This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch fix/clear-security-alerts
in repository https://gitbox.apache.org/repos/asf/skywalking.git

commit dffbeb276f74572bfc344a92300ff61c23c3bf67
Author: Wu Sheng <[email protected]>
AuthorDate: Fri Jun 19 20:44:50 2026 +0800

    Clear 3 security alerts: protobuf e2e fixture CVE + histogram count 
narrowing
    
    - Dependabot CVE-2026-0994: bump the Airflow e2e mock's pinned protobuf
      4.25.8 -> 5.29.6 (no 4.x patch exists) and opentelemetry-proto 1.24.0 -> 
1.28.0
      (its protobuf<5.0 cap was the blocker). CI-only test fixture, never 
shipped;
      grpcio/flask unchanged.
    - CodeQL java/implicit-cast-in-compound-assignment: widen the cumulative 
`count`
      accumulator from int to long in Sum/AvgHistogramPercentileFunction. 
`count +=
      value` silently narrowed a long bucket-count sum back to int; `total` was
      already long.
    
    Verified: Sum/AvgHistogramPercentileFunctionTest pass (12/12); checkstyle + 
license clean.
---
 docs/en/changes/changes.md                                            | 1 +
 .../analysis/meter/function/avg/AvgHistogramPercentileFunction.java   | 2 +-
 .../analysis/meter/function/sum/SumHistogramPercentileFunction.java   | 2 +-
 test/e2e-v2/cases/airflow/mock/requirements-replay.txt                | 4 ++--
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index 19944574a6..140114b8b7 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -304,6 +304,7 @@
 * Bump Apache Curator `4.3.0` → `5.9.0` and Apache ZooKeeper `3.5.7` → `3.9.5` 
together to clear CVE-2023-44981 (the bundled ZooKeeper jar carried it; OAP is 
a ZooKeeper client only, so the server-side bug was never reachable, but the 
jar tripped Dependabot). The cluster-zookeeper and configuration-zookeeper 
plugins use only stable Curator APIs, so no source changes were required. 
Operator-facing change: the supported ZooKeeper server version is now 3.6+ 
(Curator 5.x uses ZooKeeper persi [...]
 * Migrate the Consul cluster and configuration client from the abandoned 
`com.orbitz.consul:consul-client` `1.5.3` to the maintained fork 
`org.kiwiproject:consul-client` `0.9.0` to clear the okhttp CVE the old client 
carried (CVE-2021-0341; the old client pinned okhttp `3.14.9`, fixed in okhttp 
`4.9.2+`), so the BOM now pins okhttp to `4.12.0`. The fork's `0.9.x` line is 
the last one built for JDK 11 (which SkyWalking still targets); `1.0.0+` is 
compiled to JDK 17 bytecode, so the migrat [...]
 * Bump test-scope assertj-core `3.20.2` → `3.27.7` to clear CVE-2026-24400 
(XXE in `isXmlEqualTo`, not used by any test).
+* Clear three security alerts: bump the Airflow e2e mock's pinned `protobuf` 
`4.25.8` → `5.29.6` (and `opentelemetry-proto` `1.24.0` → `1.28.0`, whose 
`protobuf<5.0` cap was the blocker) to clear CVE-2026-0994 — a CI-only test 
fixture, never shipped; and widen the cumulative `count` accumulator from `int` 
to `long` in `SumHistogramPercentileFunction` / 
`AvgHistogramPercentileFunction` to clear the CodeQL 
`implicit-cast-in-compound-assignment` alerts (`count += value` silently 
narrowed a  [...]
 * Fix: continuous profiling policy validation now rejects a threshold / count 
of `0` to match the error messages and rover's `value >= threshold` trigger 
semantics (a `0` threshold would always trigger). CPU percent and HTTP error 
rate are tightened from `[0-100]` to `(0-100]`.
 * Fix wrong BanyanDB resource options in record data.
 * Align the default BanyanDB stage `segmentInterval` values so each coarser 
stage is an integer multiple of the finer one (`records` cold `3` → `4`, 
`metricsMinute` cold `5` → `6`, `metricsHour` warm `7` → `10` and cold `15` → 
`20`), keeping hot → warm → cold lifecycle migration on the cheap whole-segment 
fast path.
diff --git 
a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
 
b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
index c018a2e7c1..fd3002e03a 100644
--- 
a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
+++ 
b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
@@ -248,7 +248,7 @@ public abstract class AvgHistogramPercentileFunction 
extends Meter implements Ac
                         roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 
100);
                     }
 
-                    int count = 0;
+                    long count = 0;
                     final List<String> sortedKeys = 
subDataset.sortedKeys(Comparator.comparingLong(Long::parseLong));
 
                     int loopIndex = 0;
diff --git 
a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
 
b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
index 5d94a5f55f..b743597059 100644
--- 
a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
+++ 
b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
@@ -214,7 +214,7 @@ public abstract class SumHistogramPercentileFunction 
extends Meter implements Ac
                         roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 
100);
                     }
 
-                    int count = 0;
+                    long count = 0;
                     final List<String> sortedKeys = 
subDataset.sortedKeys(Comparator.comparingLong(Long::parseLong));
 
                     int loopIndex = 0;
diff --git a/test/e2e-v2/cases/airflow/mock/requirements-replay.txt 
b/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
index 2e302eda69..8446cc888d 100644
--- a/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
+++ b/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
@@ -1,4 +1,4 @@
 flask==3.1.3
 grpcio==1.62.2
-protobuf==4.25.8
-opentelemetry-proto==1.24.0
+protobuf==5.29.6
+opentelemetry-proto==1.28.0

Reply via email to