security: add dependency overrides for vulnerable transitive deps

- Add commons-beanutils 1.11.0 (fixes CVE in 1.9.4) - Add protobuf-java 3.25.5 (compatible with Spark/Hadoop ecosystem) - Add nimbus-jose-jwt 9.37.2 (minimum secure version) - Add snappy-java 1.1.10.4 (fixes compression vulnerabilities) - Add dnsjava 3.6.0 (fixes DNS security issues) All dependencies are pulled transitively from Hadoop/Spark: - commons-beanutils: hadoop-common - protobuf-java: hadoop-common - nimbus-jose-jwt: hadoop-auth - snappy-java: spark-core - dnsjava: hadoop-common Verified with mvn dependency:tree that overrides are applied correctly.
4 weeks ago · e2e89b52b7
1 changed files with 33 additions and 0 deletions
--- a/test/java/spark/pom.xml
+++ b/test/java/spark/pom.xml
@ -136,6 +136,11 @@
                <artifactId>commons-io</artifactId>
                <version>2.15.1</version>
            </dependency>
+            <dependency>
+                <groupId>commons-beanutils</groupId>
+                <artifactId>commons-beanutils</artifactId>
+                <version>1.11.0</version>
+            </dependency>

            <!-- Guava - Fix CVEs -->
            <dependency>
@ -151,6 +156,34 @@
                <version>2.2</version>
            </dependency>

+            <!-- Protobuf - Fix CVEs -->
+            <dependency>
+                <groupId>com.google.protobuf</groupId>
+                <artifactId>protobuf-java</artifactId>
+                <version>3.25.5</version>
+            </dependency>
+
+            <!-- Nimbus JOSE JWT - Fix CVEs -->
+            <dependency>
+                <groupId>com.nimbusds</groupId>
+                <artifactId>nimbus-jose-jwt</artifactId>
+                <version>9.37.2</version>
+            </dependency>
+
+            <!-- Snappy Java - Fix CVEs -->
+            <dependency>
+                <groupId>org.xerial.snappy</groupId>
+                <artifactId>snappy-java</artifactId>
+                <version>1.1.10.4</version>
+            </dependency>
+
+            <!-- DNS Java - Fix CVEs -->
+            <dependency>
+                <groupId>dnsjava</groupId>
+                <artifactId>dnsjava</artifactId>
+                <version>3.6.0</version>
+            </dependency>
+
            <!-- Jetty - Pin version for transitive dependencies from Spark/Hadoop -->
            <dependency>
                <groupId>org.eclipse.jetty</groupId>