Skip to content

fix(deps): patch CRITICAL/HIGH transitive CVEs on shared base (trivy-fs)#119

Open
seonghobae wants to merge 2 commits into
mainfrom
fix/dep-vulns-shared-base
Open

fix(deps): patch CRITICAL/HIGH transitive CVEs on shared base (trivy-fs)#119
seonghobae wants to merge 2 commits into
mainfrom
fix/dep-vulns-shared-base

Conversation

@seonghobae

Copy link
Copy Markdown
Collaborator

What

Fixes all CRITICAL/HIGH dependency vulnerabilities that trivy-fs flags on main (19 findings). Because these live in the shared base pom.xml, fixing here lets every open feature branch inherit the fix on rebase.

Root cause (from the real trivy-fs SARIF/log, verified with mvn dependency:tree)

Package Installed Fixed CVE
org.bouncycastle:bcprov-jdk18on 1.81 (via tika removal) CVE-2025-14813 CRITICAL
com.fasterxml.jackson.core:jackson-databind 2.19.0 2.21.4 CVE-2026-54512, CVE-2026-54513
io.netty:netty-* (codec/http/http2/handler/resolver-dns/dns) 4.1.121.Final 4.1.135.Final CVE-2025-55163, CVE-2026-33870, CVE-2026-33871, CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587, CVE-2026-44249, CVE-2026-45416, CVE-2026-45674, CVE-2026-47691, CVE-2026-50010
org.springframework:spring-core 6.2.7 6.2.18 CVE-2025-41249
org.springframework.boot:spring-boot 3.5.0 3.5.14 CVE-2026-40973
commons-io:commons-io 2.7 (via tika removal) CVE-2024-47554

Changes

  • spring-boot-starter-parent 3.5.0 → 3.5.14
  • Pin BOM-managed properties to CVE-fixed versions: netty.version=4.1.135.Final, jackson-bom.version=2.21.4, spring-framework.version=6.2.18
  • Remove org.apache.tika:tika-parsers-standard-package — it is unused (no source references) and was the sole source of the CRITICAL BouncyCastle and the commons-io 2.7 vulnerabilities

Verification

  • trivy fs --scanners vuln --severity CRITICAL,HIGH --ignore-unfixed0 findings (was 19)
  • mvn dependency:tree confirms netty 4.1.135.Final, jackson-databind 2.21.4, spring-core 6.2.18, spring-boot 3.5.14
  • mvn test335 tests, 0 failures, 0 errors

All dependencies remain permissively licensed (Apache-2.0 / MIT / BSD).

🤖 Generated with Claude Code

Bump the shared base so all feature branches inherit the fix:
- spring-boot-starter-parent 3.5.0 -> 3.5.14 (CVE-2026-40973 spring-boot)
- spring-framework.version 6.2.18 (CVE-2025-41249 spring-core)
- netty.version 4.1.135.Final (CVE-2025-55163, CVE-2026-33870/33871,
  42579/42583/42584/42587, 44249/45416/45674/47691/50010)
- jackson-bom.version 2.21.4 (CVE-2026-54512, CVE-2026-54513)
- remove unused org.apache.tika:tika-parsers-standard-package, the sole
  source of commons-io 2.7 (CVE-2024-47554) and bouncycastle 1.81
  (CVE-2025-14813, CRITICAL); no source references tika

trivy fs CRITICAL,HIGH now reports 0; full suite (335 tests) green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P
@seonghobae

Copy link
Copy Markdown
Collaborator Author

Follow-up from the failing security checks on PR #119.

What failed on the previous head:

  • trivy-fs uploaded SARIF for pom.xml showing com.fasterxml.jackson.core:jackson-databind installed as 2.19.0, CVE-2026-54515, severity Medium, fixed in 2.21.5 / 2.22.1 / 2.18.9 / 3.1.4.
  • osv-scan did not report an actual OSV vulnerability in its summary; the job failed while extracting Maven metadata after Maven Central returned 429 for the Spring Boot parent POM.
  • Scorecard also flagged repo-governance items: missing dependency update tool and security policy link. Those are addressed here with local Dependabot Maven config and an explicit private vulnerability reporting link. SAST/fuzzing are broader governance items; SAST should be fixed centrally because the org codeql-pr.yml currently does not detect Java/Kotlin repositories.

Changes pushed:

  • Bumped jackson-bom.version to 2.21.5.
  • Added an explicit jackson-databind version so Maven and Trivy/SBOM parsing resolve the fixed version directly.
  • Added .github/dependabot.yml for Maven updates.
  • Added SECURITY.md with the private advisory reporting URL and response windows.

Local verification:

  • pom.xml parses as XML.
  • Maven 3.9.16 dependency tree resolves com.fasterxml.jackson.core:jackson-databind:jar:2.21.5:compile.
  • mvn test passes: 335 tests, 0 failures, 0 errors, 0 skipped.
  • git diff --check passed; only Windows CRLF normalization warnings were reported.
  • codegraph sync / codegraph status passed.

@opencode-agent opencode-agent Bot disabled auto-merge July 11, 2026 11:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant