
fix(security): bump jetty-http 12.1.6 → 12.1.7 + pac4j-core 5.7.0 → 5.7.10 (1.13)#27980

Merged
sonika-shah merged 3 commits into1.13from
fix/security-jetty-http-1.13
May 8, 2026

Conversation

@sonika-shah
Collaborator

@sonika-shah sonika-shah commented May 8, 2026

Summary

Cherry-picks three existing Dependabot bumps from main to fix security findings missed by #27940 on 1.13.

Vulnerabilities resolved

Severity | Module | Issue
CRITICAL | org.eclipse.jetty:jetty-http 12.1.6 | HTTP Request Smuggling. The HTTP/1.1 parser improperly terminated quoted strings in chunked transfer encoding. Fixed in 12.0.33 / 12.1.7.
HIGH | org.pac4j:pac4j-core 5.7.0 | CSRF. Deterministic String.hashCode() allowed a forged token whose hash collides with the legitimate CSRF token to perform unauthorized state-changing actions (profile updates, password changes, account linking). Fixed in 5.7.10 / 6.4.1.

Why these were missed

#27940 (commit 4c1ec72 on 1.13) bumped <jetty.version> only in the root pom.xml. On main that was sufficient because three child-module Dependabot PRs had already landed:

None of those were cherry-picked to 1.13, so the child modules still redeclared the older versions as local properties:

  • openmetadata-service/pom.xml:24  <pac4j.version>5.7.0</pac4j.version>
  • openmetadata-service/pom.xml:29  <jetty.version>12.1.6</jetty.version>
  • openmetadata-mcp/pom.xml:20  <jetty.version>12.1.6</jetty.version>

Maven property resolution gives the child module's local property precedence over the parent's, so every jetty-* artifact pulled in by openmetadata-service or openmetadata-mcp was still resolving to 12.1.6 at build time, and pac4j-core was still resolving to 5.7.0. The published JARs in /opt/openmetadata/libs/ therefore still contained the vulnerable versions, and Snyk's May 8 scan against the 1.13 image correctly flagged them.

Remaining gaps on 1.13 (out of scope for this PR — separate follow-ups)

  • HIGH io.netty:netty-bom@4.1.132.Final (4 findings — data amplification ×2, poison null byte, allocation throttling). Needs to land on main first since main is also still on 4.1.132.Final. Tracked in fix(security): bump netty-bom 4.1.132.Final → 4.1.133.Final (4 HIGH CVEs) #27981.
  • HIGH org.apache.logging.log4j:log4j-core@2.25.3 (3 findings — Rfc5424Layout, XmlLayout, Log4j1XmlLayout). No upstream release available yet — Apache has only fixed in master. Recommend a Snyk policy ignore until Apache cuts a 2.25.4+ release.
  • 80 Snyk Code "Unsafe Reflection" findings — separate static-analysis work on ReflectionUtil.createConnectionConfigClass.

Test plan

  • mvn dependency:tree | grep jetty-http resolves to 12.1.7 in both openmetadata-service and openmetadata-mcp
  • mvn dependency:tree | grep pac4j-core resolves to 5.7.10 in openmetadata-service
  • Re-run Snyk scan on a freshly built 1.13 image; CRITICAL jetty-http and HIGH pac4j-core CSRF findings should be gone

🤖 Generated with Claude Code
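The root cause described above (a version bump applied to the root pom while child poms still redeclare the same property with an older value) is easy to miss by eye in a large multi-module build. The following is an added example, not OpenMetadata's code or part of this PR: a small scanner that parses every pom.xml below a root, compares each child's <properties> against the root's, and reports the redeclarations that Maven will let win. The module names, property values and directory layout it builds in a temp dir are constructed to mirror the shape of the problem (root already on 12.1.7 / 5.7.10, two children still on 12.1.6 / 5.7.0) and are not the real openmetadata tree.

```python
"""Find child-module Maven properties that shadow a root-pom property.

Added example, not OpenMetadata's code. Builds a constructed multi-module
layout in a temp dir and scans it the way a reviewer would scan a real tree
after bumping a version property only in the root pom.xml.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def read_properties(pom_path):
    """Return {name: value} for the <properties> block of one pom.xml.

    Handles the usual namespaced POM as well as an un-namespaced one.
    """
    root = ET.parse(pom_path).getroot()
    props = root.find("m:properties", POM_NS)
    if props is None:
        props = root.find("properties")
    if props is None:
        return {}
    # Strip the XML namespace from each tag to get the plain property name.
    return {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in props}


def find_property_overrides(root_dir, watch=None):
    """Return sorted [(child_pom, name, root_value, child_value), ...].

    A row is emitted whenever a pom.xml below root_dir redeclares a property the
    root pom.xml also defines, with a different value. Maven resolves the
    redeclaring module's value in preference to the inherited one, so a bump made
    only in the root pom leaves that module on the old version. `watch` optionally
    restricts the check to a set of property names.
    """
    root_props = read_properties(os.path.join(root_dir, "pom.xml"))
    overrides = []
    for dirpath, _dirs, files in os.walk(root_dir):
        if dirpath == root_dir or "pom.xml" not in files:
            continue
        pom = os.path.join(dirpath, "pom.xml")
        rel = os.path.relpath(pom, root_dir).replace(os.sep, "/")
        for name, value in read_properties(pom).items():
            if watch is not None and name not in watch:
                continue
            if name in root_props and root_props[name] != value:
                overrides.append((rel, name, root_props[name], value))
    return sorted(overrides)


POM_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>{artifact}</artifactId>
  <properties>
{props}
  </properties>
</project>
"""


def write_pom(path, artifact, props):
    """Write a minimal pom.xml containing only a <properties> block."""
    body = "\n".join(f"    <{k}>{v}</{k}>" for k, v in props.items())
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(POM_TEMPLATE.format(artifact=artifact, props=body))


def build_constructed_tree():
    """Constructed sample layout (not the real repo): root already bumped,
    two children still carrying their own older values, one child in sync."""
    root = tempfile.mkdtemp(prefix="pomscan-")
    write_pom(os.path.join(root, "pom.xml"), "parent",
              {"jetty.version": "12.1.7", "pac4j.version": "5.7.10",
               "netty.version": "4.1.132.Final"})
    write_pom(os.path.join(root, "service", "pom.xml"), "service",
              {"jetty.version": "12.1.6", "pac4j.version": "5.7.0"})
    write_pom(os.path.join(root, "mcp", "pom.xml"), "mcp",
              {"jetty.version": "12.1.6"})
    # Same value as the root and a property the root lacks: neither is an override.
    write_pom(os.path.join(root, "ui", "pom.xml"), "ui",
              {"node.version": "20.11.0", "pac4j.version": "5.7.10"})
    return root


def demo():
    """Scan the constructed tree for the two properties this PR cares about."""
    return find_property_overrides(build_constructed_tree(),
                                   watch={"jetty.version", "pac4j.version"})


if __name__ == "__main__":
    for pom, name, root_value, child_value in demo():
        print(f"{pom}: {name} root={root_value} child={child_value}")
```

Pointing find_property_overrides at a real checkout (with the constructed-tree helpers dropped) is a cheap pre-merge check to pair with the mvn dependency:tree verification in the test plan: the tree shows what resolved, the scan shows where the shadowing value lives.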
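The pac4j-core row above describes a bug class rather than a parsing flaw: a CSRF token accepted because its Java String.hashCode() matched, not because its bytes matched. The following added example illustrates why that comparison is forgeable and what the correct comparison looks like. It is not pac4j's code and does not claim to reproduce pac4j's actual check; the function names and the sample token are constructed for the illustration.

```python
"""Java String.hashCode() collisions versus a constant-time token comparison.

Added illustration of the bug class (token equality decided by a deterministic,
non-cryptographic hash). Not pac4j's implementation; names and the sample token
are constructed here.
"""
import hmac


def java_string_hashcode(s):
    """Reproduce java.lang.String.hashCode(): h = 31*h + c, wrapped to a signed 32-bit int.

    Assumes BMP characters, where Python code points equal Java UTF-16 code units.
    """
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def forge_colliding_token(token):
    """Return a different string with the same hashCode() as `token`.

    Since 31*(c-1) + (d+31) == 31*c + d, lowering one character by 1 and raising
    the next by 31 leaves the rolling hash unchanged. No brute force is needed:
    the hash is linear and fully predictable from the token alone. Caveat: d+31
    may fall outside printable ASCII for high characters, so a real attacker would
    pick the position whose substitution survives the transport being used.
    """
    if len(token) < 2:
        raise ValueError("need at least two characters")
    forged = chr(ord(token[0]) - 1) + chr(ord(token[1]) + 31) + token[2:]
    assert forged != token
    assert java_string_hashcode(forged) == java_string_hashcode(token)
    return forged


def vulnerable_csrf_check(expected_token, presented_token):
    """Bug class: compares a 32-bit hash of the token instead of the token itself."""
    return java_string_hashcode(expected_token) == java_string_hashcode(presented_token)


def safe_csrf_check(expected_token, presented_token):
    """Fix: compare the full token bytes in constant time."""
    return hmac.compare_digest(expected_token.encode("utf-8"),
                               presented_token.encode("utf-8"))


def demo():
    """Run both checks against a forged token; returns (vulnerable_result, safe_result)."""
    real = "n3Qz9xKf2pL7wVb4"  # constructed sample session CSRF token
    forged = forge_colliding_token(real)  # "mRQz9xKf2pL7wVb4"
    return vulnerable_csrf_check(real, forged), safe_csrf_check(real, forged)


if __name__ == "__main__":
    vulnerable, safe = demo()
    print(f"hash-based check accepts forged token: {vulnerable}")
    print(f"constant-time byte check accepts forged token: {safe}")
```

The point for reviewers of similar code: any equality decision on a secret must compare the secret's full bytes (and do so in constant time), never a hash that is short, deterministic and trivially invertible into collisions.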

dependabot Bot and others added 2 commits May 8, 2026 12:20
…ce (#27372)

Bumps org.eclipse.jetty:jetty-http from 12.1.6 to 12.1.7.

---
updated-dependencies:
- dependency-name: org.eclipse.jetty:jetty-http
  dependency-version: 12.1.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: sonika-shah <58761340+sonika-shah@users.noreply.github.com>
…27373)

Bumps org.eclipse.jetty:jetty-http from 12.1.6 to 12.1.7.

---
updated-dependencies:
- dependency-name: org.eclipse.jetty:jetty-http
  dependency-version: 12.1.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: sonika-shah <58761340+sonika-shah@users.noreply.github.com>
@github-actions github-actions Bot added backend safe to test Add this label to run secure Github workflows on PRs labels May 8, 2026
@github-actions
Contributor

github-actions Bot commented May 8, 2026

The Python checkstyle failed.

Please run make py_format and py_format_check in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Python code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

Bumps [org.pac4j:pac4j-core](https://github.com/pac4j/pac4j) from 5.7.0 to 5.7.10.
- [Commits](pac4j/pac4j@pac4j-parent-5.7.0...pac4j-parent-5.7.10)

---
updated-dependencies:
- dependency-name: org.pac4j:pac4j-core
  dependency-version: 5.7.10
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Chirag Madlani <12962843+chirag-madlani@users.noreply.github.com>
Co-authored-by: Harsh Vador <58542468+harsh-vador@users.noreply.github.com>
@sonika-shah sonika-shah changed the title fix(security): bump jetty-http 12.1.6 → 12.1.7 in service & mcp child poms (1.13) fix(security): bump jetty-http 12.1.6 → 12.1.7 + pac4j-core 5.7.0 → 5.7.10 (1.13) May 8, 2026
@gitar-bot

gitar-bot Bot commented May 8, 2026

Code Review ✅ Approved

Bumps jetty-http to 12.1.7 in service and mcp child modules to resolve the critical HTTP Request Smuggling vulnerability. No issues found.



@sonika-shah sonika-shah merged commit 2c38609 into 1.13 May 8, 2026
25 of 42 checks passed
@sonika-shah sonika-shah deleted the fix/security-jetty-http-1.13 branch May 8, 2026 07:29
@sonarqubecloud

sonarqubecloud Bot commented May 8, 2026

@github-actions
Contributor

github-actions Bot commented May 8, 2026

🟡 Playwright Results — all passed (15 flaky)

✅ 3740 passed · ❌ 0 failed · 🟡 15 flaky · ⏭️ 79 skipped

Shard | Passed | Failed | Flaky | Skipped
✅ Shard 1 | 290 | 0 | 0 | 4
🟡 Shard 2 | 698 | 0 | 3 | 7
🟡 Shard 3 | 724 | 0 | 2 | 1
🟡 Shard 4 | 711 | 0 | 2 | 24
🟡 Shard 5 | 670 | 0 | 3 | 35
🟡 Shard 6 | 647 | 0 | 5 | 8
🟡 15 flaky test(s) (passed on retry)
  • Features/BulkEditEntity.spec.ts › Glossary (shard 2, 1 retry)
  • Features/CustomMetric.spec.ts › Table custom metric (shard 2, 1 retry)
  • Features/IncidentManager.spec.ts › Complete Incident lifecycle with table owner (shard 2, 1 retry)
  • Features/Permissions/GlossaryPermissions.spec.ts › Team-based permissions work correctly (shard 3, 1 retry)
  • Flow/PersonaFlow.spec.ts › Set default persona for team should work properly (shard 3, 1 retry)
  • Pages/Domains.spec.ts › Rename domain with owners and experts preserves assignments (shard 4, 1 retry)
  • Pages/Entity.spec.ts › User as Owner Add, Update and Remove (shard 4, 1 retry)
  • Pages/Entity.spec.ts › User as Owner with unsorted list (shard 5, 1 retry)
  • Pages/Entity.spec.ts › User as Owner with unsorted list (shard 5, 1 retry)
  • Pages/EntityDataConsumer.spec.ts › Tier Add, Update and Remove (shard 5, 1 retry)
  • Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
  • Pages/Lineage/LineageRightPanel.spec.ts › Verify custom properties tab IS visible for supported type: searchIndex (shard 6, 1 retry)
  • Pages/Lineage/PlatformLineage.spec.ts › Verify domain platform view (shard 6, 1 retry)
  • Pages/ODCSImportExport.spec.ts › Multi-object ODCS contract - object selector shows all schema objects (shard 6, 1 retry)
  • Pages/Users.spec.ts › Permissions for table details page for Data Consumer (shard 6, 1 retry)

📦 Download artifacts

How to debug locally
# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace
