From 6e6b8f502a2ee296fdbd8ff6125adc3f5ee548bf Mon Sep 17 00:00:00 2001 From: Milton Ortegon Date: Mon, 16 Mar 2026 11:04:27 -0500 Subject: [PATCH 1/2] Fix critical vulnerabilities --- drone-fly-app/pom.xml | 71 +++++++++++++++++++ drone-fly-core/pom.xml | 18 +++-- .../dronefly/core/DroneFlyCoreTest.java | 2 +- .../core/integration/DummyListener.java | 2 +- pom.xml | 24 +++++++ 5 files changed, 109 insertions(+), 8 deletions(-) diff --git a/drone-fly-app/pom.xml b/drone-fly-app/pom.xml index a91311b..982f276 100644 --- a/drone-fly-app/pom.xml +++ b/drone-fly-app/pom.xml @@ -15,10 +15,16 @@ 1.11.532 0.2.5 4.0.1 + 1.11.4 + 2.0.1 8008 + + org.springframework.boot + spring-boot-starter-web + com.expediagroup drone-fly-core @@ -88,8 +94,30 @@ jdk.tools jdk.tools + + org.apache.logging.log4j + log4j-1.2-api + + + org.apache.avro + avro + + + org.apache.kerby + kerb-admin + + + org.apache.avro + avro + ${avro.version} + + org.apache.hive hive-standalone-metastore-server @@ -131,6 +159,14 @@ tomcat jasper-runtime + + org.apache.hadoop + hadoop-common + + + org.apache.logging.log4j + log4j-1.2-api + @@ -155,12 +191,32 @@ org.apache.hadoop hadoop-client-runtime 3.3.6 + + + org.apache.avro + avro + + + org.apache.kerby + kerb-admin + + org.apache.hadoop hadoop-mapreduce-client-core 3.3.6 test + + + org.apache.avro + avro + + + org.apache.kerby + kerb-admin + + org.springframework @@ -177,6 +233,21 @@ awaitility test + + org.apache.tomcat.embed + tomcat-embed-core + ${tomcat.embeded.version} + + + org.apache.tomcat.embed + tomcat-embed-el + ${tomcat.embeded.version} + + + org.apache.tomcat.embed + tomcat-embed-websocket + ${tomcat.embeded.version} + diff --git a/drone-fly-core/pom.xml b/drone-fly-core/pom.xml index 50aefcc..d5e51d9 100644 --- a/drone-fly-core/pom.xml +++ b/drone-fly-core/pom.xml 
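Review bot: The property `tomcat.embeded.version` referenced by the three `tomcat-embed-*` dependencies added at the end of this hunk is misspelled and carries no record of why it overrides the Tomcat version the Spring Boot BOM would otherwise manage, so a later Boot upgrade is likely either to leave a stale pin in place or to silently reintroduce the skew this commit is removing. I would rename it to `tomcat.embedded.version` here and where it is declared (the `10.1.50` value added to the root pom in this series is presumably that declaration, though the tag name is not visible in this excerpt) and annotate the declaration with `<!-- Overrides the Boot-managed Tomcat embed version; remove once the Boot BOM manages a patched release -->`. Driving embed-core, embed-el and embed-websocket from one property, as done here, is the right shape, since mixing their versions is a common source of runtime failures. The `<properties>` and `<dependencies>` elements these lines belong to open outside the hunk.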
@@ -26,12 +26,18 @@ org.springframework.boot spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-logging - - + + + org.apache.tomcat.embed + tomcat-embed-core + + + org.apache.tomcat.embed + tomcat-embed-el + + + org.apache.tomcat.embed + tomcat-embed-websocket org.springframework diff --git a/drone-fly-core/src/test/java/com/expediagroup/dataplatform/dronefly/core/DroneFlyCoreTest.java b/drone-fly-core/src/test/java/com/expediagroup/dataplatform/dronefly/core/DroneFlyCoreTest.java index a0ce34e..7355572 100644 --- a/drone-fly-core/src/test/java/com/expediagroup/dataplatform/dronefly/core/DroneFlyCoreTest.java +++ b/drone-fly-core/src/test/java/com/expediagroup/dataplatform/dronefly/core/DroneFlyCoreTest.java @@ -1,5 +1,5 @@ /** - * Copyright (C) 2020 Expedia, Inc. + * Copyright (C) 2020-2026 Expedia, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/drone-fly-integration-tests/src/test/java/com/expediagroup/dataplatform/dronefly/core/integration/DummyListener.java b/drone-fly-integration-tests/src/test/java/com/expediagroup/dataplatform/dronefly/core/integration/DummyListener.java index 1ff92bd..9dfaa06 100644 --- a/drone-fly-integration-tests/src/test/java/com/expediagroup/dataplatform/dronefly/core/integration/DummyListener.java +++ b/drone-fly-integration-tests/src/test/java/com/expediagroup/dataplatform/dronefly/core/integration/DummyListener.java @@ -1,5 +1,5 @@ /** - * Copyright (C) 2020 Expedia, Inc. + * Copyright (C) 2020-2026 Expedia, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/pom.xml b/pom.xml index 00accf7..d32770b 100644 --- a/pom.xml +++ b/pom.xml @@ -39,6 +39,7 @@ 3.2.12 3.2.4 3.4.3 + 10.1.50 amazoncorretto 21-al2023 ${docker.from.image}:${docker.from.tag} 
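Review bot: The three `tomcat-embed-*` exclusions added to `spring-boot-starter-web` in drone-fly-core are not paired with replacement declarations in this module, so a consumer of drone-fly-core that does not itself declare the pinned Tomcat artifacts (as drone-fly-app does in this series) would start without an embedded servlet container. The root pom's dependencyManagement entry for `spring-boot-starter-web` in this same series appears to carry identical exclusions, which would make these module-level copies redundant; I would either drop them and rely on the managed entry, or keep them with a comment such as `<!-- Tomcat is excluded here; consumers must supply tomcat-embed-core/el/websocket at the managed version -->`. Whether drone-fly-integration-tests supplies them cannot be confirmed from this patch. The enclosing `<dependencies>` element begins outside the hunk.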
@@ -68,6 +69,29 @@ pom import + + org.springframework.boot + spring-boot-starter-web + ${springframework.boot.version} + + + org.springframework.boot + spring-boot-starter-logging + + + org.apache.tomcat.embed + tomcat-embed-core + + + org.apache.tomcat.embed + tomcat-embed-el + + + org.apache.tomcat.embed + tomcat-embed-websocket + + + From efb9c263f8123efae4a4d0ef87750ed35470ac18 Mon Sep 17 00:00:00 2001 From: Milton Ortegon Date: Mon, 16 Mar 2026 11:52:51 -0500 Subject: [PATCH 2/2] Fix Avro/Kerby vulnerabilities by upgrading Hadoop to 3.4.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Upgrading hadoop-client-runtime from 3.3.6 to 3.4.2 resolves vulnerable libraries bundled inside the shaded JAR that Maven exclusions cannot reach: - Avro 1.7.7 → 1.11.3 (CVE-2023-39410, bundled via HADOOP-18880) - Kerby 1.0.1 → 2.0.3 (CVE-2023-25613, bundled via HADOOP-18956) Also removes the now-unnecessary explicit avro/kerb-admin dependency declarations and exclusions that were working around the same issue. Co-Authored-By: Claude Sonnet 4.6 --- drone-fly-app/pom.xml | 45 +++---------------------------------------- 1 file changed, 3 insertions(+), 42 deletions(-) diff --git a/drone-fly-app/pom.xml b/drone-fly-app/pom.xml index 982f276..2acac08 100644 --- a/drone-fly-app/pom.xml +++ b/drone-fly-app/pom.xml @@ -15,8 +15,7 @@ 1.11.532 0.2.5 4.0.1 - 1.11.4 - 2.0.1 + 3.4.2 8008 @@ -98,26 +97,8 @@ org.apache.logging.log4j log4j-1.2-api - - org.apache.avro - avro - - - org.apache.kerby - kerb-admin - - - org.apache.avro - avro - ${avro.version} - - org.apache.hive hive-standalone-metastore-server @@ -190,33 +171,13 @@ org.apache.hadoop hadoop-client-runtime - 3.3.6 - - - org.apache.avro - avro - - - org.apache.kerby - kerb-admin - - + ${hadoop.version} org.apache.hadoop hadoop-mapreduce-client-core - 3.3.6 + ${hadoop.version} test - - - org.apache.avro - avro - - - org.apache.kerby - kerb-admin - - org.springframework
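Review bot: Dropping the `org.apache.avro:avro` pin at `${avro.version}` together with the avro/kerb-admin exclusions on the non-Hadoop dependency at the top of the drone-fly-app hunk (the one whose exclusion list also names `log4j-1.2-api`, just before `hive-standalone-metastore-server`) is not covered by the Hadoop upgrade: the commit message explains that 3.4.2 fixes the copies bundled inside the shaded `hadoop-client-runtime` jar, but that other dependency's transitive, unshaded avro and kerb-admin artifacts are resolved independently and will now come in at whatever version it declares. The exclusion removal on `hadoop-mapreduce-client-core` looks fine, since that artifact is unshaded and now follows `${hadoop.version}`. Before merging I would run `mvn dependency:tree -Dincludes=org.apache.avro,org.apache.kerby` on drone-fly-app and, if an avro older than 1.11.3 or a kerby older than 2.0.3 resurfaces, keep a managed pin in the root pom's dependencyManagement rather than module-level exclusions. A comment on the new property, such as `<!-- 3.4.x bundles Avro 1.11.3 / Kerby 2.0.3 (CVE-2023-39410, CVE-2023-25613); do not downgrade -->`, would record why this version matters for anyone touching it later.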