fix: resolve Dependabot security vulnerabilities (ZooKeeper, SnakeYAML, poi-ooxml, Jackson, Netty, Guava)#1205

Merged
pallakartheekreddy merged 3 commits into Sunbird-Knowlg:develop from aimansharief:dependency-fixes
Mar 23, 2026

Conversation

@aimansharief (Collaborator)

Summary

This PR resolves all open Dependabot security alerts on the repository by upgrading vulnerable dependencies and migrating discontinued test infrastructure (cassandra-unit → testcontainers).


Vulnerabilities Fixed

🔴 HIGH — ZooKeeper (alerts #89, #90)

| Summary | Fix |
|---|---|
| Reverse-DNS fallback enables hostname verification bypass in ZKTrustManager | 3.8.4 → 3.8.6 in root dependencyManagement |
| Improper handling of configuration values | same |

File: pom.xml


🔴 HIGH — SnakeYAML Constructor Deserialization RCE (alerts #86, #87)

| Summary | Fix |
|---|---|
| Arbitrary code execution via malicious YAML input | 1.33 → 2.0 |

Root cause: cassandra-unit:3.11.2.0 (discontinued) calls new Constructor(Class) — an API removed in SnakeYAML 2.0 — blocking the upgrade.

Solution: Replaced cassandra-unit with testcontainers-cassandra in both affected modules:

  • ontology-engine/graph-core_2.13 — EmbeddedCassandraServerHelper replaced with a CassandraTestSupport singleton that starts a cassandra:3.11 Docker container and injects the session into CassandraConnector via reflection
  • ontology-engine/graph-engine_2.13 — same pattern; embedded Redis setup retained unchanged

Verified: 0 suites aborted (was 3), no NoSuchMethodError for SnakeYAML after migration.


🔴 HIGH — Jackson Core DoS (alerts #63, #68, #69, #77, #85, #88)

| Summary | Fix |
|---|---|
| Number Length Constraint Bypass in Async Parser leads to DoS | 2.15.3 → 2.18.6 |

Files: Root pom.xml (fasterxml.jackson.version), plus local overrides in taxonomy-controllers, content-controllers, assessment-controllers, knowlg-service, and hardcoded versions in search-core.


🟡 MEDIUM — Netty (alerts #70–84)

All io.netty:* vulnerabilities (CRLF injection, HTTP/2 DDoS reset, SSL crash, DoS) resolved via netty-bom:4.1.129.Final imported in root pom.xml.


🟡 MEDIUM — Apache POI OOXML Improper Input Validation (alert #21)

| Summary | Fix |
|---|---|
| Malformed OOXML file can trigger improper input validation | 3.17 → 5.4.0 |

Also upgraded xmlbeans 3.0.0 → 5.2.1 (required by POI 5.x) and removed the now-unnecessary xmlbeans exclusion. No source code changes — POI is not directly used in application code.

File: platform-core/platform-common/pom.xml


🟡 MEDIUM / 🟢 LOW — Guava (alerts #64, #65, #66)

Already at 32.1.3-jre in root pom.xml — no change needed.

🟡 MEDIUM — commons-io (alert #62)

Already at 2.14.0 in root pom.xml — no change needed.


Cannot Be Fixed

| Alert | Reason |
|---|---|
| #67 — ZooKeeper info disclosure in persistent watchers | "fixed": null — no upstream patch exists from the Apache ZooKeeper project |

Test plan

  • Build: mvn clean install -DskipTests
  • graph-core: mvn test -pl ontology-engine/graph-core_2.13 -DfailIfNoTests=false — 0 suites aborted, no SnakeYAML errors
  • graph-engine: mvn test -pl ontology-engine/graph-engine_2.13 -DfailIfNoTests=false — 0 suites aborted
  • Docker must be running for testcontainers-based tests
  • Dependabot alerts should auto-close after merge (except #67)

🤖 Generated with Claude Code
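As an added illustration (not code from this PR, from cassandra-unit, or from testcontainers) of the API break that blocked the SnakeYAML upgrade: the 1.x `Constructor(Class)` form beside the 2.0 form that requires `LoaderOptions`, together with the 2.0 defaults that stop a YAML document from naming an arbitrary class to instantiate. `ClusterConfig` and both sample documents are constructed for the example; it assumes snakeyaml 2.0 on the classpath.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlMigrationExample {
    // Hypothetical config bean; stands in for whatever class a 1.x caller bound via new Constructor(Class).
    public static class ClusterConfig {
        private String name;
        private int port;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public int getPort() { return port; }
        public void setPort(int port) { this.port = port; }
    }
    // SnakeYAML 1.x: new Constructor(ClusterConfig.class)          -> no longer compiles on 2.0
    // SnakeYAML 2.0: new Constructor(ClusterConfig.class, options) -> every constructor now takes LoaderOptions
    public static Yaml typedLoader(Class<?> root) {
        LoaderOptions opts = new LoaderOptions();
        opts.setCodePointLimit(1024 * 1024); // cap document size (2.0 default is 3 MiB)
        // The 2.0 default TagInspector rejects every global tag (!!some.Class), so a document cannot
        // pick a class to instantiate; only the declared root type and its bean properties are built.
        return new Yaml(new Constructor(root, opts));
    }
    // For untrusted input with no typed binding: SafeConstructor yields only maps, lists and scalars.
    public static Yaml untypedSafeLoader() {
        return new Yaml(new SafeConstructor(new LoaderOptions()));
    }
    public static void main(String[] args) {
        // Constructed sample documents (not from the repository).
        String trusted = "name: test-cluster\nport: 9042\n";
        ClusterConfig cfg = typedLoader(ClusterConfig.class).loadAs(trusted, ClusterConfig.class);
        System.out.println("loaded " + cfg.getName() + " on port " + cfg.getPort());
        // A document whose global tag names a class: the 2.0 composer rejects the tag before
        // any object is constructed, surfacing as a YAMLException.
        String tagged = "!!com.example.NotAllowed {name: x}\n";
        try {
            typedLoader(ClusterConfig.class).load(tagged);
            System.out.println("unexpected: global tag accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Object plain = untypedSafeLoader().load(trusted);
        System.out.println("untyped load produced " + plain.getClass().getSimpleName());
    }
}
```

A library that still calls the one-argument `Constructor(Class)` cannot be compiled or linked against 2.0, which is why the cassandra-unit dependency had to be replaced rather than merely overridden.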

aimansharief and others added 3 commits March 20, 2026 15:11
…unbird-Knowlg#90, Sunbird-Knowlg#87, #21)

- Bump org.apache.zookeeper:zookeeper 3.8.4 → 3.8.6 in root dependencyManagement
  (fixes CVE: hostname verification bypass + improper config handling)

- Migrate graph-engine_2.13 tests from cassandra-unit to testcontainers-cassandra;
  upgrade snakeyaml 1.33 → 2.0 (fixes SnakeYaml Constructor Deserialization RCE);
  remove cassandra-unit:3.11.2.0 and its associated netty/snappy/jna overrides;
  add CassandraTestSupport singleton with reflection-based session injection

- Bump org.apache.poi:poi-ooxml 3.17 → 5.4.0 and xmlbeans 3.0.0 → 5.2.1
  in platform-common (fixes improper input validation in OOXML file parsing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai bot commented Mar 23, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2a688bd0-96ad-42e4-aa87-9f4f4c88aac1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@pallakartheekreddy pallakartheekreddy merged commit ad7adbb into Sunbird-Knowlg:develop Mar 23, 2026
6 of 10 checks passed
@pallakartheekreddy pallakartheekreddy deleted the dependency-fixes branch March 23, 2026 11:45