fix netty vulnerabilities

jorgee · jorgee · commit f02ea8b92e80 · 2026-05-05T16:59:17.000+02:00
Signed-off-by: jorgee &lt;jorge.ejarque@seqera.io&gt;
diff --git a/plugins/nf-amazon/build.gradle b/plugins/nf-amazon/build.gradle
@@ -51,6 +51,18 @@ configurations {
 }
 
 dependencies {
+    // Force patched Netty across all configurations (incl. testRuntimeClasspath, where
+    // a transitive fixture would otherwise escalate to 4.2.x).
+    // Addresses GHSA-pwqr-wmgm-9rr8 (netty-codec-http HTTP Request Smuggling)
+    // and GHSA-w9fj-cfpg-grvv (netty-codec-http2 CONTINUATION Frame Flood DoS).
+    constraints {
+        implementation('io.netty:netty-buffer') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-common') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-handler') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-codec-http') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-codec-http2') { version { strictly '4.1.132.Final' } }
+    }
+
     compileOnly project(':nextflow')
     compileOnly 'org.slf4j:slf4j-api:2.0.17'
     compileOnly 'org.pf4j:pf4j:3.14.1'
@@ -71,11 +83,6 @@ dependencies {
     api ('software.amazon.awssdk:apache-client:2.33.2')
     api ('software.amazon.awssdk:aws-crt-client:2.33.2')
 
-    // address security vulnerabilities
-    implementation 'io.netty:netty-common:4.1.132.Final'
-    implementation 'io.netty:netty-handler:4.1.132.Final'
-    implementation 'io.netty:netty-codec-http2:4.1.132.Final'
-
     testImplementation(testFixtures(project(":nextflow")))
     testImplementation project(':nextflow')
     testImplementation "org.apache.groovy:groovy:4.0.31"
diff --git a/plugins/nf-azure/build.gradle b/plugins/nf-azure/build.gradle
@@ -50,17 +50,31 @@ configurations {
 }
 
 dependencies {
+    // Force patched Netty across all configurations (incl. testRuntimeClasspath, where
+    // a transitive fixture would otherwise escalate to 4.2.x).
+    // Addresses GHSA-pwqr-wmgm-9rr8 (netty-codec-http HTTP Request Smuggling)
+    // and GHSA-w9fj-cfpg-grvv (netty-codec-http2 CONTINUATION Frame Flood DoS).
+    // netty-buffer must be pinned alongside the rest -- leaving it at 4.2.x
+    // (via Micronaut BOM) causes ABI mismatch in AbstractByteBufAllocator.
+    constraints {
+        implementation('io.netty:netty-buffer') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-common') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-handler') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-codec-http') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-codec-http2') { version { strictly '4.1.132.Final' } }
+    }
+
     compileOnly project(':nextflow')
     compileOnly 'org.slf4j:slf4j-api:2.0.17'
     compileOnly 'org.pf4j:pf4j:3.14.1'
-    api('com.azure:azure-storage-blob:12.33.2') {
+    api('com.azure:azure-storage-blob:12.33.3') {
         exclude group: 'org.slf4j', module: 'slf4j-api'
     }
     api('com.azure:azure-compute-batch:1.0.0-beta.3') {
         exclude group: 'org.slf4j', module: 'slf4j-api'
         exclude group: 'com.google.guava', module: 'guava'
     }
-    api('com.azure:azure-identity:1.18.2') {
+    api('com.azure:azure-identity:1.18.3') {
         exclude group: 'org.slf4j', module: 'slf4j-api'
     }
 
diff --git a/plugins/nf-codecommit/build.gradle b/plugins/nf-codecommit/build.gradle
@@ -46,6 +46,18 @@ configurations {
 }
 
 dependencies {
+    // Force patched Netty across all configurations (incl. testRuntimeClasspath, where
+    // a transitive fixture would otherwise escalate to 4.2.x).
+    // Addresses GHSA-pwqr-wmgm-9rr8 (netty-codec-http HTTP Request Smuggling)
+    // and GHSA-w9fj-cfpg-grvv (netty-codec-http2 CONTINUATION Frame Flood DoS).
+    constraints {
+        implementation('io.netty:netty-buffer') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-common') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-handler') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-codec-http') { version { strictly '4.1.132.Final' } }
+        implementation('io.netty:netty-codec-http2') { version { strictly '4.1.132.Final' } }
+    }
+
     compileOnly project(':nextflow')
     compileOnly 'org.slf4j:slf4j-api:2.0.17'
     compileOnly 'org.pf4j:pf4j:3.14.1'
@@ -55,9 +67,6 @@ dependencies {
     api ('software.amazon.awssdk:sso:2.31.64')
     api ('software.amazon.awssdk:ssooidc:2.31.64')
 
-    // address security vulnerabilities
-    runtimeOnly 'io.netty:netty-codec-http:4.1.132.Final'
-
     testImplementation(testFixtures(project(":nextflow")))
     testImplementation project(':nextflow')
     testImplementation "org.apache.groovy:groovy:4.0.31"
diff --git a/plugins/nf-tower/build.gradle b/plugins/nf-tower/build.gradle
@@ -69,7 +69,7 @@ dependencies {
     testImplementation "org.apache.groovy:groovy-nio:4.0.31"
     testImplementation "org.apache.groovy:groovy-json:4.0.31"
     // wiremock required by TowerFusionEnvTest
-    testImplementation "org.wiremock:wiremock:3.13.1"
+    testImplementation "org.wiremock:wiremock:3.13.2"
     // Address security vulnerabilities CVE-2022-45688 and CVE-2023-5072
     testImplementation 'org.json:json:20240303'
 }

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ dependencies {`
`69`	`69`	`testImplementation "org.apache.groovy:groovy-nio:4.0.31"`
`70`	`70`	`testImplementation "org.apache.groovy:groovy-json:4.0.31"`
`71`	`71`	`// wiremock required by TowerFusionEnvTest`
`72`		`- testImplementation "org.wiremock:wiremock:3.13.1"`
	`72`	`+ testImplementation "org.wiremock:wiremock:3.13.2"`
`73`	`73`	`// Address security vulnerabilities CVE-2022-45688 and CVE-2023-5072`
`74`	`74`	`testImplementation 'org.json:json:20240303'`
`75`	`75`	`}`