Clear CVE Dependabot alerts: Curator/ZooKeeper bump, assertj, e2e test fixtures#13913
Open
wu-sheng wants to merge 3 commits into
Conversation
…hon fixtures

Shipped (oap-server-bom + LICENSE + docs):
- Apache Curator 4.3.0 -> 5.9.0 (curator-test too) and ZooKeeper 3.5.7 -> 3.9.5, bumped together (Curator 5.x is the line carrying the ZK 3.9.x client). Clears CVE-2023-44981. OAP is a ZK client only, so the server-side bug was never reachable, but the bundled jar tripped Dependabot. Plugins use only stable Curator APIs; no source changes. Supported ZooKeeper server version is now 3.5+ (3.4.x dropped by Curator 5.x). LICENSE + cluster docs + application.yml updated.

Build/test scope:
- assertj-core 3.20.2 -> 3.27.7 (CVE-2026-24400, test scope only).

e2e test fixtures (test/e2e-v2, never shipped):
- guava -> 32.0.0-jre, kafka-clients -> 3.9.2, log4j-core -> 2.25.4, logback -> 1.2.13 (Java-8 line), json-path -> 2.9.0, flask -> 3.1.3, protobuf -> 4.25.8.

The 17 Go-fixture alerts require a go1.24 toolchain (grpc 1.79.3 / x-crypto 0.45 need go 1.24, above skywalking-go's published go1.23 ceiling) and are handled separately: skywalking-go go1.24 enablement + e2e go fixture migration.
…entifiable)

The Dependency-licenses CI job failed because `license-eye dependency resolve` cannot auto-identify the license of the org.apache.zookeeper:zookeeper / zookeeper-jute 3.9.5 jars (reported as "Unknown" -> "failed to identify the licenses"), so the resolve step exited 1 before the LICENSE diff check. Add an explicit Apache-2.0 override in .licenserc.yaml for both artifacts, mirroring the existing overrides (okhttp, retrofit, postgresql, ...). Verified locally with the CI-pinned license-eye: resolve now succeeds and regenerates a LICENSE identical to the committed one (the LICENSE content was already correct).
… 3.6+
The Cluster ZK e2e tests failed (oap1 unhealthy): the OAP's new Curator 5.9.0 /
ZooKeeper 3.9.5 client cannot register its instance against the e2e's EOL
zookeeper:3.5 server. Reproduced locally: Curator 5.x ServiceDiscovery
(watchInstances=true) issues `addWatch` (persistent watch, opcode 106), which
ZooKeeper added in server 3.6.0; a 3.5 server rejects it ("Received packet at
server of unknown type 106") so the create request fails with ConnectionLoss ->
ModuleStartException -> oap1 unhealthy. Verified the same path succeeds on
zookeeper:3.6 and 3.9, fails on 3.5.
- e2e: bump zookeeper:3.5 -> zookeeper:3.9 (matches the bundled 3.9.x client) in
cases/cluster/zk/{es,banyandb}.
- Correct the documented minimum from 3.5+ to 3.6+ (application.yml,
backend-cluster.md, changes.md) -- persistent watches require server 3.6.0.
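The failure chain described in that commit (a Curator 5.x client sending addWatch, opcode 106, to a ZooKeeper server older than 3.6.0, which rejects it as an unknown packet type) can be caught before OAP starts. The following is an added example and not code from this PR or from SkyWalking: a small Python preflight that reads the `srvr` four-letter-word reply from a ZooKeeper server and fails closed for anything below 3.6.0 or for a reply it cannot parse. The `probe_srvr` helper, the function names and the sample replies are assumptions of this example; the replies are constructed here, not captured from the e2e run or a real server.

```python
"""Preflight: confirm a ZooKeeper server is new enough for persistent watches.

Curator 5.x ServiceDiscovery (watchInstances=true) sends addWatch (opcode 106),
which the server side only understands from ZooKeeper 3.6.0 on. This module is
an added example, not part of SkyWalking; the sample replies are constructed.
"""
import re
import socket
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Persistent watches (addWatch) were added to the server in ZooKeeper 3.6.0.
MIN_SERVER_FOR_ADDWATCH: Version = (3, 6, 0)

# First line of a `srvr` (or `stat`) reply: "Zookeeper version: 3.9.5-<sha>, built on ..."
_VERSION_RE = re.compile(r"^Zookeeper version:\s*(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Constructed sample replies (assumed format; not captured from a real server).
SAMPLE_SRVR_35 = (
    "Zookeeper version: 3.5.10-0000000000000000000000000000000000000000, built on 01/01/2024 00:00 UTC\n"
    "Latency min/avg/max: 0/0.0/0\n"
    "Mode: standalone\n"
)
SAMPLE_SRVR_39 = (
    "Zookeeper version: 3.9.5-0000000000000000000000000000000000000000, built on 01/01/2025 00:00 UTC\n"
    "Latency min/avg/max: 0/0.0/0\n"
    "Mode: standalone\n"
)
# Assumed wording of the reply when the 4lw command is not whitelisted on the server.
SAMPLE_SRVR_DENIED = "srvr is not executed because it is not in the whitelist.\n"


def parse_srvr_version(reply: str) -> Optional[Version]:
    """Return (major, minor, patch) from a srvr/stat reply, or None if no version line."""
    m = _VERSION_RE.search(reply)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def supports_persistent_watches(version: Optional[Version]) -> bool:
    """True only when the server is known to accept addWatch (>= 3.6.0)."""
    return version is not None and version >= MIN_SERVER_FOR_ADDWATCH


def check_reply(reply: str) -> Tuple[bool, str]:
    """Classify a srvr reply; an unparseable reply fails closed rather than passing."""
    version = parse_srvr_version(reply)
    if version is None:
        return False, "could not read server version from srvr reply (4lw not whitelisted?)"
    label = ".".join(str(p) for p in version)
    if not supports_persistent_watches(version):
        return False, f"ZooKeeper {label} < 3.6.0: addWatch (opcode 106) would be rejected"
    return True, f"ZooKeeper {label} accepts persistent watches"


def probe_srvr(host: str, port: int = 2181, timeout: float = 3.0) -> str:
    """Send the `srvr` four-letter word and return the raw reply.

    The server closes the connection after answering, so read until EOF.
    Assumed helper for this example; requires network access to a live server.
    """
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"srvr")
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys

    # With a host argument, probe the real server; otherwise run against a constructed reply.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    reply = probe_srvr(target) if target else SAMPLE_SRVR_35
    ok, reason = check_reply(reply)
    print(("OK" if ok else "FAIL") + ": " + reason)
    sys.exit(0 if ok else 1)
```

Run as `python preflight.py zk-host` against the e2e container before bringing up oap1; the constructed 3.5 reply above fails for exactly the reason the commit describes, and a reply that hides the version (4lw command not whitelisted) is treated as a failure instead of a pass.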
This clears the actionable, non-Go Dependabot alerts on master. (The Go e2e-fixture alerts require a Go 1.24 agent toolchain and are handled separately via skywalking-go image work + an e2e follow-up.)

Shipped product (oap-server-bom + LICENSE + docs)

- Apache Curator 4.3.0 → 5.9.0 (+ curator-test) and Apache ZooKeeper 3.5.7 → 3.9.5, bumped together — Curator 5.x is the line that carries the ZK 3.9.x client. Clears CVE-2023-44981 (critical). OAP is a ZooKeeper client only, so the server-side bug was never reachable, but the bundled jar tripped Dependabot. The cluster-zookeeper and configuration-zookeeper plugins use only stable Curator APIs, so no source changes were required. Operator-facing change: supported ZooKeeper server version is now 3.5+ (3.4.x dropped by Curator 5.x).
- dist-material/release-docs/LICENSE regenerated (curator ×4, zookeeper + jute, audience-annotations); application.yml + backend-cluster.md updated.

Build/test scope

- assertj-core 3.20.2 → 3.27.7 — clears CVE-2026-24400 (XXE in isXmlEqualTo, unused), test scope.

e2e test fixtures (test/e2e-v2, never shipped)

- guava → 32.0.0-jre, kafka-clients → 3.9.2 (+ removed a stale unused 2.4.1 property), log4j-core → 2.25.4, logback → 1.2.13 (the Java-8 line, not Dependabot's JDK-11 1.4.12), json-path → 2.9.0, flask → 3.1.3, protobuf → 4.25.8.

Validation

- clean install of the reactor (BOM change) ✓; cluster-zookeeper + configuration-zookeeper plugin tests ✓ on Curator 5.9.0 / ZK 3.9.5; java-test-service e2e reactor compiles against the bumped deps ✓; checkstyle + license-header preflight ✓.
- CHANGES log.