Merge branch 'rel-3.46.0' into maurever_GH-16676_remove_offset_effects

Author: maurever

.github/workflows/trigger-h2o-3-devops.yml

@@ -0,0 +1,23 @@
+# .github/workflows/trigger-h2o-3-devops.yml
+name: Trigger H2O-3 DevOps Workflows
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: [master, rel-3.46.0]
+  workflow_dispatch:
+
+jobs:
+  trigger:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger Vulnerability Scan
+        run: |
+          curl -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.H2O_3_DEVOPS_REPO_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/h2oai/h2o-3-devops/dispatches \
+            -d '{"event_type":"h2o3-push","client_payload":{"branch":"${{ github.ref_name }}","sha":"${{ github.sha }}"}}'

Changes.md

@@ -2,6 +2,34 @@
 
 ## H2O
 
+### 3.46.0.10 - 3/12/2026
+
+Download at: <a href='http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/10/index.html'>http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/10/index.html</a>
+
+#### Bug
+- [[#16433]](https://github.com/h2oai/h2o-3/issues/16433) – Fixed minor errors in GAM, GLM, and ModelSelection.
+- [[#16129]](https://github.com/h2oai/h2o-3/issues/16129) – Fixed issues building Docker image using Dockerfile.
+- [[#16736]](https://github.com/h2oai/h2o-3/issues/16736) – Fixed R CRAN check.
+- [[#16755]](https://github.com/h2oai/h2o-3/issues/16755) – Fixed XGBoost H-statistic example.
+
+#### New Feature
+- [[#16769]](https://github.com/h2oai/h2o-3/issues/16769) – Added control variables MOJO support for regression and binomial distribution.
+
+#### Improvement
+- [[#16718]](https://github.com/h2oai/h2o-3/issues/16718) – Removed support for Python 3.6.
+- [[#16707]](https://github.com/h2oai/h2o-3/issues/16707) – Added support for R 4.5.
+
+#### Docs
+- [[#15991]](https://github.com/h2oai/h2o-3/issues/15991) – Updated Infogram pydocs.
+- [[#16216]](https://github.com/h2oai/h2o-3/issues/16216) – Updated AutoML user guide page to adhere to style guide.
+- [[#16604]](https://github.com/h2oai/h2o-3/issues/16604) – Removed HDP from supported version in the documentation.
+
+#### Security
+- [[#16744]](https://github.com/h2oai/h2o-3/issues/16744) – Fixed CVE-2025-68161 in log4j.
+- [[#16754]](https://github.com/h2oai/h2o-3/issues/16754) – FedRAMP vulnerability remediation (2026-02-02).
+- [[#16773]](https://github.com/h2oai/h2o-3/issues/16773) – Upgraded jackson-databind because of GHSA-72hv-8253-57qq.
+- [[#16775]](https://github.com/h2oai/h2o-3/issues/16775) – Added vulnerable PostgreSQL JDBC parameters to default disallowed parameters.
+
 ### 3.46.0.9 - 11/24/2025
 
 Download at: <a href='http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/9/index.html'>http://h2o-release.s3.amazonaws.com/h2o/rel-3.46.0/9/index.html</a>

SECURITY.md

@@ -8,11 +8,12 @@ If the issue is confirmed, we will release a patch as soon as possible depending
 ## Known Vulnerabilities
 We located these vulnerabilites from our security scans. The following list shows the vulnerabilities and the libraries they were found in:
 
-Total: 8 (UNKNOWN: 0, LOW: 2, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
+Total: 4 (UNKNOWN: 0, LOW: 2, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 
-| Library                         | Vulnerability    | Severity | Status   | Installed Version | Fixed Version | Title                                                                 |
-|---------------------------------|----------------|---------|---------|-----------------|---------------|----------------------------------------------------------------------|
-| commons-lang:commons-lang       | CVE-2025-48924 | MEDIUM  | affected | 2.6             |               | commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang [Link](https://avd.aquasec.com/nvd/cve-2025-48924) |
-| org.apache.hadoop:hadoop-common | CVE-2024-23454 | LOW     | fixed    | 3.3.6           | 3.4.0         | Apache Hadoop: Temporary File Local Information Disclosure [Link](https://avd.aquasec.com/nvd/cve-2024-23454) |
-| org.eclipse.jetty:jetty-http    | CVE-2024-6763  | MEDIUM  |         | 9.4.57.v20241219| 12.0.12       | org.eclipse.jetty:jetty-http: jetty: Jetty URI parsing of invalid authority [Link](https://avd.aquasec.com/nvd/cve-2024-6763) |
+| Library                         | Vulnerability    | Severity | Installed Version | Fixed Version | Title | Mitigation Status |
+|---------------------------------|----------------|---------|-----------------|---------------|-------|-------------------|
+| commons-lang:commons-lang       | CVE-2025-48924 | MEDIUM  | 2.6             |               | Uncontrolled Recursion vulnerability in `ClassUtils.getClass()` [Link](https://avd.aquasec.com/nvd/cve-2025-48924) | Not affected. H2O does not use `ClassUtils` anywhere in the codebase. H2O only uses safe utility methods from this library (e.g., `ArrayUtils`, `StringUtils.join`, `StringUtils.repeat`). |
+| org.eclipse.jetty:jetty-http    | CVE-2024-6763  | MEDIUM  | 9.4.57.v20241219| 12.0.12       | Jetty URI parsing of invalid authority [Link](https://avd.aquasec.com/nvd/cve-2024-6763) | Not affected. The vulnerability only affects applications that use `HttpURI` directly as a utility for URI validation. H2O does not use `HttpURI` in application code; only Jetty's own internal `Response.encodeURL()` references it, which the [Jetty advisory](https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh) confirms is not vulnerable. |
+| org.apache.hadoop:hadoop-common | CVE-2024-23454 | LOW     | 3.3.6           | 3.4.0         | Apache Hadoop: Temporary File Local Information Disclosure [Link](https://avd.aquasec.com/nvd/cve-2024-23454) | Not affected. The vulnerability involves Hadoop's `FileUtil.createTempFile()` creating temporary files with world-readable permissions (0666). H2O does not use Hadoop's `FileUtil` for temporary file creation. All temp file operations use Java's standard `File.createTempFile()`, and credential/keytab files are written via Java's `FileOutputStream` directly. |
+| org.eclipse.jetty:jetty-http    | CVE-2025-11143 | LOW     | 9.4.57.v20241219| 12.0.31, 12.1.5 | Security bypass due to different URI parsing between Jetty HttpURI and java.net.URI [Link](https://avd.aquasec.com/nvd/cve-2025-11143) | Not affected. The vulnerability requires an application to use both Jetty's `HttpURI` and Java's `java.net.URI` for security decisions, creating a parsing inconsistency bypass. H2O only uses Jetty's servlet API (`getServletPath()`) for URI extraction, does not use `HttpURI` or `java.net.URI` for security-critical comparisons, and its authentication constraint uses a blanket wildcard `/*` path that applies to all requests regardless of URI parsing. |
 

gradle/prCheck.gradle

@@ -100,17 +100,33 @@ def checkPull(changeId) {
     connection.setRequestMethod("POST")
     connection.setDoOutput(true)
     connection.setRequestProperty("Authorization", "Bearer ${System.getenv("H2O3_GET_PROJECT_TOKEN")}")
+    connection.setRequestProperty("Content-Type", "application/json")
     connection.connect()
     try(OutputStream os = connection.getOutputStream()) {
         os.write(projectRequest.getBytes());
     }
-    try(InputStream is = connection.getInputStream()) {
-        def responseText = is.getText()
-        def projectResponse = jsonSlurper.parseText(responseText)
-        if (projectResponse.data.repository.issue.projectV2 == null) {
-            errorMessages.add("The associated GitHub issue #${issueId} must be assigned to H2O-3 project.")
+
+    def responseText
+    def responseCode = connection.getResponseCode()
+    if (responseCode == 200) {
+        try(InputStream is = connection.getInputStream()) {
+            responseText = is.getText()
+        }
+    } else {
+        try(InputStream es = connection.getErrorStream()) {
+            responseText = es.getText()
         }
     }
+
+    println "GraphQL Response (${responseCode}): ${responseText}"
+    def projectResponse = jsonSlurper.parseText(responseText)
+
+    if (projectResponse.errors) {
+        println "GraphQL Errors: ${projectResponse.errors}"
+        errorMessages.add("Failed to check project assignment for GitHub issue #${issueId}: ${projectResponse.errors[0].message}")
+    } else if (projectResponse.data?.repository?.issue?.projectV2 == null) {
+        errorMessages.add("The associated GitHub issue #${issueId} must be assigned to H2O-3 project.")
+    }
 
     if (errorMessages.isEmpty()) {
         println "Pull request #$changeId seems correct. Thank you and good luck in code review!"

h2o-algos/src/main/java/hex/glm/GLMModel.java

@@ -13,7 +13,7 @@
 import org.apache.commons.math3.distribution.TDistribution;
 import org.apache.commons.math3.special.Gamma;
 import water.*;
-import water.codegen.CodeGenerator;
+import water.codegen.CodeGenerator; conflict
 import water.codegen.CodeGeneratorPipeline;
 import water.exceptions.JCodeSB;
 import water.fvec.Chunk;
@@ -2362,7 +2362,10 @@ public double score(double[] data) {
     classCtx.add(new CodeGenerator() {
       @Override
       public void generate(JCodeSB out) {
-        JCodeGen.toClassWithArray(out, "public static", "BETA", beta_internal()); // "The Coefficients"
+        if (_parms._control_variables != null && _parms._control_variables.length > 0)
+          JCodeGen.toClassWithArray(out, "public static", "BETA", _output.getControlValBeta(beta_internal().clone())); // "The Control Variables Coefficients"
+        else
+          JCodeGen.toClassWithArray(out, "public static", "BETA", beta_internal()); // "The Coefficients"
         JCodeGen.toClassWithArray(out, "static", "NUM_MEANS", _output._dinfo._numNAFill,"Imputed numeric values");
         JCodeGen.toClassWithArray(out, "static", "CAT_MODES", _output._dinfo.catNAFill(),"Imputed categorical values.");
         JCodeGen.toStaticVar(out, "CATOFFS", dinfo()._catOffsets, "Categorical Offsets");
@@ -2526,18 +2529,24 @@ protected ModelMetrics.MetricBuilder scoreMetrics(Frame adaptFrm) {
 
   @Override
   public boolean haveMojo() {
-    if (_parms._control_variables != null && _parms._control_variables.length>0)
-      return false;
-    if (_parms._remove_offset_effects) {
-        return false;
-    }
+    if (_parms._control_variables != null && _parms._control_variables.length > 0)
+      return _parms.interactionSpec() == null &&
+              !_parms._family.equals(Family.multinomial) &&
+              !_parms._family.equals(Family.ordinal) &&
+              super.haveMojo();
     if (_parms.interactionSpec() == null)
       return super.haveMojo();
     return false;
   }
 
   @Override
   public boolean havePojo() {
+    if (_parms._control_variables != null && _parms._control_variables.length > 0)
+      return _parms.interactionSpec() == null &&
+              _parms._offset_column == null &&
+              !_parms._family.equals(Family.multinomial) &&
+              !_parms._family.equals(Family.ordinal) &&
+              super.havePojo();
     if (_parms.interactionSpec() == null && _parms._offset_column == null) return super.havePojo();
     else return false;
   }

h2o-algos/src/main/java/hex/glm/GLMMojoWriter.java

@@ -31,8 +31,10 @@ protected void writeModelData() throws IOException {
       writekv("num_means", model.dinfo().numNAFill());
       writekv("cat_modes", model.dinfo().catNAFill());
     }
-
-    writekv("beta", model.beta_internal());
+    if (model._parms._control_variables != null && model._parms._control_variables.length > 0)
+      writekv("beta", model._output.getControlValBeta(model.beta_internal().clone()));  // "The Control Variables Coefficients"
+    else
+      writekv("beta", model.beta_internal());  // "The Coefficients"
 
     writekv("family", model._parms._family);
     writekv("link", model._parms._link);