From e2e89b52b7fdca4d15f0351ff34d8ecf0ab21cac Mon Sep 17 00:00:00 2001
From: chrislu <chris.lu@gmail.com>
Date: Sat, 22 Nov 2025 22:06:29 -0800
Subject: [PATCH] security: add dependency overrides for vulnerable transitive
 deps

- Add commons-beanutils 1.11.0 (fixes CVE in 1.9.4)
- Add protobuf-java 3.25.5 (compatible with Spark/Hadoop ecosystem)
- Add nimbus-jose-jwt 9.37.2 (minimum secure version)
- Add snappy-java 1.1.10.4 (fixes compression vulnerabilities)
- Add dnsjava 3.6.0 (fixes DNS security issues)

All dependencies are pulled transitively from Hadoop/Spark:
- commons-beanutils: hadoop-common
- protobuf-java: hadoop-common
- nimbus-jose-jwt: hadoop-auth
- snappy-java: spark-core
- dnsjava: hadoop-common

Verified with mvn dependency:tree that overrides are applied correctly.
---
 test/java/spark/pom.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/test/java/spark/pom.xml b/test/java/spark/pom.xml
index 535c7b29c..b6f5154cb 100644
--- a/test/java/spark/pom.xml
+++ b/test/java/spark/pom.xml
@@ -136,6 +136,11 @@
                 <artifactId>commons-io</artifactId>
                 <version>2.15.1</version>
             </dependency>
+            <dependency>
+                <groupId>commons-beanutils</groupId>
+                <artifactId>commons-beanutils</artifactId>
+                <version>1.11.0</version>
+            </dependency>
 
             <!-- Guava - Fix CVEs -->
             <dependency>
@@ -151,6 +156,34 @@
                 <version>2.2</version>
             </dependency>
 
+            <!-- Protobuf - Fix CVEs -->
+            <dependency>
+                <groupId>com.google.protobuf</groupId>
+                <artifactId>protobuf-java</artifactId>
+                <version>3.25.5</version>
+            </dependency>
+
+            <!-- Nimbus JOSE JWT - Fix CVEs -->
+            <dependency>
+                <groupId>com.nimbusds</groupId>
+                <artifactId>nimbus-jose-jwt</artifactId>
+                <version>9.37.2</version>
+            </dependency>
+
+            <!-- Snappy Java - Fix CVEs -->
+            <dependency>
+                <groupId>org.xerial.snappy</groupId>
+                <artifactId>snappy-java</artifactId>
+                <version>1.1.10.4</version>
+            </dependency>
+
+            <!-- DNS Java - Fix CVEs -->
+            <dependency>
+                <groupId>dnsjava</groupId>
+                <artifactId>dnsjava</artifactId>
+                <version>3.6.0</version>
+            </dependency>
+
             <!-- Jetty - Pin version for transitive dependencies from Spark/Hadoop -->
             <dependency>
                 <groupId>org.eclipse.jetty</groupId>