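--- a/.github/dependency-check-suppressions.xml
+++ b/.github/dependency-check-suppressions.xml
@@ -1,3 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+<!--False positive: aws-xray-recorder-sdk-sql-mysql is NOT MySQL Server.
+The module wraps JDBC calls for tracing and has no MySQL dependency.
+DependencyCheck matches it via the overly broad CPE cpe:2.3:a:mysql:mysql.-->
+<suppress>
+<notes><![CDATA[sql-mysql SDK module is not MySQL Server — CPE false positive]]></notes>
+<filePath regex="true">.*aws-xray-recorder-sdk-sql-mysql.*</filePath>
+<cpe>cpe:/a:mysql:mysql</cpe>
+</suppress>
+<suppress>
+<notes><![CDATA[sql-mysql SDK module is not www-sql — CPE false positive]]></notes>
+<filePath regex="true">.*aws-xray-recorder-sdk-sql-mysql.*</filePath>
+<cpe>cpe:/a:www-sql_project:www-sql</cpe>
+</suppress>
+<!--False positive: CVE-2023-35116 is disputed/rejected by jackson-databind maintainers.
+Requires caller to explicitly enable UNWRAP_SINGLE_VALUE_ARRAYS with untrusted input.
+See: https://github.com/FasterXML/jackson-databind/issues/3972-->
+<suppress>
+<notes><![CDATA[CVE-2023-35116 is disputed — rejected by jackson-databind maintainers]]></notes>
+<filePath regex="true">.*jackson-databind.*</filePath>
+<cve>CVE-2023-35116</cve>
+</suppress>
 </suppressions>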
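Review bot: The CVE-2023-35116 suppression on the jackson-databind entry carries no expiry, so it will persist unreviewed even if the dispute is resolved or a later advisory supersedes it; the trivyignore file in this same change gives each entry an `expired_at`, and the dependency-check suppression schema offers the equivalent `until` attribute, e.g. `<suppress until="YYYY-MM-DD">` (placeholder date to be chosen). Scoping that entry with `<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>` rather than the `.*jackson-databind.*` file-path regex would also keep it from matching any unrelated artifact whose path happens to contain that substring. The two MySQL CPE suppressions are already path-scoped to the sql-mysql module and look correct as written.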
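--- a/.github/trivy/daily-scan.trivyignore.yaml
+++ b/.github/trivy/daily-scan.trivyignore.yaml
@@ -2,12 +2,33 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # Trivy ignore file for daily scans.
-# This file is intentionally empty. Daily scans should flag all CVEs.
 # See: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
 
 # Format:
 # - id: <CVE-###>
 # statement: "<Why are we excluding?> <link to CVE where we can track status>"
 # expired_at: <required - YYYY-MM-DD>
 
-vulnerabilities: []
+vulnerabilities:
+# The AWS SDK for Java v1 (com.amazonaws:aws-java-sdk-core:1.12.788) reached EOL
+# on 2025-12-31 and will not receive further releases. Its published JARs embed POM
+# metadata declaring jackson-core 2.12.7 as a dependency — this cannot be changed.
+# The X-Ray SDK still supports AWS SDK v1 instrumentation via the
+# aws-xray-recorder-sdk-aws-sdk module, but the actual jackson-core JAR resolved
+# at runtime is 2.18.6 (provided by the X-Ray SDK's own jackson BOM). Maven
+# dependency mediation ensures the higher version wins. These Trivy findings are
+# from third-party POM metadata only, not the actual runtime JARs.
+- id: CVE-2025-52999
+paths:
+- "META-INF/maven/com.amazonaws/aws-java-sdk-core/pom.xml"
+- "META-INF/maven/com.amazonaws/aws-java-sdk-xray/pom.xml"
+- "META-INF/maven/com.amazonaws/jmespath-java/pom.xml"
+statement: "AWS SDK v1 EOL (1.12.788 is final release) — jackson-core 2.12.7 in POM metadata only. Actual runtime JAR is 2.18.6 via X-Ray SDK BOM."
+expired_at: 2027-03-25
+- id: GHSA-72hv-8253-57qq
+paths:
+- "META-INF/maven/com.amazonaws/aws-java-sdk-core/pom.xml"
+- "META-INF/maven/com.amazonaws/aws-java-sdk-xray/pom.xml"
+- "META-INF/maven/com.amazonaws/jmespath-java/pom.xml"
+statement: "AWS SDK v1 EOL (1.12.788 is final release) — jackson-core 2.12.7 in POM metadata only. Actual runtime JAR is 2.18.6 via X-Ray SDK BOM."
+expired_at: 2027-03-25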
15 changes: 9 additions & 6 deletions aws-xray-recorder-sdk-aws-sdk-v2/build.gradle.kts
Expand Up @@ -8,14 +8,17 @@ dependencies {

implementation(project(":aws-xray-recorder-sdk-aws-sdk-core"))

api("software.amazon.awssdk:aws-core:2.15.20")
api("software.amazon.awssdk:aws-core:2.30.31")

implementation("com.fasterxml.jackson.core:jackson-databind")
implementation("com.fasterxml.jackson.core:jackson-core")

testImplementation("org.skyscreamer:jsonassert:1.3.0")
testImplementation("software.amazon.awssdk:dynamodb:2.15.20")
testImplementation("software.amazon.awssdk:lambda:2.15.20")
testImplementation("software.amazon.awssdk:sqs:2.15.20")
testImplementation("software.amazon.awssdk:sns:2.15.20")
testImplementation("software.amazon.awssdk:s3:2.15.20")
testImplementation("software.amazon.awssdk:dynamodb:2.30.31")
testImplementation("software.amazon.awssdk:lambda:2.30.31")
testImplementation("software.amazon.awssdk:sqs:2.30.31")
testImplementation("software.amazon.awssdk:sns:2.30.31")
testImplementation("software.amazon.awssdk:s3:2.30.31")
}

tasks.jar {
Expand Up @@ -173,14 +173,15 @@ public void testResponseDescriptors() throws Exception {

@Test
public void testSqsSendMessageSubsegmentContainsQueueUrl() throws Exception {
SdkHttpClient mockClient = mockClientWithSuccessResponse(
"<SendMessageResponse>" +
"<SendMessageResult>" +
"<MD5OfMessageBody>b10a8db164e0754105b7a99be72e3fe5</MD5OfMessageBody>" +
"<MessageId>abc-def-ghi</MessageId>" +
"</SendMessageResult>" +
"<ResponseMetadata><RequestId>123-456-789</RequestId></ResponseMetadata>" +
"</SendMessageResponse>"
SdkHttpResponse mockResponse = SdkHttpResponse.builder()
.statusCode(200)
.putHeader("x-amzn-RequestId", "123-456-789")
.build();
SdkHttpClient mockClient = mockSdkHttpClient(mockResponse,
"{" +
"\"MD5OfMessageBody\":\"b10a8db164e0754105b7a99be72e3fe5\"," +
"\"MessageId\":\"abc-def-ghi\"" +
"}"
);
SqsClient client = sqsClient(mockClient);

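Review bot: The mocked body switches from the XML `SendMessageResponse` envelope to a bare JSON object, and the request id moves from the body into an `x-amzn-RequestId` header, with nothing in the hunk saying why; the new `mockSdkHttpClient` helper is also not visible here, so a reader cannot tell whether the old `mockClientWithSuccessResponse` form remains usable for other tests. A one-line comment above the `SdkHttpResponse.builder()` call would settle it, such as `// Newer SDK v2 releases speak JSON to SQS; the request id is read from the x-amzn-RequestId header, not the body`. The wire-format change is presumably what the aws-core 2.30.31 bump in aws-xray-recorder-sdk-aws-sdk-v2/build.gradle.kts requires, but that is inferred rather than shown. `testSqsSendMessageSubsegmentContainsQueueUrl` continues past the end of the hunk.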
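--- a/aws-xray-recorder-sdk-spring/build.gradle.kts
+++ b/aws-xray-recorder-sdk-spring/build.gradle.kts
@@ -9,9 +9,9 @@ dependencies {
 api("org.aspectj:aspectjrt:1.8.11")
 
 // TODO(anuraaga): Remove most of these? Seems only Configurable annotation is used
-implementation("org.springframework:spring-context-support:5.3.18")
-implementation("org.springframework:spring-context:5.3.18")
-implementation("org.springframework:spring-aspects:5.3.18")
+implementation("org.springframework:spring-context-support:5.3.39")
+implementation("org.springframework:spring-context:5.3.39")
+implementation("org.springframework:spring-aspects:5.3.39")
 
 compileOnly("org.springframework.data:spring-data-commons:2.6.3")
 }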
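--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
@@ -5,14 +5,14 @@ plugins {
 data class DependencySet(val group: String, val version: String, val modules: List<String>)
 
 val DEPENDENCY_BOMS = listOf(
-"com.fasterxml.jackson:jackson-bom:2.12.0",
+"com.fasterxml.jackson:jackson-bom:2.18.6",
 "org.junit:junit-bom:5.8.2"
 )
 
 val DEPENDENCY_SETS = listOf(
 DependencySet(
 "com.fasterxml.jackson.datatype",
-"2.12.0",
+"2.18.6",
 listOf("jackson-datatype-jsr310")
 ),
 DependencySet(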