Skip to content

Upgrade commons-text to fix CVE-2025-48924 #4241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 2, 2025
Merged

Upgrade commons-text to fix CVE-2025-48924 #4241

merged 1 commit into from
Oct 2, 2025

Conversation

@nathaliellenaa
Copy link
Contributor

@nathaliellenaa nathaliellenaa commented Oct 2, 2025

Description

commons-text versions 1.10.0 - 1.13.0 have a transitive dependency on commons-lang3 < 3.18.0 (ref), which causes this CVE-2025-48924. Upgrading commons-text to 1.14.0 should fix this issue.

Related Issues

Resolves opensearch-project/opensearch-build#5693

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@nathaliellenaa
Upgrade commons-text
c1453cd 
Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>
@nathaliellenaa nathaliellenaa temporarily deployed to ml-commons-cicd-env-require-approval October 2, 2025 00:05 — with GitHub Actions Inactive
@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 2, 2025 00:05 — with GitHub Actions Error
@nathaliellenaa nathaliellenaa temporarily deployed to ml-commons-cicd-env-require-approval October 2, 2025 00:05 — with GitHub Actions Inactive
@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 2, 2025 00:05 — with GitHub Actions Failure
@dhrubo-os
Copy link
Collaborator

dhrubo-os commented Oct 2, 2025

Can you please add the output of dependency insight for this library to see right now which version is it picking up?

@pyek-bot
Copy link
Collaborator

pyek-bot commented Oct 2, 2025

Reference PR: #4062
Some commands here you can use for the dependency insight

@nathaliellenaa
Copy link
Contributor Author

nathaliellenaa commented Oct 2, 2025

Can you please add the output of dependency insight for this library to see right now which version is it picking up?

It's using the correct one now commons-lang3:3.18.0

% ./gradlew opensearch-ml-algorithms:dependencyInsight --dependency commons-lang3
=======================================
OpenSearch Build Hamster says Hello!
  Gradle Version        : 8.14.3
  OS Info               : Mac OS X 15.5 (aarch64)
  JDK Version           : 21 (Homebrew JDK)
  JAVA_HOME             : /opt/homebrew/Cellar/openjdk@21/21.0.5/libexec/openjdk.jdk/Contents/Home
  Random Testing Seed   : 7CDC19A17419A284
  Crypto Standard       : any-supported
=======================================

> Task :opensearch-ml-algorithms:dependencyInsight
org.apache.commons:commons-lang3:3.18.0
  Variant compile:
    | Attribute Name                 | Provided | Requested    |
    |--------------------------------|----------|--------------|
    | org.gradle.status              | release  |              |
    | org.gradle.category            | library  | library      |
    | org.gradle.libraryelements     | jar      | classes      |
    | org.gradle.usage               | java-api | java-api     |
    | org.gradle.dependency.bundling |          | external     |
    | org.gradle.jvm.environment     |          | standard-jvm |
    | org.gradle.jvm.version         |          | 21           |
   Selection reasons:
      - By conflict resolution: between versions 3.18.0, 3.12.0 and 3.11

org.apache.commons:commons-lang3:3.18.0
\--- org.apache.commons:commons-text:1.14.0
     +--- compileClasspath
     \--- com.opencsv:opencsv:5.4 (requested org.apache.commons:commons-text:1.9)
          \--- org.tribuo:tribuo-data:4.2.1
               +--- org.tribuo:tribuo-clustering-kmeans:4.2.1
               |    \--- compileClasspath
               +--- org.tribuo:tribuo-regression-sgd:4.2.1
               |    \--- compileClasspath
               +--- org.tribuo:tribuo-classification-sgd:4.2.1
               |    \--- compileClasspath
               +--- org.tribuo:tribuo-common-sgd:4.2.1
               |    +--- org.tribuo:tribuo-regression-sgd:4.2.1 (*)
               |    \--- org.tribuo:tribuo-classification-sgd:4.2.1 (*)
               +--- org.tribuo:tribuo-anomaly-core:4.2.1
               |    \--- org.tribuo:tribuo-anomaly-libsvm:4.2.1
               |         \--- compileClasspath
               \--- org.tribuo:tribuo-common-tree:4.2.1
                    \--- org.tribuo:tribuo-classification-core:4.2.1
                         \--- org.tribuo:tribuo-classification-sgd:4.2.1 (*)

org.apache.commons:commons-lang3:3.11 -> 3.18.0
\--- com.opencsv:opencsv:5.4
     \--- org.tribuo:tribuo-data:4.2.1
          +--- org.tribuo:tribuo-clustering-kmeans:4.2.1
          |    \--- compileClasspath
          +--- org.tribuo:tribuo-regression-sgd:4.2.1
          |    \--- compileClasspath
          +--- org.tribuo:tribuo-classification-sgd:4.2.1
          |    \--- compileClasspath
          +--- org.tribuo:tribuo-common-sgd:4.2.1
          |    +--- org.tribuo:tribuo-regression-sgd:4.2.1 (*)
          |    \--- org.tribuo:tribuo-classification-sgd:4.2.1 (*)
          +--- org.tribuo:tribuo-anomaly-core:4.2.1
          |    \--- org.tribuo:tribuo-anomaly-libsvm:4.2.1
          |         \--- compileClasspath
          \--- org.tribuo:tribuo-common-tree:4.2.1
               \--- org.tribuo:tribuo-classification-core:4.2.1
                    \--- org.tribuo:tribuo-classification-sgd:4.2.1 (*)

org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
\--- com.amazonaws:aws-encryption-sdk-java:2.4.1
     \--- compileClasspath

I tried running the same command without this change (from main branch) and see it's using commons-lang3:3.12.0

% ./gradlew opensearch-ml-algorithms:dependencyInsight --dependency commons-lang3
=======================================
OpenSearch Build Hamster says Hello!
  Gradle Version        : 8.14.3
  OS Info               : Mac OS X 15.5 (aarch64)
  JDK Version           : 21 (Homebrew JDK)
  JAVA_HOME             : /opt/homebrew/Cellar/openjdk@21/21.0.5/libexec/openjdk.jdk/Contents/Home
  Random Testing Seed   : 4979B624A65044DF
  Crypto Standard       : any-supported
=======================================

> Task :opensearch-ml-algorithms:dependencyInsight
org.apache.commons:commons-lang3:3.12.0
  Variant compile:
    | Attribute Name                 | Provided | Requested    |
    |--------------------------------|----------|--------------|
    | org.gradle.status              | release  |              |
    | org.gradle.category            | library  | library      |
    | org.gradle.libraryelements     | jar      | classes      |
    | org.gradle.usage               | java-api | java-api     |
    | org.gradle.dependency.bundling |          | external     |
    | org.gradle.jvm.environment     |          | standard-jvm |
    | org.gradle.jvm.version         |          | 21           |
   Selection reasons:
      - By conflict resolution: between versions 3.12.0 and 3.11

org.apache.commons:commons-lang3:3.12.0
+--- com.amazonaws:aws-encryption-sdk-java:2.4.1
|    \--- compileClasspath
\--- org.apache.commons:commons-text:1.10.0
     +--- compileClasspath
     \--- com.opencsv:opencsv:5.4 (requested org.apache.commons:commons-text:1.9)
          \--- org.tribuo:tribuo-data:4.2.1
               +--- org.tribuo:tribuo-clustering-kmeans:4.2.1
               |    \--- compileClasspath
               +--- org.tribuo:tribuo-regression-sgd:4.2.1
               |    \--- compileClasspath
               +--- org.tribuo:tribuo-classification-sgd:4.2.1
               |    \--- compileClasspath
               +--- org.tribuo:tribuo-common-sgd:4.2.1
               |    +--- org.tribuo:tribuo-regression-sgd:4.2.1 (*)
               |    \--- org.tribuo:tribuo-classification-sgd:4.2.1 (*)
               +--- org.tribuo:tribuo-anomaly-core:4.2.1
               |    \--- org.tribuo:tribuo-anomaly-libsvm:4.2.1
               |         \--- compileClasspath
               \--- org.tribuo:tribuo-common-tree:4.2.1
                    \--- org.tribuo:tribuo-classification-core:4.2.1
                         \--- org.tribuo:tribuo-classification-sgd:4.2.1 (*)

org.apache.commons:commons-lang3:3.11 -> 3.12.0
\--- com.opencsv:opencsv:5.4
     \--- org.tribuo:tribuo-data:4.2.1
          +--- org.tribuo:tribuo-clustering-kmeans:4.2.1
          |    \--- compileClasspath
          +--- org.tribuo:tribuo-regression-sgd:4.2.1
          |    \--- compileClasspath
          +--- org.tribuo:tribuo-classification-sgd:4.2.1
          |    \--- compileClasspath
          +--- org.tribuo:tribuo-common-sgd:4.2.1
          |    +--- org.tribuo:tribuo-regression-sgd:4.2.1 (*)
          |    \--- org.tribuo:tribuo-classification-sgd:4.2.1 (*)
          +--- org.tribuo:tribuo-anomaly-core:4.2.1
          |    \--- org.tribuo:tribuo-anomaly-libsvm:4.2.1
          |         \--- compileClasspath
          \--- org.tribuo:tribuo-common-tree:4.2.1
               \--- org.tribuo:tribuo-classification-core:4.2.1
                    \--- org.tribuo:tribuo-classification-sgd:4.2.1 (*)

@codecov
Copy link

codecov bot commented Oct 2, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.54%. Comparing base (8047b01) to head (c1453cd).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff            @@
##               main    #4241   +/-   ##
=========================================
  Coverage     79.54%   79.54%           
  Complexity     9690     9690           
=========================================
  Files           833      833           
  Lines         43027    43027           
  Branches       4946     4946           
=========================================
  Hits          34226    34226           
  Misses         6715     6715           
  Partials       2086     2086
Flag Coverage Δ
ml-commons 79.54% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 2, 2025 01:50 — with GitHub Actions Failure
@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 2, 2025 01:50 — with GitHub Actions Failure
@dhrubo-os dhrubo-os merged commit b5a312f into opensearch-project:main Oct 2, 2025
10 of 14 checks passed
@peterzhuamazon peterzhuamazon mentioned this pull request Oct 2, 2025
Closed
66 tasks
@opensearch-trigger-bot
Copy link
Contributor

opensearch-trigger-bot bot commented Oct 2, 2025

The backport to 3.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-3.3 3.3
# Navigate to the new working tree
cd .worktrees/backport-3.3
# Create a new branch
git switch --create backport/backport-4241-to-3.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 b5a312f9d5a5776812ab96099ebae548a9d865c7
# Push it to GitHub
git push --set-upstream origin backport/backport-4241-to-3.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-3.3

Then, create a pull request where the base branch is 3.3 and the compare/head branch is backport/backport-4241-to-3.3.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ylwu-amzn ylwu-amzn ylwu-amzn approved these changes

@dhrubo-os dhrubo-os dhrubo-os approved these changes

@b4sjoo b4sjoo Awaiting requested review from b4sjoo b4sjoo is a code owner

@mingshl mingshl Awaiting requested review from mingshl mingshl is a code owner

@jngz-es jngz-es Awaiting requested review from jngz-es jngz-es is a code owner

@model-collapse model-collapse Awaiting requested review from model-collapse model-collapse is a code owner

@rbhavna rbhavna Awaiting requested review from rbhavna rbhavna is a code owner

@zane-neo zane-neo Awaiting requested review from zane-neo zane-neo is a code owner

@Zhangxunmt Zhangxunmt Awaiting requested review from Zhangxunmt Zhangxunmt is a code owner

@austintlee austintlee Awaiting requested review from austintlee austintlee is a code owner

@HenryL27 HenryL27 Awaiting requested review from HenryL27 HenryL27 is a code owner

@sam-herman sam-herman Awaiting requested review from sam-herman sam-herman is a code owner

@xinyual xinyual Awaiting requested review from xinyual xinyual is a code owner

@pyek-bot pyek-bot Awaiting requested review from pyek-bot pyek-bot is a code owner

Assignees

No one assigned

Labels

backport 3.3

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[RELEASE] Release version 3.3.0

5 participants

@nathaliellenaa @dhrubo-os @pyek-bot @ylwu-amzn @peterzhuamazon