Address Netty CVEs by bumping AWS SDK and excluding micronaut-core-bom from test classpath (#7100)

* fix netty vulnerabilities

Signed-off-by: jorgee <jorge.ejarque@seqera.io>

* alternatice to version pinning

Signed-off-by: jorgee <jorge.ejarque@seqera.io>

* Apply suggestion from @pditommaso [ci skip]

Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>

* Apply suggestion from @pditommaso [ci skip]

Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>

* Apply suggestion from @pditommaso [ci skip]

Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>

---------

Signed-off-by: jorgee <jorge.ejarque@seqera.io>
Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
Signed-off-by: Jorge Ejarque <jorgee@users.noreply.github.com>
Co-authored-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>

Author: jorgee

modules/nextflow/build.gradle

@@ -76,7 +76,7 @@ dependencies {
 
     testImplementation 'org.subethamail:subethasmtp:3.1.7'
     testImplementation (project(':nf-lineage'))
-    testImplementation 'org.wiremock:wiremock:3.13.1'
+    testImplementation 'org.wiremock:wiremock:3.13.2'
     // test configuration
     testFixturesApi ("org.apache.groovy:groovy-test:4.0.31") { exclude group: 'org.apache.groovy' }
     testFixturesApi ("org.objenesis:objenesis:3.4")

modules/nf-commons/build.gradle

@@ -45,6 +45,6 @@ dependencies {
     testFixturesImplementation(project(":nextflow"))
 
     testImplementation "org.apache.groovy:groovy-json:4.0.31" // needed by wiremock
-    testImplementation ('org.wiremock:wiremock:3.13.1') { exclude module: 'groovy-all' }
+    testImplementation ('org.wiremock:wiremock:3.13.2') { exclude module: 'groovy-all' }
 }
 

modules/nf-httpfs/build.gradle

@@ -36,7 +36,7 @@ dependencies {
 
     /* testImplementation inherited from top gradle build file */
     testImplementation "org.apache.groovy:groovy-json:4.0.31" // needed by wiremock
-    testImplementation ('org.wiremock:wiremock:3.13.1') { exclude module: 'groovy-all' }
+    testImplementation ('org.wiremock:wiremock:3.13.2') { exclude module: 'groovy-all' }
 
     testImplementation(testFixtures(project(":nextflow")))
 }

plugins/nf-amazon/build.gradle

@@ -48,6 +48,7 @@ sourceSets {
 configurations {
     // see https://docs.gradle.org/4.1/userguide/dependency_management.html#sub:exclude_transitive_dependencies
     runtimeClasspath.exclude group: 'org.slf4j', module: 'slf4j-api'
+    testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'
 }
 
 dependencies {
@@ -56,25 +57,20 @@ dependencies {
     compileOnly 'org.pf4j:pf4j:3.14.1'
 
     api ('javax.xml.bind:jaxb-api:2.4.0-b180830.0359')
-    api ('software.amazon.awssdk:s3:2.33.2')
-    api ('software.amazon.awssdk:ec2:2.33.2')
-    api ('software.amazon.awssdk:batch:2.33.2')
-    api ('software.amazon.awssdk:iam:2.33.2')
-    api ('software.amazon.awssdk:ecs:2.33.2')
-    api ('software.amazon.awssdk:cloudwatchlogs:2.33.2')
-    api ('software.amazon.awssdk:codecommit:2.33.2')
-    api ('software.amazon.awssdk:sts:2.33.2')
-    api ('software.amazon.awssdk:ses:2.33.2')
-    api ('software.amazon.awssdk:sso:2.33.2')
-    api ('software.amazon.awssdk:ssooidc:2.33.2')
-    api ('software.amazon.awssdk:s3-transfer-manager:2.33.2')
-    api ('software.amazon.awssdk:apache-client:2.33.2')
-    api ('software.amazon.awssdk:aws-crt-client:2.33.2')
-
-    // address security vulnerabilities
-    implementation 'io.netty:netty-common:4.1.133.Final'
-    implementation 'io.netty:netty-handler:4.1.133.Final'
-    implementation 'io.netty:netty-codec-http2:4.1.133.Final'
+    api ('software.amazon.awssdk:s3:2.44.3')
+    api ('software.amazon.awssdk:ec2:2.44.3')
+    api ('software.amazon.awssdk:batch:2.44.3')
+    api ('software.amazon.awssdk:iam:2.44.3')
+    api ('software.amazon.awssdk:ecs:2.44.3')
+    api ('software.amazon.awssdk:cloudwatchlogs:2.44.3')
+    api ('software.amazon.awssdk:codecommit:2.44.3')
+    api ('software.amazon.awssdk:sts:2.44.3')
+    api ('software.amazon.awssdk:ses:2.44.3')
+    api ('software.amazon.awssdk:sso:2.44.3')
+    api ('software.amazon.awssdk:ssooidc:2.44.3')
+    api ('software.amazon.awssdk:s3-transfer-manager:2.44.3')
+    api ('software.amazon.awssdk:apache-client:2.44.3')
+    api ('software.amazon.awssdk:aws-crt-client:2.44.3')
 
     testImplementation(testFixtures(project(":nextflow")))
     testImplementation project(':nextflow')

plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3Client.java

@@ -21,6 +21,7 @@
 import java.io.InputStream;
 import java.io.InterruptedIOException;
 import java.nio.file.*;
+import java.nio.file.AccessDeniedException;
 import java.nio.file.attribute.BasicFileAttributes;
 import java.util.EnumSet;
 import java.util.Queue;

plugins/nf-azure/build.gradle

@@ -47,20 +47,21 @@ sourceSets {
 configurations {
     // see https://docs.gradle.org/4.1/userguide/dependency_management.html#sub:exclude_transitive_dependencies
     runtimeClasspath.exclude group: 'org.slf4j', module: 'slf4j-api'
+    testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'
 }
 
 dependencies {
     compileOnly project(':nextflow')
     compileOnly 'org.slf4j:slf4j-api:2.0.17'
     compileOnly 'org.pf4j:pf4j:3.14.1'
-    api('com.azure:azure-storage-blob:12.33.2') {
+    api('com.azure:azure-storage-blob:12.33.3') {
         exclude group: 'org.slf4j', module: 'slf4j-api'
     }
     api('com.azure:azure-compute-batch:1.0.0-beta.3') {
         exclude group: 'org.slf4j', module: 'slf4j-api'
         exclude group: 'com.google.guava', module: 'guava'
     }
-    api('com.azure:azure-identity:1.18.2') {
+    api('com.azure:azure-identity:1.18.3') {
         exclude group: 'org.slf4j', module: 'slf4j-api'
     }
 

plugins/nf-codecommit/build.gradle

@@ -43,6 +43,7 @@ sourceSets {
 configurations {
     // see https://docs.gradle.org/4.1/userguide/dependency_management.html#sub:exclude_transitive_dependencies
     runtimeClasspath.exclude group: 'org.slf4j', module: 'slf4j-api'
+    testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'
 }
 
 dependencies {
@@ -51,12 +52,9 @@ dependencies {
     compileOnly 'org.pf4j:pf4j:3.14.1'
 
     api ('javax.xml.bind:jaxb-api:2.4.0-b180830.0359')
-    api ('software.amazon.awssdk:codecommit:2.31.64')
-    api ('software.amazon.awssdk:sso:2.31.64')
-    api ('software.amazon.awssdk:ssooidc:2.31.64')
-
-    // address security vulnerabilities
-    runtimeOnly 'io.netty:netty-codec-http:4.1.133.Final'
+    api ('software.amazon.awssdk:codecommit:2.44.3')
+    api ('software.amazon.awssdk:sso:2.44.3')
+    api ('software.amazon.awssdk:ssooidc:2.44.3')
 
     testImplementation(testFixtures(project(":nextflow")))
     testImplementation project(':nextflow')

plugins/nf-tower/build.gradle

@@ -69,7 +69,7 @@ dependencies {
     testImplementation "org.apache.groovy:groovy-nio:4.0.31"
     testImplementation "org.apache.groovy:groovy-json:4.0.31"
     // wiremock required by TowerFusionEnvTest
-    testImplementation "org.wiremock:wiremock:3.13.1"
+    testImplementation "org.wiremock:wiremock:3.13.2"
     // Address security vulnerabilities CVE-2022-45688 and CVE-2023-5072
     testImplementation 'org.json:json:20240303'
 }