This is an automated email from the ASF dual-hosted git repository. wu-sheng pushed a commit to branch fix/clear-cve-dependabot-alerts in repository https://gitbox.apache.org/repos/asf/skywalking.git
commit cc1b8fca3074f2303cbe3c731cf2f680a137f140
Author: Wu Sheng <[email protected]>
AuthorDate: Tue Jun 16 23:00:29 2026 +0800

    Clear CVE Dependabot alerts: Curator/ZooKeeper, assertj, e2e Java/Python fixtures

    Shipped (oap-server-bom + LICENSE + docs):
    - Apache Curator 4.3.0 -> 5.9.0 (curator-test too) and ZooKeeper 3.5.7 -> 3.9.5, bumped together (Curator 5.x is the line carrying the ZK 3.9.x client). Clears CVE-2023-44981. OAP is a ZK client only so the server-side bug was never reachable, but the bundled jar tripped Dependabot. Plugins use only stable Curator APIs; no source changes. Supported ZooKeeper server version is now 3.5+ (3.4.x dropped by Curator 5.x). LICENSE + cluster docs + application.yml updated.

    Build/test scope:
    - assertj-core 3.20.2 -> 3.27.7 (CVE-2026-24400, test scope only).

    e2e test fixtures (test/e2e-v2, never shipped):
    - guava -> 32.0.0-jre, kafka-clients -> 3.9.2, log4j-core -> 2.25.4, logback -> 1.2.13 (Java-8 line), json-path -> 2.9.0, flask -> 3.1.3, protobuf -> 4.25.8.

    The 17 Go-fixture alerts require a go1.24 toolchain (grpc 1.79.3 / x-crypto 0.45 need go 1.24, above skywalking-go's published go1.23 ceiling) and are handled separately: skywalking-go go1.24 enablement + e2e go fixture migration.
---
 dist-material/release-docs/LICENSE | 14 +++++++-------
 docs/en/changes/changes.md | 2 ++
 docs/en/setup/backend/backend-cluster.md | 6 +++---
 oap-server-bom/pom.xml | 6 +++---
 .../server-starter/src/main/resources/application.yml | 3 +--
 pom.xml | 2 +-
 test/e2e-v2/cases/airflow/mock/requirements-replay.txt | 4 ++--
 .../java-test-service/e2e-mock-baseline-server/pom.xml | 2 +-
 test/e2e-v2/java-test-service/e2e-mock-sender/pom.xml | 2 +-
 test/e2e-v2/java-test-service/e2e-service-provider/pom.xml | 6 +++---
 test/e2e-v2/java-test-service/pom.xml | 6 +++---
 11 files changed, 27 insertions(+), 26 deletions(-)
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE index 614f378faa..0776a406b0 100644
--- a/dist-material/release-docs/LICENSE +++ b/dist-material/release-docs/LICENSE @@ -323,10 +323,10 @@ The text of each license is the standard Apache 2.0 license. https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.26.2 Apache-2.0 https://mvnrepository.com/artifact/org.apache.commons/commons-lang3/3.18.0 Apache-2.0 https://mvnrepository.com/artifact/org.apache.commons/commons-text/1.4 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.curator/curator-client/4.3.0 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.curator/curator-framework/4.3.0 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.curator/curator-recipes/4.3.0 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.curator/curator-x-discovery/4.3.0 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.curator/curator-client/5.9.0 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.curator/curator-framework/5.9.0 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.curator/curator-recipes/5.9.0 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.curator/curator-x-discovery/5.9.0 Apache-2.0 https://mvnrepository.com/artifact/org.apache.httpcomponents/httpasyncclient/4.1.5 Apache-2.0 https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.13 Apache-2.0 https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16 Apache-2.0 
@@ -335,9 +335,9 @@ The text of each license is the standard Apache 2.0 license. https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api/2.25.4 Apache-2.0 https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.25.4 Apache-2.0 https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-slf4j-impl/2.25.4 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.yetus/audience-annotations/0.5.0 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.5.7 Apache-2.0 - https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper-jute/3.5.7 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.yetus/audience-annotations/0.12.0 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper/3.9.5 Apache-2.0 + https://mvnrepository.com/artifact/org.apache.zookeeper/zookeeper-jute/3.9.5 Apache-2.0 https://mvnrepository.com/artifact/org.freemarker/freemarker/2.3.31 Apache-2.0 https://mvnrepository.com/artifact/org.jetbrains.kotlin/kotlin-reflect/1.7.10 Apache-2.0 https://mvnrepository.com/artifact/org.jetbrains.kotlin/kotlin-stdlib/1.7.10 Apache-2.0 diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md index 0de690baf9..2cc1768421 100644 --- a/docs/en/changes/changes.md +++ b/docs/en/changes/changes.md 
@@ -301,6 +301,8 @@ * Add `@Stream(allowBootReshape = true)` opt-in for additive boot-time reshape of BanyanDB streams / measures. Code-defined stream classes (e.g. `AlarmRecord`) can now annotate their schema as eligible for in-place additive update at OAP boot — a new `@Column` is appended to the live tag-family / fields via `client.update` instead of being silently rejected with `SKIPPED_SHAPE_MISMATCH` (which previously forced operators to drop the measure / stream and lose historical rows). Additive in [...] * Mask keywords `trustStorePass`, `keyStorePass` by default. * Bump up dependencies to clear CVE alerts on shipped OAP jars: log4j `2.25.3` → `2.25.4`, jackson `2.18.5` → `2.18.6`, kafka-clients `3.4.0` → `3.9.2`, postgresql `42.4.4` → `42.7.11`, commons-compress `1.21` → `1.26.2`. +* Bump Apache Curator `4.3.0` → `5.9.0` and Apache ZooKeeper `3.5.7` → `3.9.5` together to clear CVE-2023-44981 (the bundled ZooKeeper jar carried it; OAP is a ZooKeeper client only, so the server-side bug was never reachable, but the jar tripped Dependabot). The cluster-zookeeper and configuration-zookeeper plugins use only stable Curator APIs, so no source changes were required. Operator-facing change: the supported ZooKeeper server version is now 3.5+ — ZooKeeper 3.4.x is no longer su [...] +* Bump test-scope assertj-core `3.20.2` → `3.27.7` to clear CVE-2026-24400 (XXE in `isXmlEqualTo`, not used by any test). * Fix: continuous profiling policy validation now rejects a threshold / count of `0` to match the error messages and rover's `value >= threshold` trigger semantics (a `0` threshold would always trigger). CPU percent and HTTP error rate are tightened from `[0-100]` to `(0-100]`. * Fix wrong BanyanDB resource options in record data. 
* Align the default BanyanDB stage `segmentInterval` values so each coarser stage is an integer multiple of the finer one (`records` cold `3` → `4`, `metricsMinute` cold `5` → `6`, `metricsHour` warm `7` → `10` and cold `15` → `20`), keeping hot → warm → cold lifecycle migration on the cheap whole-segment fast path. diff --git a/docs/en/setup/backend/backend-cluster.md b/docs/en/setup/backend/backend-cluster.md index ff1ea0e09f..c7ed2f55fa 100644 --- a/docs/en/setup/backend/backend-cluster.md +++ b/docs/en/setup/backend/backend-cluster.md @@ -82,7 +82,7 @@ You could have two options Zookeeper is a very common and widely used cluster coordinator. Set the **cluster/selector** to **zookeeper** in the yml to enable it. -Required Zookeeper version: 3.5+ +Supported Zookeeper server version: 3.5+. The bundled ZooKeeper client library is 3.9.x. ```yaml cluster: @@ -92,11 +92,11 @@ cluster: - `hostPort` is the list of zookeeper servers. Format is `IP1:PORT1,IP2:PORT2,...,IPn:PORTn` - `enableACL` - enable [Zookeeper ACL](https://zookeeper.apache.org/doc/r3.5.5/zookeeperProgrammers.html#sc_ZooKeeperAccessControl) to + enable [Zookeeper ACL](https://zookeeper.apache.org/doc/r3.9.3/zookeeperProgrammers.html#sc_ZooKeeperAccessControl) to control access to its znode. - `schema` is Zookeeper ACL schemas. - `expression` is a expression of ACL. The format of the expression is specific to - the [schema](https://zookeeper.apache.org/doc/r3.5.5/zookeeperProgrammers.html#sc_BuiltinACLSchemes). + the [schema](https://zookeeper.apache.org/doc/r3.9.3/zookeeperProgrammers.html#sc_BuiltinACLSchemes). - `hostPort`, `baseSleepTimeMs` and `maxRetries` are settings of Zookeeper curator client. Note: diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml index 7a08c4593b..81768d79db 100644 --- a/oap-server-bom/pom.xml +++ b/oap-server-bom/pom.xml 
@@ -37,7 +37,7 @@ <okhttp.version>3.14.9</okhttp.version> <httpclient.version>4.5.13</httpclient.version> <joda-time.version>2.10.5</joda-time.version> - <zookeeper.version>3.5.7</zookeeper.version> + <zookeeper.version>3.9.5</zookeeper.version> <guava.version>32.0.1-jre</guava.version> <snakeyaml.version>2.0</snakeyaml.version> <protobuf-java.version>4.33.1</protobuf-java.version> @@ -54,8 +54,8 @@ <simpleclient.version>0.6.0</simpleclient.version> <apollo.version>1.8.0</apollo.version> <nacos.version>2.3.2</nacos.version> - <curator.version>4.3.0</curator.version> - <curator-test.version>2.12.0</curator-test.version> + <curator.version>5.9.0</curator.version> + <curator-test.version>5.9.0</curator-test.version> <etcd4j.version>2.18.0</etcd4j.version> <freemarker.version>2.3.31</freemarker.version> <javaassist.version>3.25.0-GA</javaassist.version> diff --git a/oap-server/server-starter/src/main/resources/application.yml b/oap-server/server-starter/src/main/resources/application.yml index e02938cc8e..089f6729bd 100644 --- a/oap-server/server-starter/src/main/resources/application.yml +++ b/oap-server/server-starter/src/main/resources/application.yml @@ -16,8 +16,7 @@ cluster: selector: ${SW_CLUSTER:standalone} standalone: - # Please check your ZooKeeper is 3.5+, However, it is also compatible with ZooKeeper 3.4.x. Replace the ZooKeeper 3.5+ - # library the oap-libs folder with your ZooKeeper 3.4.x library. + # Supported ZooKeeper server version: 3.5+. The bundled ZooKeeper client library is 3.9.x. zookeeper: namespace: ${SW_NAMESPACE:""} hostPort: ${SW_CLUSTER_ZK_HOST_PORT:localhost:2181} diff --git a/pom.xml b/pom.xml index 18490541ab..75696d88a4 100755 --- a/pom.xml +++ b/pom.xml 
@@ -182,7 +182,7 @@ <maven-checkstyle-plugin.version>3.1.0</maven-checkstyle-plugin.version> <jmh.version>1.37</jmh.version> <checkstyle.fails.on.error>true</checkstyle.fails.on.error> - <assertj-core.version>3.20.2</assertj-core.version> + <assertj-core.version>3.27.7</assertj-core.version> <cyclonedx-maven-plugin.version>2.8.0</cyclonedx-maven-plugin.version> <flatten-plugin-version>1.6.0</flatten-plugin-version> diff --git a/test/e2e-v2/cases/airflow/mock/requirements-replay.txt b/test/e2e-v2/cases/airflow/mock/requirements-replay.txt index 80c4250e3b..2e302eda69 100644 --- a/test/e2e-v2/cases/airflow/mock/requirements-replay.txt +++ b/test/e2e-v2/cases/airflow/mock/requirements-replay.txt @@ -1,4 +1,4 @@ -flask==3.0.3 +flask==3.1.3 grpcio==1.62.2 -protobuf==4.25.3 +protobuf==4.25.8 opentelemetry-proto==1.24.0 diff --git a/test/e2e-v2/java-test-service/e2e-mock-baseline-server/pom.xml b/test/e2e-v2/java-test-service/e2e-mock-baseline-server/pom.xml index e24dc67e3a..f1f91a0223 100644 --- a/test/e2e-v2/java-test-service/e2e-mock-baseline-server/pom.xml +++ b/test/e2e-v2/java-test-service/e2e-mock-baseline-server/pom.xml @@ -58,7 +58,7 @@ <dependency> <groupId>com.google.guava</groupId> <artifactId>guava</artifactId> - <version>23.0</version> + <version>32.0.0-jre</version> </dependency> <dependency> <groupId>io.grpc</groupId> diff --git a/test/e2e-v2/java-test-service/e2e-mock-sender/pom.xml b/test/e2e-v2/java-test-service/e2e-mock-sender/pom.xml index 922f7ed5e2..29dedb3b58 100644 --- a/test/e2e-v2/java-test-service/e2e-mock-sender/pom.xml +++ b/test/e2e-v2/java-test-service/e2e-mock-sender/pom.xml @@ -61,7 +61,7 @@ <dependency> <groupId>com.jayway.jsonpath</groupId> <artifactId>json-path</artifactId> - <version>2.7.0</version> + <version>2.9.0</version> </dependency> </dependencies> <build> diff --git a/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml b/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml index 2de07cc331..74b73f137c 100644 
--- a/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml +++ b/test/e2e-v2/java-test-service/e2e-service-provider/pom.xml @@ -35,8 +35,8 @@ <properties> <log4j.version>1.2.17</log4j.version> - <log4j2.version>2.17.1</log4j2.version> - <logback.version>1.2.3</logback.version> + <log4j2.version>2.25.4</log4j2.version> + <logback.version>1.2.13</logback.version> </properties> <dependencies> @@ -109,7 +109,7 @@ <dependency> <groupId>com.google.guava</groupId> <artifactId>guava</artifactId> - <version>23.0</version> + <version>32.0.0-jre</version> </dependency> </dependencies> diff --git a/test/e2e-v2/java-test-service/pom.xml b/test/e2e-v2/java-test-service/pom.xml index f7206b423a..1a0e04524e 100644 --- a/test/e2e-v2/java-test-service/pom.xml +++ b/test/e2e-v2/java-test-service/pom.xml @@ -50,11 +50,11 @@ <spring.cloud.version>2.1.2.RELEASE</spring.cloud.version> <jupeter.version>5.6.0</jupeter.version> <jackson.version>2.9.7</jackson.version> - <guava.version>30.1.1-jre</guava.version> + <guava.version>32.0.0-jre</guava.version> <h2.version>2.1.210</h2.version> <mysql.version>8.0.13</mysql.version> <lombok.version>1.18.40</lombok.version> - <kafka-clients.version>2.4.1</kafka-clients.version> + <kafka-clients.version>3.9.2</kafka-clients.version> <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version> <maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version> @@ -120,7 +120,7 @@ <dependency> <groupId>org.apache.kafka</groupId> <artifactId>kafka-clients</artifactId> - <version>2.8.0</version> + <version>${kafka-clients.version}</version> </dependency> </dependencies>
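Review bot: the second LICENSE hunk (`@@ -335,9 +335,9 @@`) also bumps `org.apache.yetus/audience-annotations` 0.5.0 → 0.12.0, and neither the commit message nor the changelog entry mentions it. If it rides in transitively with zookeeper 3.9.5, one clause in the message saying so lets a release reviewer tie that LICENSE line back to the dependency change that caused it instead of having to diff the dependency tree.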
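Review bot: in the backend-cluster.md hunk the two ACL links now point at the `r3.9.3` documentation while the sentence right above them says the bundled client is 3.9.x and the bom pins 3.9.5. Either link the docs for the version actually shipped or use the version-less `https://zookeeper.apache.org/doc/current/` tree so the links do not go stale on the next bump. While this block is being touched, the unchanged context line `- \`expression\` is a expression of ACL.` should read `an expression`.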
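Review bot: in the oap-server-bom hunk `curator-test` jumps 2.12.0 → 5.9.0, two major lines further than the framework bump (4.3.0 → 5.9.0), so the old value had been lagging for some time. The hunk shows only the property; please confirm the dependency that consumes it is declared with `<scope>test</scope>` and that the embedded ZooKeeper test server it starts (`org.apache.curator.test.TestingServer`) resolves to the same 3.9.5 line as `zookeeper.version`, otherwise the unit tests exercise a different ZooKeeper than the one shipped.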
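Review bot: the new application.yml comment (`# Supported ZooKeeper server version: 3.5+. The bundled ZooKeeper client library is 3.9.x.`) drops the old instruction for 3.4.x users without saying that 3.4.x is no longer supported; the only place that is stated is changes.md, which operators editing this file will not read. Add a short "ZooKeeper 3.4.x is no longer supported" clause here (and in the matching backend-cluster.md sentence) so the operator-facing change is visible where the setting is configured.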
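Review bot: the e2e-mock-baseline-server hunk hardcodes `<version>32.0.0-jre</version>` for guava even though the same patch sets `<guava.version>32.0.0-jre</guava.version>` in test/e2e-v2/java-test-service/pom.xml; if this module inherits from that pom, reference `${guava.version}` the way the kafka-clients hunk does (`<version>${kafka-clients.version}</version>`) so the next bump is a single-line change. Note also that oap-server-bom pins `32.0.1-jre`; aligning the fixtures to that patch level would leave one guava version across the repository.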
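Review bot: in the e2e-service-provider hunks the unchanged context line `<log4j.version>1.2.17</log4j.version>` keeps log4j 1.x, which is end of life, alongside the bumped `log4j2.version` and `logback.version`; if Dependabot does not flag it, a line in the commit message saying why it is retained (fixture exercises the log4j 1.x agent plugin, for instance) would save the next reviewer the question. The guava bump in the second hunk is again a hardcoded `32.0.0-jre` rather than `${guava.version}` from the parent properties.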
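Review bot: replacing the hardcoded `2.8.0` in the java-test-service dependency with `${kafka-clients.version}` is the right fix, but it also reveals that the property previously read `2.4.1` while the build actually resolved `2.8.0`, so the old property was dead; that is worth a sentence in the commit message since the effective jump is 2.8.0 → 3.9.2, not 2.4.1 → 3.9.2. The context line `<jupeter.version>` looks like a misspelling of `jupiter`; renaming it touches other files and is out of scope here, but a follow-up would keep the properties block searchable.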
