
Update dependency org.eclipse.jetty:jetty-server to v11.0.24 #138

Merged
seankao-az merged 1 commit into opensearch-project:main from dai-chen:update-jetty-server-to-v12
Apr 29, 2025

Conversation

@dai-chen
Collaborator

@dai-chen dai-chen commented Apr 18, 2025

Description

This PR contains the following updates:

Package                                 | Type         | Update | Change
org.eclipse.jetty:jetty-server (source) | dependencies | major  | 11.0.19 -> 11.0.24

Issues Resolved

By merging this PR, the issue #133 will be automatically resolved and closed:

Severity | CVSS Score | CVE
Medium   | 5.9        | CVE-2024-8184
Low      | 3.7        | CVE-2024-6763
Low      | 3.7        | CVE-2024-6763

Check List

  • New functionality includes testing.
    • All tests pass, including unit test, integration test and doctest
  • New functionality has been documented.
    • New functionality has javadoc added
    • New functionality has user manual doc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following the Developer Certificate of Origin and signing off your commits, please check here.

@dai-chen dai-chen added the security fix Security fix generated by Mend label Apr 18, 2025
@dai-chen dai-chen self-assigned this Apr 18, 2025
@dai-chen
Collaborator Author

dai-chen commented Apr 18, 2025

CI failed with JDK 11. Jetty server v12 requires JDK 17+: https://jetty.org/docs/jetty/12/index.html

Since this is only for test code and the CVEs are medium and low, I'm thinking: should we stick with v11 and JDK 8?

Signed-off-by: Chen Dai <daichen@amazon.com>
@dai-chen dai-chen force-pushed the update-jetty-server-to-v12 branch from 7e42e12 to 0bf162e on April 22, 2025 18:09
@dai-chen dai-chen changed the title from "Update dependency org.eclipse.jetty:jetty-server to v12" to "Update dependency org.eclipse.jetty:jetty-server to v11.0.24" Apr 22, 2025
@dai-chen
Collaborator Author

Security Report

You have successfully remediated 3 vulnerabilities, but introduced 2 new vulnerabilities in this branch.

❌ New vulnerabilities:

CVE           | Severity | CVSS Score | Vulnerable Library       | Suggested Fix                                                                                    | Issue
CVE-2024-6763 | Low      | 3.7        | jetty-http-11.0.24.jar   | Upgrade to version: org.eclipse.jetty:jetty-http:12.0.12;org.eclipse.jetty:jetty-server:12.0.12 | None
CVE-2024-6763 | Low      | 3.7        | jetty-server-11.0.24.jar | Upgrade to version: org.eclipse.jetty:jetty-http:12.0.12;org.eclipse.jetty:jetty-server:12.0.12 | None

✔️ Remediated vulnerabilities:

CVE           | Vulnerable Library
CVE-2024-6763 | jetty-http-11.0.19.jar
CVE-2024-6763 | jetty-server-11.0.19.jar
CVE-2024-8184 | jetty-server-11.0.19.jar

@dai-chen
Collaborator Author

Upgrading to a newer version of v11 instead of v12 to avoid bumping the JDK version to 17. As per the security report from CI, this code change fixes 1 medium and 2 low vulnerabilities, though it ends up with another 2 low vulnerabilities that can only be fixed in v12.

@seankao-az seankao-az merged commit b520f9f into opensearch-project:main Apr 29, 2025
9 of 10 checks passed