Skip to content

Address Netty CVEs by bumping AWS SDK and excluding micronaut-core-bom from test classpath #7100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pditommaso merged 8 commits into from
May 7, 2026
Merged

Address Netty CVEs by bumping AWS SDK and excluding micronaut-core-bom from test classpath #7100

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
f02ea8b
fix netty vulnerabilities
jorgee May 5, 2026
6308e6e
alternatice to version pinning
jorgee May 5, 2026
f801f91
Merge branch 'master' into fix-security-issues-2605
jorgee May 6, 2026
4f91099
Apply suggestion from @pditommaso [ci skip]
pditommaso May 6, 2026
27f94ea
Apply suggestion from @pditommaso [ci skip]
pditommaso May 6, 2026
241563c
Apply suggestion from @pditommaso [ci skip]
pditommaso May 6, 2026
9281dc2
Merge branch 'master' into fix-security-issues-2605
jorgee May 6, 2026
790c9e1
Merge branch 'master' into fix-security-issues-2605
jorgee May 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion modules/nextflow/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ dependencies {

testImplementation 'org.subethamail:subethasmtp:3.1.7'
testImplementation (project(':nf-lineage'))
testImplementation 'org.wiremock:wiremock:3.13.1'
testImplementation 'org.wiremock:wiremock:3.13.2'
// test configuration
testFixturesApi ("org.apache.groovy:groovy-test:4.0.31") { exclude group: 'org.apache.groovy' }
testFixturesApi ("org.objenesis:objenesis:3.4")
Expand Down
2 changes: 1 addition & 1 deletion modules/nf-commons/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,6 @@ dependencies {
testFixturesImplementation(project(":nextflow"))

testImplementation "org.apache.groovy:groovy-json:4.0.31" // needed by wiremock
testImplementation ('org.wiremock:wiremock:3.13.1') { exclude module: 'groovy-all' }
testImplementation ('org.wiremock:wiremock:3.13.2') { exclude module: 'groovy-all' }
}

2 changes: 1 addition & 1 deletion modules/nf-httpfs/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ dependencies {

/* testImplementation inherited from top gradle build file */
testImplementation "org.apache.groovy:groovy-json:4.0.31" // needed by wiremock
testImplementation ('org.wiremock:wiremock:3.13.1') { exclude module: 'groovy-all' }
testImplementation ('org.wiremock:wiremock:3.13.2') { exclude module: 'groovy-all' }

testImplementation(testFixtures(project(":nextflow")))
}
Expand Down
35 changes: 16 additions & 19 deletions plugins/nf-amazon/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,33 +48,30 @@ sourceSets {
configurations {
// see https://docs.gradle.org/4.1/userguide/dependency_management.html#sub:exclude_transitive_dependencies
runtimeClasspath.exclude group: 'org.slf4j', module: 'slf4j-api'
testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'
}

dependencies {

Comment thread
pditommaso marked this conversation as resolved.
Outdated
compileOnly project(':nextflow')
compileOnly 'org.slf4j:slf4j-api:2.0.17'
compileOnly 'org.pf4j:pf4j:3.14.1'

api ('javax.xml.bind:jaxb-api:2.4.0-b180830.0359')
api ('software.amazon.awssdk:s3:2.33.2')
api ('software.amazon.awssdk:ec2:2.33.2')
api ('software.amazon.awssdk:batch:2.33.2')
api ('software.amazon.awssdk:iam:2.33.2')
api ('software.amazon.awssdk:ecs:2.33.2')
api ('software.amazon.awssdk:cloudwatchlogs:2.33.2')
api ('software.amazon.awssdk:codecommit:2.33.2')
api ('software.amazon.awssdk:sts:2.33.2')
api ('software.amazon.awssdk:ses:2.33.2')
api ('software.amazon.awssdk:sso:2.33.2')
api ('software.amazon.awssdk:ssooidc:2.33.2')
api ('software.amazon.awssdk:s3-transfer-manager:2.33.2')
api ('software.amazon.awssdk:apache-client:2.33.2')
api ('software.amazon.awssdk:aws-crt-client:2.33.2')

// address security vulnerabilities
implementation 'io.netty:netty-common:4.1.132.Final'
implementation 'io.netty:netty-handler:4.1.132.Final'
implementation 'io.netty:netty-codec-http2:4.1.132.Final'
api ('software.amazon.awssdk:s3:2.42.41')
api ('software.amazon.awssdk:ec2:2.42.41')
api ('software.amazon.awssdk:batch:2.42.41')
api ('software.amazon.awssdk:iam:2.42.41')
api ('software.amazon.awssdk:ecs:2.42.41')
api ('software.amazon.awssdk:cloudwatchlogs:2.42.41')
api ('software.amazon.awssdk:codecommit:2.42.41')
api ('software.amazon.awssdk:sts:2.42.41')
api ('software.amazon.awssdk:ses:2.42.41')
api ('software.amazon.awssdk:sso:2.42.41')
api ('software.amazon.awssdk:ssooidc:2.42.41')
api ('software.amazon.awssdk:s3-transfer-manager:2.42.41')
api ('software.amazon.awssdk:apache-client:2.42.41')
api ('software.amazon.awssdk:aws-crt-client:2.42.41')

testImplementation(testFixtures(project(":nextflow")))
testImplementation project(':nextflow')
Expand Down
1 change: 1 addition & 0 deletions plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3Client.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import java.io.InputStream;
import java.io.InterruptedIOException;
import java.nio.file.*;
import java.nio.file.AccessDeniedException;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.EnumSet;
import java.util.Queue;
Expand Down
6 changes: 4 additions & 2 deletions plugins/nf-azure/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,20 +47,22 @@ sourceSets {
configurations {
// see https://docs.gradle.org/4.1/userguide/dependency_management.html#sub:exclude_transitive_dependencies
runtimeClasspath.exclude group: 'org.slf4j', module: 'slf4j-api'
testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'
}

dependencies {

Comment thread
pditommaso marked this conversation as resolved.
Outdated
compileOnly project(':nextflow')
compileOnly 'org.slf4j:slf4j-api:2.0.17'
compileOnly 'org.pf4j:pf4j:3.14.1'
api('com.azure:azure-storage-blob:12.33.2') {
api('com.azure:azure-storage-blob:12.33.3') {
exclude group: 'org.slf4j', module: 'slf4j-api'
}
api('com.azure:azure-compute-batch:1.0.0-beta.3') {
exclude group: 'org.slf4j', module: 'slf4j-api'
exclude group: 'com.google.guava', module: 'guava'
}
api('com.azure:azure-identity:1.18.2') {
api('com.azure:azure-identity:1.18.3') {
exclude group: 'org.slf4j', module: 'slf4j-api'
}

Expand Down
11 changes: 5 additions & 6 deletions plugins/nf-codecommit/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,20 +43,19 @@ sourceSets {
configurations {
// see https://docs.gradle.org/4.1/userguide/dependency_management.html#sub:exclude_transitive_dependencies
runtimeClasspath.exclude group: 'org.slf4j', module: 'slf4j-api'
testRuntimeClasspath.exclude group: 'io.micronaut', module: 'micronaut-core-bom'
}

dependencies {

Comment thread
pditommaso marked this conversation as resolved.
Outdated
compileOnly project(':nextflow')
compileOnly 'org.slf4j:slf4j-api:2.0.17'
compileOnly 'org.pf4j:pf4j:3.14.1'

api ('javax.xml.bind:jaxb-api:2.4.0-b180830.0359')
api ('software.amazon.awssdk:codecommit:2.31.64')
api ('software.amazon.awssdk:sso:2.31.64')
api ('software.amazon.awssdk:ssooidc:2.31.64')

// address security vulnerabilities
runtimeOnly 'io.netty:netty-codec-http:4.1.132.Final'
api ('software.amazon.awssdk:codecommit:2.42.41')
api ('software.amazon.awssdk:sso:2.42.41')
api ('software.amazon.awssdk:ssooidc:2.42.41')

testImplementation(testFixtures(project(":nextflow")))
testImplementation project(':nextflow')
Expand Down
2 changes: 1 addition & 1 deletion plugins/nf-tower/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ dependencies {
testImplementation "org.apache.groovy:groovy-nio:4.0.31"
testImplementation "org.apache.groovy:groovy-json:4.0.31"
// wiremock required by TowerFusionEnvTest
testImplementation "org.wiremock:wiremock:3.13.1"
testImplementation "org.wiremock:wiremock:3.13.2"
// Address security vulnerabilities CVE-2022-45688 and CVE-2023-5072
testImplementation 'org.json:json:20240303'
}
Loading