.52?
8da4722 to
6004bd9
Compare
Reverted the dependency updates in question
| implementation "org.apache.hadoop:hadoop-azure:${hadoopVersion}" | ||
| // For Blob Storage | ||
| implementation "com.microsoft.azure:azure-storage:8.6.6" | ||
| implementation "com.azure:azure-storage-blob:12.35.0" |
There was a problem hiding this comment.
Is this known to work with hadoop-azure? IIRC, I didn't bump this up before due to what Hadoop-azure depends on. I can test it out later today, actually doing some Azure test in studio right now.
7c2fdf2 to
41d8f69
Compare