@@ -53,7 +53,6 @@ under the License.
5353 <!-- jackson-annotations doesn't have 2.21.4 version released -->
5454 <jackson-annotations .version>2.21</jackson-annotations .version>
5555 <spark .version>3.5.7</spark .version>
56- <tomcat .version>8.5.70</tomcat .version>
5756 <parquet .version>1.16.0</parquet .version>
5857 <orc .version>1.9.1</orc .version>
5958 <hadoop .version>3.4.3</hadoop .version>
@@ -262,10 +261,11 @@ under the License.
262261 </dependency >
263262
264263 <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 -->
264+ <!-- 3.18.0 fixes CVE-2025-48924 (ClassUtils.getClass StackOverflow) -->
265265 <dependency >
266266 <groupId >org.apache.commons</groupId >
267267 <artifactId >commons-lang3</artifactId >
268- <version >3.9 </version >
268+ <version >3.18.0 </version >
269269 </dependency >
270270
271271 <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-pool2 -->
@@ -587,13 +587,28 @@ under the License.
587587 <version >4.10.0</version >
588588 </dependency >
589589
590+ <!-- keep on the same train as okhttp (tencentcloud-sdk declares 3.12.x) -->
591+ <dependency >
592+ <groupId >com.squareup.okhttp3</groupId >
593+ <artifactId >logging-interceptor</artifactId >
594+ <version >4.10.0</version >
595+ </dependency >
596+
590597 <!-- https://mvnrepository.com/artifact/com.squareup.okio/okio -->
591598 <dependency >
592599 <groupId >com.squareup.okio</groupId >
593600 <artifactId >okio</artifactId >
594601 <version >3.4.0</version >
595602 </dependency >
596603
604+ <!-- pin okio-jvm to the same version as okio; okhttp 4.10.0 drags in
605+ okio-jvm 3.0.0 which is affected by CVE-2023-3635 -->
606+ <dependency >
607+ <groupId >com.squareup.okio</groupId >
608+ <artifactId >okio-jvm</artifactId >
609+ <version >3.4.0</version >
610+ </dependency >
611+
597612 <!-- https://mvnrepository.com/artifact/javax.validation/validation-api -->
598613 <dependency >
599614 <groupId >javax.validation</groupId >
@@ -1049,6 +1064,19 @@ under the License.
10491064 <version >3.3.0-8.3.2</version >
10501065 </dependency >
10511066
1067+ <!-- hadoop-cos pulls tencentcloud-sdk 3.1.213 whose okhttp 2.7.5 is EOL;
1068+ 3.1.1471+ ships okhttp3, keeping COS client-side encryption usable -->
1069+ <dependency >
1070+ <groupId >com.tencentcloudapi</groupId >
1071+ <artifactId >tencentcloud-sdk-java-kms</artifactId >
1072+ <version >3.1.1471</version >
1073+ </dependency >
1074+ <dependency >
1075+ <groupId >com.tencentcloudapi</groupId >
1076+ <artifactId >tencentcloud-sdk-java-common</artifactId >
1077+ <version >3.1.1471</version >
1078+ </dependency >
1079+
10521080 <!-- https://mvnrepository.com/artifact/com.qcloud/chdfs_hadoop_plugin_network -->
10531081 <dependency >
10541082 <groupId >com.qcloud</groupId >
@@ -1139,6 +1167,11 @@ under the License.
11391167 <groupId >org.apache.hbase.thirdparty</groupId >
11401168 <artifactId >hbase-shaded-netty</artifactId >
11411169 </exclusion >
1170+ <!-- JSP engine, unused here; tomcat-jasper 9.0.93 carries open CVEs -->
1171+ <exclusion >
1172+ <groupId >org.apache.tomcat</groupId >
1173+ <artifactId >*</artifactId >
1174+ </exclusion >
11421175 </exclusions >
11431176 </dependency >
11441177
@@ -1297,6 +1330,12 @@ under the License.
12971330 <groupId >org.lz4</groupId >
12981331 <artifactId >lz4-pure-java</artifactId >
12991332 </exclusion >
1333+ <!-- aliyun-java-auth drags in bcprov-jdk15on 1.70 (multiple CVEs);
1334+ bcprov-jdk18on 1.84 on the classpath provides the same packages -->
1335+ <exclusion >
1336+ <groupId >org.bouncycastle</groupId >
1337+ <artifactId >bcprov-jdk15on</artifactId >
1338+ </exclusion >
13001339 </exclusions >
13011340 </dependency >
13021341
@@ -1626,6 +1665,45 @@ under the License.
16261665 </dependencies >
16271666 </dependencyManagement >
16281667
1668+ <build >
1669+ <plugins >
1670+ <plugin >
1671+ <groupId >org.apache.maven.plugins</groupId >
1672+ <artifactId >maven-enforcer-plugin</artifactId >
1673+ <version >3.5.0</version >
1674+ <executions >
1675+ <execution >
1676+ <id >ban-vulnerable-dependencies</id >
1677+ <goals >
1678+ <goal >enforce</goal >
1679+ </goals >
1680+ <configuration >
1681+ <rules >
1682+ <bannedDependencies >
1683+ <excludes >
1684+ <!-- superseded by bcprov-jdk18on; 1.70 carries multiple open CVEs -->
1685+ <exclude >org.bouncycastle:bcprov-jdk15on</exclude >
1686+ <!-- EOL okhttp 2.x line -->
1687+ <exclude >com.squareup.okhttp:*</exclude >
1688+ <!-- okio-jvm below 3.4.0 is affected by CVE-2023-3635 -->
1689+ <exclude >com.squareup.okio:okio-jvm:[,3.4.0)</exclude >
1690+ <!-- commons-lang3 below 3.18.0 is affected by CVE-2025-48924 -->
1691+ <exclude >org.apache.commons:commons-lang3:[,3.18.0)</exclude >
1692+ <!-- JSP engine, unused by FE; 9.0.93 carries CVE-2025-55754/CVE-2025-52434 -->
1693+ <exclude >org.apache.tomcat:*</exclude >
1694+ <exclude >org.apache.tomcat.embed:*</exclude >
1695+ <!-- tencentcloud-sdk below 3.1.1471 drags in EOL okhttp 2.7.5 -->
1696+ <exclude >com.tencentcloudapi:*:[,3.1.1471)</exclude >
1697+ </excludes >
1698+ </bannedDependencies >
1699+ </rules >
1700+ </configuration >
1701+ </execution >
1702+ </executions >
1703+ </plugin >
1704+ </plugins >
1705+ </build >
1706+
16291707 <reporting >
16301708 <plugins >
16311709 <plugin >
0 commit comments