Skip to content

fix(deps, v1.2): upgrade bouncycastle to fix CVE-2025-14813#6316

Open
Yicong-Huang wants to merge 1 commit into
apache:release/v1.2from
Yicong-Huang:backport/bouncycastle-184-v1.2
Open

fix(deps, v1.2): upgrade bouncycastle to fix CVE-2025-14813#6316
Yicong-Huang wants to merge 1 commit into
apache:release/v1.2from
Yicong-Huang:backport/bouncycastle-184-v1.2

Conversation

@Yicong-Huang

Copy link
Copy Markdown
Contributor

What changes were proposed in this PR?

Backport of #6286 to release/v1.2.

Pins the Bouncy Castle JDK 18 artifacts to 1.84 through shared sbt dependencyOverrides:

Artifact Version
org.bouncycastle:bcpkix-jdk18on 1.84
org.bouncycastle:bcprov-jdk18on 1.84
org.bouncycastle:bcutil-jdk18on 1.84

It also updates computing-unit-managing-service/LICENSE-binary to match the resolved bundled jar versions.

Adaptation note: main has a refactored build.sbt with a commonModuleSettings aggregate that #6286 hooked into. release/v1.2 has no such aggregate — every module applies asfLicensingSettings / asfLicensingSettingsWithVendored directly — so the overrides are appended to those two instead. Functionally equivalent.

Any related issues, documentation, discussions?

Related security report: https://github.com/apache/texera/security/dependabot/782

How was this PR tested?

JAVA_HOME=$(/usr/libexec/java_home -v 17) sbt 'show ComputingUnitManagingService / dependencyOverrides' 'show ComputingUnitManagingService / update' | rg 'bouncycastle|bcprov|bcpkix|bcutil|\[success\]|\[error\]'

Confirmed bcpkix-jdk18on, bcprov-jdk18on, and bcutil-jdk18on all resolve to 1.84.

Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude (Opus 4.8)

🤖 Generated with Claude Code

Backport of apache#6286 to release/v1.2.

Pins the Bouncy Castle JDK 18 artifacts to 1.84 via shared sbt
dependencyOverrides (bcpkix/bcprov/bcutil-jdk18on), and updates
computing-unit-managing-service/LICENSE-binary to match the resolved
bundled jar versions.

Adapted to the v1.2 build.sbt structure: v1.2 has no commonModuleSettings
aggregate, so the overrides are appended to asfLicensingSettings and
asfLicensingSettingsWithVendored, which every module applies.

Related security report:
https://github.com/apache/texera/security/dependabot/782

Verified with:
JAVA_HOME=$(/usr/libexec/java_home -v 17) sbt 'show ComputingUnitManagingService / dependencyOverrides' 'show ComputingUnitManagingService / update'
All three artifacts resolve to 1.84.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added dependencies Pull requests that update a dependency file common platform Non-amber Scala service paths labels Jul 10, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Automated Reviewer Suggestions

Based on the git blame history of the changed files, we recommend the following reviewers:

  • Contributors with relevant context: @aglinxinyuan
    You can notify them by mentioning @aglinxinyuan in a comment.

@Yicong-Huang Yicong-Huang changed the title fix(deps): upgrade bouncycastle to fix CVE-2025-14813 (#6286) [v1.2 backport] fix(deps, v1.2): upgrade bouncycastle to fix CVE-2025-14813 Jul 10, 2026
@codecov-commenter

codecov-commenter commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.33%. Comparing base (21119c7) to head (0c58ddf).

Additional details and impacted files
@@                Coverage Diff                 @@
##             release/v1.2    #6316      +/-   ##
==================================================
- Coverage           52.34%   52.33%   -0.02%     
+ Complexity           2492     2488       -4     
==================================================
  Files                1074     1074              
  Lines               42121    42121              
  Branches             4535     4535              
==================================================
- Hits                22047    22042       -5     
- Misses              18771    18774       +3     
- Partials             1303     1305       +2     
Flag Coverage Δ *Carryforward flag
access-control-service 64.61% <ø> (ø)
agent-service 34.36% <ø> (ø) Carriedforward from 21119c7
amber 52.47% <ø> (-0.04%) ⬇️
computing-unit-managing-service 1.65% <ø> (ø)
config-service 56.06% <ø> (ø)
file-service 58.59% <ø> (ø)
frontend 47.13% <ø> (ø) Carriedforward from 21119c7
pyamber 90.81% <ø> (ø) Carriedforward from 21119c7
python 90.74% <ø> (ø) Carriedforward from 21119c7
workflow-compiling-service 58.69% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@xuang7 xuang7 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

common dependencies Pull requests that update a dependency file platform Non-amber Scala service paths

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants