Merge pull request #16108 from cdapio/cherrypick/sidhdirenge-vuln-fix

sidhdirenge · web-flow · commit a62f7b93ff90 · 2026-04-08T12:36:33.000+05:30
[cherry-pick]Fix security vulnerabilities introduced by io.kubernetes:client-java:16.0.2
diff --git a/cdap-credential-ext-gcp-wi/pom.xml b/cdap-credential-ext-gcp-wi/pom.xml
@@ -54,6 +54,34 @@
       <groupId>io.kubernetes</groupId>
       <artifactId>client-java</artifactId>
       <version>${k8s.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>commons-io</groupId>
+          <artifactId>commons-io</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.commons</groupId>
+          <artifactId>commons-compress</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.bitbucket.b_c</groupId>
+          <artifactId>jose4j</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <!-- Fixes CVE-2021-35515, CVE-2023-31582, CVE-2024-47554 -->
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-compress</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.bitbucket.b_c</groupId>
+      <artifactId>jose4j</artifactId>
+      <version>${bitbucket.jose4j.version}</version>
     </dependency>
     <dependency>
       <groupId>com.squareup.okhttp3</groupId>
diff --git a/cdap-kubernetes/pom.xml b/cdap-kubernetes/pom.xml
@@ -68,6 +68,34 @@
       <groupId>io.kubernetes</groupId>
       <artifactId>client-java</artifactId>
       <version>${k8s.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>commons-io</groupId>
+          <artifactId>commons-io</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.commons</groupId>
+          <artifactId>commons-compress</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.bitbucket.b_c</groupId>
+          <artifactId>jose4j</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <!-- Fixes CVE-2021-35515, CVE-2023-31582, CVE-2024-47554 -->
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-compress</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.bitbucket.b_c</groupId>
+      <artifactId>jose4j</artifactId>
+      <version>${bitbucket.jose4j.version}</version>
     </dependency>
     <dependency>
       <groupId>io.kubernetes</groupId>
diff --git a/pom.xml b/pom.xml
@@ -112,7 +112,9 @@
     <cdap.client.version>1.4.0</cdap.client.version>
     <commons.cli.version>1.2</commons.cli.version>
     <commons.collections.version>3.2.2</commons.collections.version>
-    <commons.compress.version>1.22</commons.compress.version>
+    <commons.io.version>2.15.1</commons.io.version>
+    <commons.compress.version>1.26.1</commons.compress.version>
+    <bitbucket.jose4j.version>0.9.3</bitbucket.jose4j.version>
     <commons.lang3.version>3.12.0</commons.lang3.version>
     <commons-configuration2.version>2.10.1</commons-configuration2.version>
     <dropwizard.version>3.1.2</dropwizard.version>
@@ -213,6 +215,16 @@
         <artifactId>jul-to-slf4j</artifactId>
         <version>${slf4j.version}</version>
       </dependency>
+      <dependency>
+        <groupId>commons-io</groupId>
+        <artifactId>commons-io</artifactId>
+        <version>${commons.io.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-compress</artifactId>
+        <version>${commons.compress.version}</version>
+      </dependency>
       <dependency>
         <groupId>io.cdap.common</groupId>
         <artifactId>common-cli</artifactId>
