Conversation

@RyanL1997 (Collaborator)

Description

[CVE] Upgrade assertj-core to 3.27.7

Related Issues

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • New functionality has javadoc added.
  • New functionality has a user manual doc added.
  • New PPL command checklist all confirmed.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff or -s.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Jialiang Liang <jiallian@amazon.com>
@coderabbitai (Contributor)

coderabbitai bot commented Feb 2, 2026

📝 Walkthrough

Updates AssertJ test dependency from 3.9.1 to 3.27.7 and adds a corresponding maintenance note in the 3.5.0.0 release notes. No functional code or public API changes.

Changes

  • Dependency Version Update (common/build.gradle): bumps the org.assertj:assertj-core test dependency from 3.9.1 to 3.27.7.
  • Release Notes (release-notes/opensearch-sql.release-notes-3.5.0.0.md): adds a Maintenance entry documenting the AssertJ upgrade ([#5100]).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • opensearch-project/sql#5092 — also updates the 3.5 release notes with the AssertJ 3.27.7 maintenance entry.

Suggested labels

maintenance

Suggested reviewers

  • ps48
  • kavithacm
  • derek-ho
  • penghuo
  • qianheng-aws

🚥 Pre-merge checks: 3 passed

  • Description check ✅ Passed: the description is directly related to the changeset, explaining the CVE upgrade, referencing the related security advisory, and providing a properly formatted checklist.
  • Docstring Coverage ✅ Passed: no functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check ✅ Passed: the title directly and specifically addresses the main change: upgrading assertj-core to 3.27.7 to resolve CVE-2026-24400, which is confirmed by both the file summaries and PR objectives.

@RyanL1997 RyanL1997 added the maintenance Improves code quality, but not the product label Feb 2, 2026
dai-chen
dai-chen previously approved these changes Feb 2, 2026
@RyanL1997 (Collaborator, Author)

Some of the CI tasks have been cancelled by GitHub; I will trigger the re-run.

@RyanL1997 (Collaborator, Author)

All these CI tasks have been stuck at:

Job is waiting for a hosted runner to come online.
Evaluating security-it-linux.if
Evaluating: success()
Result: true
Job is about to start running on the hosted runner: GitHub Actions 1001943859
Requested labels: ubuntu-latest
Job defined at: opensearch-project/sql/.github/workflows/integ-tests-with-security.yml@refs/pull/5100/merge
Waiting for a runner to pick up this job...

@RyanL1997 (Collaborator, Author)

RyanL1997 commented Feb 2, 2026

I have also confirmed with @rishabh6788 that we don't need to include this in the 3.5 release, and this is a test-related dependency. So I'm reverting the release note change, and no backport is needed for now.

Also had a conversation with @peterzhuamazon, and it is actually better if we can fix this CVE in the current 3.5 release.

@RyanL1997 (Collaborator, Author)

The above CI error is due to the ongoing GHA outage: https://www.githubstatus.com/
[Screenshot of the GitHub status page, taken 2026-02-02 at 1:07:26 PM]

@RyanL1997 RyanL1997 changed the title [CVE] Upgrade assertj-core to 3.27.7 [CVE-2026-24400] Upgrade assertj-core to 3.27.7 Feb 2, 2026
@RyanL1997 RyanL1997 force-pushed the cve-350-assertj-core branch from 2241c9a to e4b4e42 on February 2, 2026 22:07