[Snyk] Fixed vulnerabilities

distribution/server/src/assemble/LICENSE.bin.txt

@@ -590,7 +590,7 @@ CDDL-1.1 -- ../licenses/LICENSE-CDDL-1.1.txt
  * Jersey
     - org.glassfish.jersey.containers-jersey-container-servlet-2.42.jar
     - org.glassfish.jersey.containers-jersey-container-servlet-core-2.42.jar
-    - org.glassfish.jersey.core-jersey-client-2.42.jar
+    - org.glassfish.jersey.core-jersey-client-2.46.jar
     - org.glassfish.jersey.core-jersey-common-2.42.jar
     - org.glassfish.jersey.core-jersey-server-2.42.jar
     - org.glassfish.jersey.ext-jersey-entity-filtering-2.42.jar

distribution/shell/src/assemble/LICENSE.bin.txt

@@ -440,7 +440,7 @@ CDDL-1.1 -- ../licenses/LICENSE-CDDL-1.1.txt
     - aopalliance-repackaged-2.6.1.jar
     - osgi-resource-locator-1.0.3.jar
  * Jersey
-    - jersey-client-2.42.jar
+    - jersey-client-2.46.jar
     - jersey-common-2.42.jar
     - jersey-entity-filtering-2.42.jar
     - jersey-media-json-jackson-2.42.jar

pom.xml

@@ -190,6 +190,7 @@ flexible messaging model and an intuitive client API.</description>
     <jetty.version>9.4.58.v20250814</jetty.version>
     <conscrypt.version>2.5.2</conscrypt.version>
     <jersey.version>2.42</jersey.version>
+    <jersey-client.version>2.46</jersey-client.version>
     <athenz.version>1.10.62</athenz.version>
     <prometheus.version>0.16.0</prometheus.version>
     <vertx.version>4.5.22</vertx.version>
@@ -227,6 +228,7 @@ flexible messaging model and an intuitive client API.</description>
     <cassandra.version>3.11.2</cassandra.version>
     <aerospike-client.version>4.5.0</aerospike-client.version>
     <kafka-client.version>3.9.1</kafka-client.version>
+    <lz4-java.version>1.10.1</lz4-java.version>
     <rabbitmq-client.version>5.28.0</rabbitmq-client.version>
     <aws-sdk.version>1.12.788</aws-sdk.version>
     <aws-sdk2.version>2.32.28</aws-sdk2.version>
@@ -243,9 +245,11 @@ flexible messaging model and an intuitive client API.</description>
     <json-smart.version>2.5.2</json-smart.version>
     <opensearch.version>2.19.4</opensearch.version>
     <debezium.version>3.2.0.Final</debezium.version>
+    <mssql-jdbc.version>12.4.3.jre8</mssql-jdbc.version>
     <elasticsearch-java.version>8.15.3</elasticsearch-java.version>
     <debezium.postgresql.version>42.7.7</debezium.postgresql.version>
     <debezium.mysql.version>9.3.0</debezium.mysql.version>
+    <mysql-connector-j.version>9.3.0</mysql-connector-j.version>
     <!-- Override version that brings CVE-2022-3143 with debezium -->
     <wildfly-elytron.version>1.15.16.Final</wildfly-elytron.version>
     <jsonwebtoken.version>0.11.1</jsonwebtoken.version>
@@ -892,7 +896,7 @@ flexible messaging model and an intuitive client API.</description>
       <dependency>
         <groupId>org.glassfish.jersey.core</groupId>
         <artifactId>jersey-client</artifactId>
-        <version>${jersey.version}</version>
+        <version>${jersey-client.version}</version>
       </dependency>
 
       <dependency>

pulsar-io/debezium/core/pom.xml

@@ -81,6 +81,13 @@
           <artifactId>jose4j</artifactId>
           <groupId>org.bitbucket.b_c</groupId>
         </exclusion>
+        <!-- Exclude lz4-java as 1.10.1 fixes the vulnerability but pulsar-client:3.9.1 has 1.8.0
+             and project is migrated to at.yawk.lz4
+             TODO: Review this exclusion while doing version upgrade for kafka -->
+        <exclusion>
+          <groupId>org.lz4</groupId>
+          <artifactId>lz4-java</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
@@ -112,6 +119,19 @@
       <version>${debezium.version}</version>
       <scope>test</scope>
     </dependency>
+    <!-- Override the mysql-connector-j version which gets pulled transitively in debezium-connector-mysql -->
+    <dependency>
+      <groupId>com.mysql</groupId>
+      <artifactId>mysql-connector-j</artifactId>
+      <version>${mysql-connector-j.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <!-- Override the lz4-java version which gets pulled transitively in connect-runtime -->
+    <dependency>
+      <groupId>at.yawk.lz4</groupId>
+      <artifactId>lz4-java</artifactId>
+      <version>${lz4-java.version}</version>
+    </dependency>
 
     <dependency>
       <groupId>${project.groupId}</groupId>

pulsar-io/debezium/mssql/pom.xml

@@ -50,6 +50,12 @@
       <artifactId>debezium-connector-sqlserver</artifactId>
       <version>${debezium.version}</version>
     </dependency>
+    <!-- Override the mssql-jdbc version which gets pulled transitively in debezium-connector-sqlserver -->
+    <dependency>
+      <groupId>com.microsoft.sqlserver</groupId>
+      <artifactId>mssql-jdbc</artifactId>
+      <version>${mssql-jdbc.version}</version>
+    </dependency>
 
   </dependencies>
 

pulsar-io/debezium/mysql/pom.xml

@@ -50,6 +50,13 @@
       <version>${debezium.version}</version>
     </dependency>
 
+    <!-- Override the mysql-connector-j version which gets pulled transitively in debezium-connector-mysql -->
+    <dependency>
+      <groupId>com.mysql</groupId>
+      <artifactId>mysql-connector-j</artifactId>
+      <version>${mysql-connector-j.version}</version>
+    </dependency>
+
   </dependencies>
 
   <dependencyManagement>
@@ -59,6 +66,12 @@
         <artifactId>mysql-connector-java</artifactId>
         <version>${debezium.mysql.version}</version>
       </dependency>
+      <!-- Override the mysql-connector-j version which gets pulled transitively in debezium-connector-mysql -->
+      <dependency>
+        <groupId>com.mysql</groupId>
+        <artifactId>mysql-connector-j</artifactId>
+        <version>${mysql-connector-j.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 

pulsar-io/kafka/pom.xml

@@ -42,6 +42,12 @@
         <artifactId>jakarta.el</artifactId>
         <version>3.0.4</version>
       </dependency>
+      <!-- Override the lz4-java version which gets pulled transitively in kafka-clients -->
+      <dependency>
+        <groupId>at.yawk.lz4</groupId>
+        <artifactId>lz4-java</artifactId>
+        <version>${lz4-java.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
@@ -89,8 +95,20 @@
           <artifactId>jose4j</artifactId>
           <groupId>org.bitbucket.b_c</groupId>
         </exclusion>
+        <!-- Exclude lz4-java as 1.10.1 fixes the vulnerability but pulsar-client:3.9.1 has 1.8.0
+             and project is migrated to at.yawk.lz4
+             TODO: Review this exclusion while doing version upgrade for kafka -->
+        <exclusion>
+          <groupId>org.lz4</groupId>
+          <artifactId>lz4-java</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
+    <!-- Override the lz4-java version which gets pulled transitively -->
+    <dependency>
+      <groupId>at.yawk.lz4</groupId>
+      <artifactId>lz4-java</artifactId>
+    </dependency>
 
     <dependency>
       <groupId>io.confluent</groupId>

pulsar-io/kinesis/pom.xml

@@ -39,11 +39,26 @@
 
   <dependencyManagement>
     <dependencies>
-      <!-- enforce kafka client version that gets pulled transitively -->
+      <!-- enforce kafka client version that gets pulled transitively  -->
       <dependency>
         <groupId>org.apache.kafka</groupId>
         <artifactId>kafka-clients</artifactId>
         <version>${kafka-client.version}</version>
+        <!-- Exclude lz4-java as 1.10.1 fixes the vulnerability but pulsar-client:3.9.1 has 1.8.0
+             and project is migrated to at.yawk.lz4
+             TODO: Review this exclusion while doing version upgrade for kafka -->
+        <exclusions>
+          <exclusion>
+            <groupId>org.lz4</groupId>
+            <artifactId>lz4-java</artifactId>
+          </exclusion>
+        </exclusions>
+      </dependency>
+      <!-- Override the lz4-java version which gets pulled transitively -->
+      <dependency>
+        <groupId>at.yawk.lz4</groupId>
+        <artifactId>lz4-java</artifactId>
+        <version>${lz4-java.version}</version>
       </dependency>
     </dependencies>
   </dependencyManagement>