Skip to content

Fix CVE-2025-53864 and CVE-2025-22227 by updating vulnerable dependencies #101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
+177 −86
Draft

Fix CVE-2025-53864 and CVE-2025-22227 by updating vulnerable dependencies #101

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
38b62ae
Initial plan
Copilot Jul 23, 2025
c8f99cf
Fix CVE-2025-53864 and CVE-2025-22227 by updating vulnerable dependen…
Copilot Jul 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
258 changes: 173 additions & 85 deletions agent/agent-tooling/gradle.lockfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,89 +1,177 @@
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
ch.qos.logback.contrib:logback-json-classic:0.1.5=runtimeClasspath
ch.qos.logback.contrib:logback-json-core:0.1.5=runtimeClasspath
ch.qos.logback:logback-classic:1.3.15=runtimeClasspath
ch.qos.logback:logback-core:1.3.15=runtimeClasspath
com.azure:azure-core-http-netty:1.15.12=runtimeClasspath
com.azure:azure-core:1.55.4=runtimeClasspath
com.azure:azure-identity:1.16.2=runtimeClasspath
com.azure:azure-json:1.5.0=runtimeClasspath
com.azure:azure-monitor-opentelemetry-autoconfigure:1.2.0=runtimeClasspath
com.azure:azure-sdk-bom:1.2.36=runtimeClasspath
com.azure:azure-storage-blob:12.30.1=runtimeClasspath
com.azure:azure-storage-common:12.29.1=runtimeClasspath
com.azure:azure-storage-internal-avro:12.15.1=runtimeClasspath
com.azure:azure-xml:1.2.0=runtimeClasspath
com.fasterxml.jackson.core:jackson-annotations:2.19.2=runtimeClasspath
com.fasterxml.jackson.core:jackson-core:2.19.2=runtimeClasspath
com.fasterxml.jackson.core:jackson-databind:2.19.2=runtimeClasspath
com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.19.2=runtimeClasspath
com.fasterxml.jackson:jackson-bom:2.19.2=runtimeClasspath
com.github.oshi:oshi-core:6.8.2=runtimeClasspath
com.github.stephenc.jcip:jcip-annotations:1.0-1=runtimeClasspath
com.google.errorprone:error_prone_annotations:2.40.0=runtimeClasspath
com.microsoft.azure:msal4j-persistence-extension:1.3.0=runtimeClasspath
com.microsoft.azure:msal4j:1.21.0=runtimeClasspath
com.nimbusds:content-type:2.3=runtimeClasspath
com.nimbusds:lang-tag:1.7=runtimeClasspath
com.nimbusds:nimbus-jose-jwt:10.0.1=runtimeClasspath
com.nimbusds:oauth2-oidc-sdk:11.23=runtimeClasspath
commons-codec:commons-codec:1.18.0=runtimeClasspath
io.netty:netty-bom:4.2.3.Final=runtimeClasspath
io.netty:netty-buffer:4.2.3.Final=runtimeClasspath
io.netty:netty-codec-base:4.2.3.Final=runtimeClasspath
io.netty:netty-codec-compression:4.2.3.Final=runtimeClasspath
io.netty:netty-codec-dns:4.2.3.Final=runtimeClasspath
io.netty:netty-codec-http2:4.2.3.Final=runtimeClasspath
io.netty:netty-codec-http:4.2.3.Final=runtimeClasspath
io.netty:netty-codec-marshalling:4.2.3.Final=runtimeClasspath
io.netty:netty-codec-protobuf:4.2.3.Final=runtimeClasspath
io.netty:netty-codec-socks:4.2.3.Final=runtimeClasspath
io.netty:netty-codec:4.2.3.Final=runtimeClasspath
io.netty:netty-common:4.2.3.Final=runtimeClasspath
io.netty:netty-handler-proxy:4.2.3.Final=runtimeClasspath
io.netty:netty-handler:4.2.3.Final=runtimeClasspath
io.netty:netty-resolver-dns-classes-macos:4.2.3.Final=runtimeClasspath
io.netty:netty-resolver-dns-native-macos:4.2.3.Final=runtimeClasspath
io.netty:netty-resolver-dns:4.2.3.Final=runtimeClasspath
io.netty:netty-resolver:4.2.3.Final=runtimeClasspath
io.netty:netty-tcnative-boringssl-static:2.0.72.Final=runtimeClasspath
io.netty:netty-tcnative-classes:2.0.72.Final=runtimeClasspath
io.netty:netty-transport-classes-epoll:4.2.3.Final=runtimeClasspath
io.netty:netty-transport-classes-kqueue:4.2.3.Final=runtimeClasspath
io.netty:netty-transport-native-epoll:4.2.3.Final=runtimeClasspath
io.netty:netty-transport-native-kqueue:4.2.3.Final=runtimeClasspath
io.netty:netty-transport-native-unix-common:4.2.3.Final=runtimeClasspath
io.netty:netty-transport:4.2.3.Final=runtimeClasspath
io.opentelemetry.contrib:opentelemetry-jfr-connection:1.47.0-alpha=runtimeClasspath
io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:2.18.1-alpha=runtimeClasspath
io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom:2.18.1=runtimeClasspath
io.opentelemetry:opentelemetry-api:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-bom-alpha:1.52.0-alpha=runtimeClasspath
io.opentelemetry:opentelemetry-bom:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-common:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-context:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-sdk-common:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-sdk-extension-autoconfigure:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-sdk-logs:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-sdk-metrics:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-sdk-trace:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-sdk:1.52.0=runtimeClasspath
io.opentelemetry:opentelemetry-semconv:1.30.1-alpha=runtimeClasspath
io.projectreactor.netty:reactor-netty-core:1.0.48=runtimeClasspath
io.projectreactor.netty:reactor-netty-http:1.0.48=runtimeClasspath
io.projectreactor:reactor-core:3.4.41=runtimeClasspath
net.java.dev.jna:jna-platform:5.17.0=runtimeClasspath
net.java.dev.jna:jna:5.17.0=runtimeClasspath
net.minidev:accessors-smart:2.5.2=runtimeClasspath
net.minidev:json-smart:2.5.2=runtimeClasspath
org.apache.commons:commons-lang3:3.17.0=runtimeClasspath
org.apache.commons:commons-text:1.13.1=runtimeClasspath
org.junit:junit-bom:5.13.3=runtimeClasspath
org.reactivestreams:reactive-streams:1.0.4=runtimeClasspath
org.slf4j:jcl-over-slf4j:2.0.17=runtimeClasspath
org.slf4j:slf4j-api:2.0.17=runtimeClasspath
org.testcontainers:testcontainers-bom:1.21.3=runtimeClasspath
ch.qos.logback.contrib:logback-json-classic:0.1.5=runtimeClasspath,testRuntimeClasspath
ch.qos.logback.contrib:logback-json-core:0.1.5=runtimeClasspath,testRuntimeClasspath
ch.qos.logback:logback-classic:1.3.15=runtimeClasspath,testRuntimeClasspath
ch.qos.logback:logback-core:1.3.15=runtimeClasspath,testRuntimeClasspath
codes.rafael.asmjdkbridge:asm-jdk-bridge:0.0.10=testRuntimeClasspath
com.azure:azure-core-http-netty:1.15.12=runtimeClasspath,testRuntimeClasspath
com.azure:azure-core-test:1.26.2=testRuntimeClasspath
com.azure:azure-core:1.55.4=runtimeClasspath,testRuntimeClasspath
com.azure:azure-identity:1.16.2=runtimeClasspath,testRuntimeClasspath
com.azure:azure-json:1.5.0=runtimeClasspath,testRuntimeClasspath
com.azure:azure-monitor-opentelemetry-autoconfigure:1.2.0=runtimeClasspath,testRuntimeClasspath
com.azure:azure-sdk-bom:1.2.36=runtimeClasspath,testRuntimeClasspath
com.azure:azure-storage-blob:12.30.1=runtimeClasspath,testRuntimeClasspath
com.azure:azure-storage-common:12.29.1=runtimeClasspath,testRuntimeClasspath
com.azure:azure-storage-internal-avro:12.15.1=runtimeClasspath,testRuntimeClasspath
com.azure:azure-xml:1.2.0=runtimeClasspath,testRuntimeClasspath
com.fasterxml.jackson.core:jackson-annotations:2.19.2=runtimeClasspath,testRuntimeClasspath
com.fasterxml.jackson.core:jackson-core:2.19.2=runtimeClasspath,testRuntimeClasspath
com.fasterxml.jackson.core:jackson-databind:2.19.2=runtimeClasspath,testRuntimeClasspath
com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.19.2=testRuntimeClasspath
com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.19.2=testRuntimeClasspath
com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.19.2=runtimeClasspath,testRuntimeClasspath
com.fasterxml.jackson:jackson-bom:2.19.2=runtimeClasspath,testRuntimeClasspath
com.fasterxml.woodstox:woodstox-core:7.1.1=testRuntimeClasspath
com.github.oshi:oshi-core:6.8.2=runtimeClasspath,testRuntimeClasspath
com.github.stephenc.jcip:jcip-annotations:1.0-1=runtimeClasspath,testRuntimeClasspath
com.google.cloud.opentelemetry:detector-resources-support:0.36.0=testRuntimeClasspath
com.google.errorprone:error_prone_annotations:2.40.0=runtimeClasspath,testRuntimeClasspath
com.microsoft.azure:msal4j-persistence-extension:1.3.0=runtimeClasspath,testRuntimeClasspath
com.microsoft.azure:msal4j:1.21.0=runtimeClasspath,testRuntimeClasspath
com.nimbusds:content-type:2.3=runtimeClasspath,testRuntimeClasspath
com.nimbusds:lang-tag:1.7=runtimeClasspath,testRuntimeClasspath
com.nimbusds:nimbus-jose-jwt:10.3=runtimeClasspath,testRuntimeClasspath
com.nimbusds:oauth2-oidc-sdk:11.23=runtimeClasspath,testRuntimeClasspath
com.squareup.okhttp3:okhttp-jvm:5.1.0=testRuntimeClasspath
com.squareup.okhttp3:okhttp:5.1.0=testRuntimeClasspath
com.squareup.okio:okio-jvm:3.15.0=testRuntimeClasspath
com.squareup.okio:okio:3.15.0=testRuntimeClasspath
commons-codec:commons-codec:1.18.0=runtimeClasspath,testRuntimeClasspath
commons-io:commons-io:2.15.1=testRuntimeClasspath
io.netty:netty-bom:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-buffer:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-codec-base:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-codec-compression:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-codec-dns:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-codec-http2:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-codec-http:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-codec-marshalling:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-codec-protobuf:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-codec-socks:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-codec:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-common:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-handler-proxy:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-handler:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-resolver-dns-classes-macos:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-resolver-dns-native-macos:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-resolver-dns:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-resolver:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-tcnative-boringssl-static:2.0.72.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-tcnative-classes:2.0.72.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-transport-classes-epoll:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-transport-classes-kqueue:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-transport-native-epoll:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-transport-native-kqueue:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-transport-native-unix-common:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.netty:netty-transport:4.2.3.Final=runtimeClasspath,testRuntimeClasspath
io.opentelemetry.contrib:opentelemetry-aws-resources:1.47.0-alpha=testRuntimeClasspath
io.opentelemetry.contrib:opentelemetry-aws-xray-propagator:1.47.0-alpha=testRuntimeClasspath
io.opentelemetry.contrib:opentelemetry-azure-resources:1.47.0-alpha=testRuntimeClasspath
io.opentelemetry.contrib:opentelemetry-baggage-processor:1.47.0-alpha=testRuntimeClasspath
io.opentelemetry.contrib:opentelemetry-cloudfoundry-resources:1.47.0-alpha=testRuntimeClasspath
io.opentelemetry.contrib:opentelemetry-gcp-resources:1.47.0-alpha=testRuntimeClasspath
io.opentelemetry.contrib:opentelemetry-jfr-connection:1.47.0-alpha=runtimeClasspath,testRuntimeClasspath
io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations-support:2.18.1-alpha=testRuntimeClasspath
io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-incubator:2.18.1-alpha=testRuntimeClasspath
io.opentelemetry.instrumentation:opentelemetry-instrumentation-api:2.18.1=testRuntimeClasspath
io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:2.18.1-alpha=runtimeClasspath,testRuntimeClasspath
io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom:2.18.1=runtimeClasspath,testRuntimeClasspath
io.opentelemetry.instrumentation:opentelemetry-sdk-autoconfigure-support:2.18.1-alpha=testRuntimeClasspath
io.opentelemetry.javaagent:opentelemetry-javaagent-bootstrap:2.18.1-alpha=testRuntimeClasspath
io.opentelemetry.javaagent:opentelemetry-javaagent-extension-api:2.18.1-alpha=testRuntimeClasspath
io.opentelemetry.javaagent:opentelemetry-javaagent-tooling-java9:2.18.1-alpha=testRuntimeClasspath
io.opentelemetry.javaagent:opentelemetry-javaagent-tooling:2.18.1-alpha=testRuntimeClasspath
io.opentelemetry.javaagent:opentelemetry-muzzle:2.18.1-alpha=testRuntimeClasspath
io.opentelemetry.semconv:opentelemetry-semconv-incubating:1.34.0-alpha=testRuntimeClasspath
io.opentelemetry.semconv:opentelemetry-semconv:1.34.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-api-incubator:1.52.0-alpha=testRuntimeClasspath
io.opentelemetry:opentelemetry-api:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-bom-alpha:1.52.0-alpha=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-bom:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-common:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-context:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-exporter-common:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-exporter-logging-otlp:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-exporter-logging:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-exporter-otlp-common:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-exporter-otlp:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-exporter-prometheus:1.52.0-alpha=testRuntimeClasspath
io.opentelemetry:opentelemetry-exporter-sender-okhttp:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-exporter-zipkin:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-extension-kotlin:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-extension-trace-propagators:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-sdk-common:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-sdk-extension-autoconfigure:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-sdk-extension-incubator:1.52.0-alpha=testRuntimeClasspath
io.opentelemetry:opentelemetry-sdk-extension-jaeger-remote-sampler:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-sdk-logs:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-sdk-metrics:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-sdk-testing:1.52.0=testRuntimeClasspath
io.opentelemetry:opentelemetry-sdk-trace:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-sdk:1.52.0=runtimeClasspath,testRuntimeClasspath
io.opentelemetry:opentelemetry-semconv:1.30.1-alpha=runtimeClasspath,testRuntimeClasspath
io.projectreactor.netty:reactor-netty-core:1.2.8=runtimeClasspath,testRuntimeClasspath
io.projectreactor.netty:reactor-netty-http:1.2.8=runtimeClasspath,testRuntimeClasspath
io.projectreactor:reactor-core:3.7.8=runtimeClasspath,testRuntimeClasspath
io.projectreactor:reactor-test:3.4.38=testRuntimeClasspath
io.prometheus:prometheus-metrics-config:1.3.8=testRuntimeClasspath
io.prometheus:prometheus-metrics-exporter-common:1.3.8=testRuntimeClasspath
io.prometheus:prometheus-metrics-exporter-httpserver:1.3.8=testRuntimeClasspath
io.prometheus:prometheus-metrics-exposition-textformats:1.3.8=testRuntimeClasspath
io.prometheus:prometheus-metrics-model:1.3.8=testRuntimeClasspath
io.zipkin.reporter2:zipkin-reporter:3.5.1=testRuntimeClasspath
io.zipkin.reporter2:zipkin-sender-okhttp3:3.5.1=testRuntimeClasspath
io.zipkin.zipkin2:zipkin:2.27.1=testRuntimeClasspath
javax.servlet:javax.servlet-api:3.1.0=testRuntimeClasspath
net.bytebuddy:byte-buddy-agent:1.12.19=testRuntimeClasspath
net.bytebuddy:byte-buddy-dep:1.17.6=testRuntimeClasspath
net.java.dev.jna:jna-platform:5.17.0=runtimeClasspath,testRuntimeClasspath
net.java.dev.jna:jna:5.17.0=runtimeClasspath,testRuntimeClasspath
net.minidev:accessors-smart:2.5.2=runtimeClasspath,testRuntimeClasspath
net.minidev:json-smart:2.5.2=runtimeClasspath,testRuntimeClasspath
org.apache.commons:commons-compress:1.26.0=testRuntimeClasspath
org.apache.commons:commons-lang3:3.17.0=runtimeClasspath,testRuntimeClasspath
org.apache.commons:commons-text:1.13.1=runtimeClasspath,testRuntimeClasspath
org.assertj:assertj-core:3.27.3=testRuntimeClasspath
org.awaitility:awaitility:4.3.0=testRuntimeClasspath
org.codehaus.woodstox:stax2-api:4.2.2=testRuntimeClasspath
org.eclipse.jetty:jetty-http:9.4.54.v20240208=testRuntimeClasspath
org.eclipse.jetty:jetty-io:9.4.54.v20240208=testRuntimeClasspath
org.eclipse.jetty:jetty-security:9.4.54.v20240208=testRuntimeClasspath
org.eclipse.jetty:jetty-server:9.4.54.v20240208=testRuntimeClasspath
org.eclipse.jetty:jetty-servlet:9.4.54.v20240208=testRuntimeClasspath
org.eclipse.jetty:jetty-util-ajax:9.4.54.v20240208=testRuntimeClasspath
org.eclipse.jetty:jetty-util:9.4.54.v20240208=testRuntimeClasspath
org.hamcrest:hamcrest:2.1=testRuntimeClasspath
org.jetbrains.kotlin:kotlin-bom:2.1.21=testRuntimeClasspath
org.jetbrains.kotlin:kotlin-stdlib:2.2.0=testRuntimeClasspath
org.jetbrains:annotations:13.0=testRuntimeClasspath
org.junit.jupiter:junit-jupiter-api:5.13.3=testRuntimeClasspath
org.junit.jupiter:junit-jupiter-engine:5.13.3=testRuntimeClasspath
org.junit.jupiter:junit-jupiter-params:5.13.3=testRuntimeClasspath
org.junit.jupiter:junit-jupiter:5.13.3=testRuntimeClasspath
org.junit.platform:junit-platform-commons:1.13.3=testRuntimeClasspath
org.junit.platform:junit-platform-engine:1.13.3=testRuntimeClasspath
org.junit.platform:junit-platform-launcher:1.13.3=testRuntimeClasspath
org.junit:junit-bom:5.13.3=runtimeClasspath,testRuntimeClasspath
org.mockito:mockito-core:4.11.0=testRuntimeClasspath
org.objenesis:objenesis:3.3=testRuntimeClasspath
org.opentest4j:opentest4j:1.3.0=testRuntimeClasspath
org.ow2.asm:asm-analysis:9.8=testRuntimeClasspath
org.ow2.asm:asm-commons:9.8=testRuntimeClasspath
org.ow2.asm:asm-tree:9.8=testRuntimeClasspath
org.ow2.asm:asm-util:9.8=testRuntimeClasspath
org.ow2.asm:asm:9.8=testRuntimeClasspath
org.reactivestreams:reactive-streams:1.0.4=runtimeClasspath,testRuntimeClasspath
org.slf4j:jcl-over-slf4j:2.0.17=runtimeClasspath,testRuntimeClasspath
org.slf4j:jul-to-slf4j:2.0.17=testRuntimeClasspath
org.slf4j:log4j-over-slf4j:2.0.17=testRuntimeClasspath
org.slf4j:slf4j-api:2.0.17=runtimeClasspath,testRuntimeClasspath
org.snakeyaml:snakeyaml-engine:2.9=testRuntimeClasspath
org.testcontainers:testcontainers-bom:1.21.3=runtimeClasspath,testRuntimeClasspath
org.yaml:snakeyaml:2.4=testRuntimeClasspath
empty=
5 changes: 4 additions & 1 deletion dependencyManagement/build.gradle.kts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,10 @@ val DEPENDENCIES = listOf(
"io.opentelemetry.contrib:opentelemetry-jfr-connection:${otelContribVersion}-alpha",
"io.opentelemetry.contrib:opentelemetry-runtime-attach-core:${otelContribVersion}-alpha",
"com.google.code.findbugs:jsr305:3.0.2",
"com.github.spotbugs:spotbugs-annotations:4.9.3"
"com.github.spotbugs:spotbugs-annotations:4.9.3",
// Security updates for CVEs
"com.nimbusds:nimbus-jose-jwt:10.3", // CVE-2025-53864 fix
"io.projectreactor.netty:reactor-netty-http:1.2.8" // CVE-2025-22227 fix
Comment on lines +74 to +75
Copy link
Owner

@trask trask Jul 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot what are the transitive dependencies pulling this in?

Copy link
Owner

@trask trask Jul 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://gh.io/copilot-coding-agent-docs what are the transitive dependencies pulling these in?

Copy link
Author

Copilot AI Jul 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on the dependency insight, here are the transitive dependencies pulling these in:

nimbus-jose-jwt 10.0.1 (CVE-2025-53864):

  • com.azure:azure-identitycom.microsoft.azure:msal4j:1.21.0com.nimbusds:oauth2-oidc-sdk:11.23com.nimbusds:nimbus-jose-jwt:10.0.1

reactor-netty-http 1.0.48 (CVE-2025-22227):

  • Multiple Azure SDK components via com.azure:azure-core-http-netty:1.15.12:
    • com.azure:azure-monitor-opentelemetry-autoconfigure:1.2.0
    • com.azure:azure-identity:1.16.2
    • com.azure:azure-storage-blob:12.30.1
    • com.azure:azure-storage-common:12.29.1

The dependency constraints I added force these to the secure versions (10.3 and 1.2.8 respectively).

Copy link
Owner

@trask trask Jul 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what are the versions of these two dependencies currently?

Copy link
Author

Copilot AI Jul 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on the dependency insight, here are the current versions:

Before my changes:

  • nimbus-jose-jwt: 10.0.1 (vulnerable)
  • reactor-netty-http: 1.0.48 (vulnerable)

After my changes:

  • nimbus-jose-jwt: 10.3 (secure)
  • reactor-netty-http: 1.2.8 (secure)

The dependency constraints I added in lines 74-75 force these to the secure versions.

)

javaPlatform {
Expand Down
Loading