This is an automated email from the ASF dual-hosted git repository.

wu-sheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git


The following commit(s) were added to refs/heads/master by this push:
     new e1acb44d1a Clear 3 security alerts: protobuf e2e fixture CVE-2026-0994 + histogram count narrowing (#13921)
e1acb44d1a is described below

commit e1acb44d1a939bc2155e1583f5d4d41fe9825907
Author: 吴晟 Wu Sheng <[email protected]>
AuthorDate: Sat Jun 20 09:13:59 2026 +0800

    Clear 3 security alerts: protobuf e2e fixture CVE-2026-0994 + histogram count narrowing (#13921)
    
    * Clear 3 security alerts: protobuf e2e fixture CVE + histogram count narrowing
    
    - Dependabot CVE-2026-0994: bump the Airflow e2e mock's pinned protobuf
      4.25.8 -> 5.29.6 (no 4.x patch exists) and opentelemetry-proto 1.24.0 -> 1.28.0
      (its protobuf<5.0 cap was the blocker). CI-only test fixture, never shipped;
      grpcio/flask unchanged.
    - CodeQL java/implicit-cast-in-compound-assignment: widen the cumulative `count`
      accumulator from int to long in Sum/AvgHistogramPercentileFunction. `count +=
      value` silently narrowed a long bucket-count sum back to int; `total` was
      already long.
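An added illustration (not SkyWalking's code) of the narrowing the second bullet describes: a simplified cumulative-histogram percentile walk in the shape of Sum/AvgHistogramPercentileFunction, run once with the pre-fix `int count` and once with `long count`. The bucket map and its counts are constructed, and the roof uses the `double` overload of `Math.round` so that only the accumulator type differs between the two runs.

```java
import java.util.Map;
import java.util.TreeMap;

// Added illustration, not SkyWalking code: the same percentile walk with an
// int accumulator (pre-fix shape) and a long accumulator (post-fix shape).
public class HistogramCountNarrowing {

    // bucket upper bound (the sorted string key in the real code) -> bucket count
    static final TreeMap<Long, Long> BUCKETS = new TreeMap<>();
    static {
        // Constructed sample: three buckets whose summed count exceeds 2^31.
        BUCKETS.put(100L, 1_500_000_000L);
        BUCKETS.put(200L, 1_500_000_000L);
        BUCKETS.put(400L, 10L);
    }

    static long total() {
        long t = 0;
        for (long c : BUCKETS.values()) t += c;
        return t;
    }

    // Pre-fix shape: `int count` with `count += value` where value is long.
    // The compound assignment hides an (int) cast, so count wraps negative.
    static long percentileWithIntCount(int rank) {
        long roof = Math.round(total() * rank / 100.0d);
        int count = 0;
        for (Map.Entry<Long, Long> e : BUCKETS.entrySet()) {
            count += e.getValue();          // implicit narrowing to int
            if (count >= roof) return e.getKey();
        }
        return -1;  // roof never reached: the wrapped count stays below it
    }

    // Post-fix shape: `long count`, no narrowing, the walk stops at bucket 200.
    static long percentileWithLongCount(int rank) {
        long roof = Math.round(total() * rank / 100.0d);
        long count = 0;
        for (Map.Entry<Long, Long> e : BUCKETS.entrySet()) {
            count += e.getValue();
            if (count >= roof) return e.getKey();
        }
        return -1;
    }

    public static void main(String[] args) {
        System.out.println("p99 with int count : " + percentileWithIntCount(99));
        System.out.println("p99 with long count: " + percentileWithLongCount(99));
    }
}
```

With these constructed buckets the p99 roof is 2,970,000,010; the `int` walk wraps to a negative count after the second bucket and returns -1, while the `long` walk returns bucket 200.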
---
 docs/en/changes/changes.md                                          | 1 +
 .../analysis/meter/function/avg/AvgHistogramPercentileFunction.java | 2 +-
 .../analysis/meter/function/sum/SumHistogramPercentileFunction.java | 2 +-
 test/e2e-v2/cases/airflow/mock/requirements-replay.txt              | 6 +++---
 4 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index 19944574a6..a91eefb067 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -304,6 +304,7 @@
 * Bump Apache Curator `4.3.0` → `5.9.0` and Apache ZooKeeper `3.5.7` → `3.9.5` 
together to clear CVE-2023-44981 (the bundled ZooKeeper jar carried it; OAP is 
a ZooKeeper client only, so the server-side bug was never reachable, but the 
jar tripped Dependabot). The cluster-zookeeper and configuration-zookeeper 
plugins use only stable Curator APIs, so no source changes were required. 
Operator-facing change: the supported ZooKeeper server version is now 3.6+ 
(Curator 5.x uses ZooKeeper persi [...]
 * Migrate the Consul cluster and configuration client from the abandoned 
`com.orbitz.consul:consul-client` `1.5.3` to the maintained fork 
`org.kiwiproject:consul-client` `0.9.0` to clear the okhttp CVE the old client 
carried (CVE-2021-0341; the old client pinned okhttp `3.14.9`, fixed in okhttp 
`4.9.2+`), so the BOM now pins okhttp to `4.12.0`. The fork's `0.9.x` line is 
the last one built for JDK 11 (which SkyWalking still targets); `1.0.0+` is 
compiled to JDK 17 bytecode, so the migrat [...]
 * Bump test-scope assertj-core `3.20.2` → `3.27.7` to clear CVE-2026-24400 
(XXE in `isXmlEqualTo`, not used by any test).
+* Clear three security alerts: bump the Airflow e2e mock's pinned `protobuf` 
`4.25.8` → `5.29.6` (with `opentelemetry-proto` `1.24.0` → `1.28.0`, whose 
`protobuf<5.0` cap was the blocker, and `grpcio` `1.62.2` → `1.63.2`, required 
because `opentelemetry-proto` `1.28.0`'s gRPC stubs call 
`unary_unary(_registered_method=...)`) to clear CVE-2026-0994 — a CI-only test 
fixture, never shipped; and widen the cumulative `count` accumulator from `int` 
to `long` in `SumHistogramPercentileFunction` [...]
 * Fix: continuous profiling policy validation now rejects a threshold / count 
of `0` to match the error messages and rover's `value >= threshold` trigger 
semantics (a `0` threshold would always trigger). CPU percent and HTTP error 
rate are tightened from `[0-100]` to `(0-100]`.
 * Fix wrong BanyanDB resource options in record data.
 * Align the default BanyanDB stage `segmentInterval` values so each coarser 
stage is an integer multiple of the finer one (`records` cold `3` → `4`, 
`metricsMinute` cold `5` → `6`, `metricsHour` warm `7` → `10` and cold `15` → 
`20`), keeping hot → warm → cold lifecycle migration on the cheap whole-segment 
fast path.
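Review bot: the new bullet folds three unrelated alerts (the `protobuf`/`opentelemetry-proto`/`grpcio` fixture bump, CVE-2026-0994, and the `count` accumulator widening) into one entry, while every neighbouring entry keeps one alert per bullet with its CVE up front; consider splitting it into one bullet for the e2e fixture pins (with CVE-2026-0994) and one for the `int` to `long` change in `SumHistogramPercentileFunction` and its Avg twin, so release notes stay searchable per CVE and the arithmetic fix is not buried behind a dependency bump.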
diff --git 
a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
 
b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
index c018a2e7c1..fd3002e03a 100644
--- 
a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
+++ 
b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
@@ -248,7 +248,7 @@ public abstract class AvgHistogramPercentileFunction 
extends Meter implements Ac
                         roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 
100);
                     }
 
-                    int count = 0;
+                    long count = 0;
                     final List<String> sortedKeys = 
subDataset.sortedKeys(Comparator.comparingLong(Long::parseLong));
 
                     int loopIndex = 0;
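Review bot: widening `count` to `long` removes the hidden `(int)` cast in `count += value`, but the roof it is accumulated toward is still computed two lines up as `roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 100);`: the `1.0f` promotes the `long` `total` to `float` (24-bit mantissa, exact only below 2^24) and `Math.round(float)` returns an `int` that saturates at `Integer.MAX_VALUE`, so for the large bucket sums this change targets, the roof side of the comparison is now the imprecise one. Suggest `roofs[i] = Math.round(total * ranks.get(i) / 100.0d);` (the `double` overload returns `long`) with `roofs` declared as `long[]`, so both sides of the percentile walk are exact.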
diff --git 
a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
 
b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
index 5d94a5f55f..b743597059 100644
--- 
a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
+++ 
b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
@@ -214,7 +214,7 @@ public abstract class SumHistogramPercentileFunction 
extends Meter implements Ac
                         roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 
100);
                     }
 
-                    int count = 0;
+                    long count = 0;
                     final List<String> sortedKeys = 
subDataset.sortedKeys(Comparator.comparingLong(Long::parseLong));
 
                     int loopIndex = 0;
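Review bot: this hunk is the same block as in `AvgHistogramPercentileFunction` (same `roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 100);` with its `float` promotion of `total` and `int`-returning `Math.round`, same `count` walk over `sortedKeys`), and CodeQL had to flag both copies separately; consider lifting the percentile walk into a shared helper on the common `Meter` base or a small utility class, so the next correction, including the roof precision one, lands once rather than twice.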
diff --git a/test/e2e-v2/cases/airflow/mock/requirements-replay.txt 
b/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
index 2e302eda69..8754b425e3 100644
--- a/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
+++ b/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
@@ -1,4 +1,4 @@
 flask==3.1.3
-grpcio==1.62.2
-protobuf==4.25.8
-opentelemetry-proto==1.24.0
+grpcio==1.63.2
+protobuf==5.29.6
+opentelemetry-proto==1.28.0
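Review bot: the commit message states "grpcio/flask unchanged", but this hunk bumps `grpcio` `1.62.2` -> `1.63.2`; the changelog entry is the accurate record (the `opentelemetry-proto` `1.28.0` stubs call `unary_unary(_registered_method=...)`), so the commit message is misleading for anyone bisecting later. Since these three pins now form a chain (`protobuf` 5.x required by `opentelemetry-proto` `1.28.0`, which requires `grpcio` `1.63.2`), a `#` comment beside them recording that coupling would stop a future single-package Dependabot bump from breaking the replay mock, and adding `--hash=sha256:...` entries to the pins would give this CI-only fixture protection against a substituted wheel or sdist.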
