[cruise-control] Fix remaining language package vulnerabilities

mborst · claude · mborst · commit da0a3adff24d · 2026-02-11T16:03:11.000+01:00
Bump runtime deps: - netty 4.1.125 -> 4.1.129 (CVE-2025-67735) - vertx 4.5.22 -> 4.5.24 (CVE-2026-1002) Bump test deps: - bcpkix-jdk15on:1.70 -> bcpkix-jdk18on:1.79 (CVE-2025-8916, artifact renamed) - json-path 2.7.0 -> 2.9.0 (CVE-2023-51074) Add constraints: - json-smart >= 2.5.0 (CVE-2023-1370, transitive from json-path) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/build.gradle b/build.gradle
@@ -101,17 +101,20 @@ subprojects {
         because("CVE-2024-29371 - transitive from Kafka")
       }
       implementation("io.netty:netty-codec-http:${nettyVersion}") {
-        because("CVE-2025-58056, CVE-2025-67735 - transitive from Vert.x")
+        because("CVE-2025-58056, CVE-2025-67735 - version floor; Vert.x may pull a newer version")
       }
       implementation("io.netty:netty-codec-http2:${nettyVersion}") {
-        because("CVE-2025-55163 - transitive from Vert.x")
+        because("CVE-2025-55163 - version floor; Vert.x may pull a newer version")
       }
       implementation("org.apache.commons:commons-lang3:3.18.0") {
         because("CVE-2025-48924 - transitive from swagger-core")
       }
       implementation("at.yawk.lz4:lz4-java:1.8.1") {
         because("CVE-2025-12183 - transitive from Kafka (relocated from org.lz4)")
       }
+      implementation("net.minidev:json-smart:2.5.0") {
+        because("CVE-2023-1370 - transitive from json-path")
+      }
     }
   }
 
@@ -360,9 +363,10 @@ project(':cruise-control') {
     testImplementation "org.apache.kafka:kafka-clients:$kafkaVersion:test"
     testImplementation 'commons-io:commons-io:2.14.0'
     testImplementation 'org.apache.httpcomponents:httpclient:4.5.13:tests'
-    testImplementation 'org.bouncycastle:bcpkix-jdk15on:1.70'
+    testImplementation 'org.bouncycastle:bcpkix-jdk18on:1.79'
     testImplementation 'org.apache.kerby:kerb-simplekdc:2.1.0'
-    testImplementation 'com.jayway.jsonpath:json-path:2.7.0'
+    testImplementation 'com.jayway.jsonpath:json-path:2.9.0'
+    testImplementation 'net.minidev:json-smart:2.5.0'
     testImplementation 'org.powermock:powermock-module-junit4:2.0.9'
     testImplementation 'org.powermock:powermock-api-easymock:2.0.9'
   }
@@ -501,7 +505,7 @@ project(':cruise-control-metrics-reporter') {
     implementation 'com.fasterxml.jackson.core:jackson-databind:2.16.1'
 
     testImplementation 'junit:junit:4.13.2'
-    testImplementation 'org.bouncycastle:bcpkix-jdk15on:1.70'
+    testImplementation 'org.bouncycastle:bcpkix-jdk18on:1.79'
     testImplementation 'org.powermock:powermock-module-junit4:2.0.9'
     testImplementation 'org.powermock:powermock-api-easymock:2.0.9'
     testImplementation "org.apache.kafka:kafka-clients:$kafkaVersion:test"
diff --git a/gradle.properties b/gradle.properties
@@ -3,7 +3,7 @@ org.gradle.parallel=false
 org.gradle.jvmargs=-Xms512m -Xmx512m
 scalaVersion=2.13.13
 kafkaVersion=4.0.0
-nettyVersion=4.1.125.Final
+nettyVersion=4.1.129.Final
 jettyVersion=9.4.57.v20241219
-vertxVersion=4.5.22
+vertxVersion=4.5.24
 log4jVersion=2.25.3

Original file line number	Diff line number	Diff line change
`@@ -101,17 +101,20 @@ subprojects {`
`101`	`101`	`because("CVE-2024-29371 - transitive from Kafka")`
`102`	`102`	`}`
`103`	`103`	`implementation("io.netty:netty-codec-http:${nettyVersion}") {`
`104`		`- because("CVE-2025-58056, CVE-2025-67735 - transitive from Vert.x")`
	`104`	`+ because("CVE-2025-58056, CVE-2025-67735 - version floor; Vert.x may pull a newer version")`
`105`	`105`	`}`
`106`	`106`	`implementation("io.netty:netty-codec-http2:${nettyVersion}") {`
`107`		`- because("CVE-2025-55163 - transitive from Vert.x")`
	`107`	`+ because("CVE-2025-55163 - version floor; Vert.x may pull a newer version")`
`108`	`108`	`}`
`109`	`109`	`implementation("org.apache.commons:commons-lang3:3.18.0") {`
`110`	`110`	`because("CVE-2025-48924 - transitive from swagger-core")`
`111`	`111`	`}`
`112`	`112`	`implementation("at.yawk.lz4:lz4-java:1.8.1") {`
`113`	`113`	`because("CVE-2025-12183 - transitive from Kafka (relocated from org.lz4)")`
`114`	`114`	`}`
	`115`	`+ implementation("net.minidev:json-smart:2.5.0") {`
	`116`	`+ because("CVE-2023-1370 - transitive from json-path")`
	`117`	`+ }`
`115`	`118`	`}`
`116`	`119`	`}`
`117`	`120`
`@@ -360,9 +363,10 @@ project(':cruise-control') {`
`360`	`363`	`testImplementation "org.apache.kafka:kafka-clients:$kafkaVersion:test"`
`361`	`364`	`testImplementation 'commons-io:commons-io:2.14.0'`
`362`	`365`	`testImplementation 'org.apache.httpcomponents:httpclient:4.5.13:tests'`
`363`		`- testImplementation 'org.bouncycastle:bcpkix-jdk15on:1.70'`
	`366`	`+ testImplementation 'org.bouncycastle:bcpkix-jdk18on:1.79'`
`364`	`367`	`testImplementation 'org.apache.kerby:kerb-simplekdc:2.1.0'`
`365`		`- testImplementation 'com.jayway.jsonpath:json-path:2.7.0'`
	`368`	`+ testImplementation 'com.jayway.jsonpath:json-path:2.9.0'`
	`369`	`+ testImplementation 'net.minidev:json-smart:2.5.0'`
`366`	`370`	`testImplementation 'org.powermock:powermock-module-junit4:2.0.9'`
`367`	`371`	`testImplementation 'org.powermock:powermock-api-easymock:2.0.9'`
`368`	`372`	`}`
`@@ -501,7 +505,7 @@ project(':cruise-control-metrics-reporter') {`
`501`	`505`	`implementation 'com.fasterxml.jackson.core:jackson-databind:2.16.1'`
`502`	`506`
`503`	`507`	`testImplementation 'junit:junit:4.13.2'`
`504`		`- testImplementation 'org.bouncycastle:bcpkix-jdk15on:1.70'`
	`508`	`+ testImplementation 'org.bouncycastle:bcpkix-jdk18on:1.79'`
`505`	`509`	`testImplementation 'org.powermock:powermock-module-junit4:2.0.9'`
`506`	`510`	`testImplementation 'org.powermock:powermock-api-easymock:2.0.9'`
`507`	`511`	`testImplementation "org.apache.kafka:kafka-clients:$kafkaVersion:test"`