
fix(security): bump netty-bom 4.1.132.Final → 4.1.133.Final (4 HIGH CVEs)#27981

Open
sonika-shah wants to merge 2 commits into main from fix/security-netty-bom-4.1.133

Conversation

@sonika-shah
Collaborator

@sonika-shah sonika-shah commented May 8, 2026

Summary

Bumps io.netty:netty-bom from 4.1.132.Final → 4.1.133.Final to resolve four HIGH-severity Snyk findings observed in the May 8 2026 scan of the 1.13 image. A single bump on the netty-bom import propagates the version to every netty artifact pulled in transitively (codec, codec-http2, codec-dns, etc.), so this one-line change retires all four CVEs.

Vulnerabilities resolved

| Severity | Module | CWE / Issue |
| --- | --- | --- |
| HIGH | io.netty:netty-codec-http2 | Improper Handling of Highly Compressed Data — HttpContentDecompressor / DelegatingDecompressorFrameListener accept br/zstd/snappy payloads that bypass the configured decompression limit (data amplification → DoS) |
| HIGH | io.netty:netty-codec-dns | Null Byte Interaction Error — encodeDomainName / decodeDomainName inadequately validate domain-label lengths, enabling DNS cache poisoning, domain validation bypass, and excessive memory allocation |
| HIGH | io.netty:netty-codec | Allocation of Resources Without Limits or Throttling — Lz4FrameDecoder over-allocates on crafted compressed frames with manipulated header fields (resource exhaustion → DoS) |
| HIGH | io.netty:netty-codec | Improper Handling of Highly Compressed Data — same data-amplification class as above, in the base codec |

All four are fixed in 4.1.133.Final (Snyk-recommended remediation: "Upgrade io.netty:netty-* to 4.1.133.Final or higher").

Why this is needed on main

The May 8 Snyk report against the 1.13 OSS image flagged 9 vulnerable dependency paths. The previous security cherry-pick (#27940 → 1.13 commit 4c1ec72) covered jetty-http, BouncyCastle, postgresql, jackson, spring, gson, httpcore5-h2 and commons-compress — but did not touch netty. main is also still on 4.1.132.Final, so this gap exists here as well; the bump has to land on main first before it can be cherry-picked into 1.13.x.

Other findings from the same Snyk report (tracked separately, not in this PR)

Test plan

  • mvn dependency:tree resolves io.netty:netty-codec, io.netty:netty-codec-http2, and io.netty:netty-codec-dns to 4.1.133.Final in openmetadata-service and openmetadata-mcp
  • Full backend build passes (mvn clean package -DskipTests)
  • Re-run Snyk scan against a fresh build and confirm all four netty findings are gone
  • Smoke test: HTTP/2 traffic, DNS resolution, and any Lz4-compressed paths still function

🤖 Generated with Claude Code


Summary by Gitar

  • UI/UX improvements:
    • Migrated ColumnProfileTable from antd to core components Table.


Resolves 4 HIGH-severity Snyk findings (May 8 2026 scan against 1.13 image):

- io.netty:netty-codec-http2 — Improper Handling of Highly Compressed Data
  (Data Amplification, br/zstd/snappy)
- io.netty:netty-codec-dns — Null Byte Interaction Error (Poison Null Byte)
- io.netty:netty-codec — Allocation of Resources Without Limits or Throttling
  (Lz4FrameDecoder)
- io.netty:netty-codec — Improper Handling of Highly Compressed Data
  (Data Amplification)

All four are fixed in netty 4.1.133.Final per the upstream advisories.
A single bump on the netty-bom import propagates the version to every
netty artifact pulled in transitively.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
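The test plan above relies on `mvn dependency:tree` showing every netty artifact at 4.1.133.Final. The script below is an added example, not part of this PR or the OpenMetadata build, that automates that check: it reads `dependency:tree` output and fails when any `io.netty` artifact resolves to a version other than the one expected. It exists because a BOM import only sets defaults; a module that declares its own `<version>` on a netty artifact, or one that does not inherit the root `dependencyManagement`, keeps the old version silently. The module names and the two sample trees are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example for this PR's test plan; not part of the PR itself.
# Verifies that a netty-bom bump actually reached every io.netty artifact a
# module resolves. A direct <version> on a netty artifact (or a module that
# does not inherit the root pom's dependencyManagement) silently wins over
# the BOM, which is the case this check is meant to catch.
#
# Real use, run per module after the bump:
#   mvn -q dependency:tree -Dincludes=io.netty | check_netty_versions 4.1.133.Final

EXPECTED_NETTY_VERSION="4.1.133.Final"

# Reads `mvn dependency:tree` output on stdin. Prints one line per io.netty
# artifact; returns 0 when every resolved version equals $1, 1 otherwise.
check_netty_versions() {
  awk -v want="$1" '
    {
      for (i = 1; i <= NF; i++) {
        if ($i !~ /^io\.netty:/) continue
        # coordinate form: groupId:artifactId:type[:classifier]:version[:scope]
        n = split($i, f, ":")
        ver = (f[n] ~ /^(compile|provided|runtime|test|system)$/) ? f[n-1] : f[n]
        if (ver == want) {
          print "ok       " f[2] " " ver
        } else {
          print "MISMATCH " f[2] " resolved to " ver " (expected " want ")"
          bad = 1
        }
      }
    }
    END { exit bad }
  '
}

# Constructed sample: the shape dependency:tree prints after a clean BOM bump.
# Module name and versions are illustrative, not taken from the repository.
sample_tree_clean() {
  cat <<'EOF'
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.netty:netty-codec-http2:jar:4.1.133.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.133.Final:compile
[INFO] |  \- io.netty:netty-handler:jar:4.1.133.Final:compile
[INFO] +- io.netty:netty-resolver-dns:jar:4.1.133.Final:compile
[INFO] |  \- io.netty:netty-codec-dns:jar:4.1.133.Final:compile
[INFO] \- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.133.Final:runtime
EOF
}

# Constructed sample of the failure mode: one module pins netty-codec
# directly, so the still-vulnerable 4.1.132.Final ships despite the bump.
sample_tree_stale() {
  cat <<'EOF'
[INFO] com.example:legacy-client:jar:1.0.0
[INFO] +- io.netty:netty-codec-http2:jar:4.1.133.Final:compile
[INFO] \- io.netty:netty-codec:jar:4.1.132.Final:compile
EOF
}

# Stand-alone demo: the first tree passes, the second one fails the check.
sample_tree_clean | check_netty_versions "$EXPECTED_NETTY_VERSION"
sample_tree_stale | check_netty_versions "$EXPECTED_NETTY_VERSION" \
  || echo "stale netty pin found: fix the module before re-running Snyk"
```

Run it against each module listed in the test plan (openmetadata-service and openmetadata-mcp) rather than only the root, since `dependency:tree` is per module; adding `-Dverbose=true` also surfaces versions Maven omitted for conflict, which is where a stale pin in a sibling module tends to hide.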
Copilot AI review requested due to automatic review settings May 8, 2026 07:03
@github-actions github-actions Bot added backend safe to test Add this label to run secure Github workflows on PRs labels May 8, 2026
Contributor

Copilot AI left a comment


Pull request overview

Updates the root Maven dependency management to import io.netty:netty-bom 4.1.133.Final, ensuring all Netty artifacts resolve to the patched version across the build to address reported HIGH-severity CVEs.

Changes:

  • Bump io.netty:netty-bom from 4.1.132.Final → 4.1.133.Final in the root pom.xml dependency management import.

@github-actions
Contributor

github-actions Bot commented May 8, 2026

🔴 Playwright Results — 1 failure(s), 13 flaky

✅ 4014 passed · ❌ 1 failed · 🟡 13 flaky · ⏭️ 86 skipped

Shard Passed Failed Flaky Skipped
🟡 Shard 1 297 0 2 4
🟡 Shard 2 750 0 5 8
🔴 Shard 3 757 1 1 7
🟡 Shard 4 787 0 3 18
✅ Shard 5 687 0 0 41
🟡 Shard 6 736 0 2 8

Genuine Failures (failed on all attempts)

Flow/ObservabilityAlerts.spec.ts › Alert operations for a user with and without permissions (shard 3)
Test timeout of 60000ms exceeded.
🟡 13 flaky test(s) (passed on retry)
  • Pages/AuditLogs.spec.ts › should apply both User and EntityType filters simultaneously (shard 1, 1 retry)
  • Pages/UserCreationWithPersona.spec.ts › Create user with persona and verify on profile (shard 1, 1 retry)
  • Features/ActivityAPI.spec.ts › Activity event shows the actor who made the change (shard 2, 1 retry)
  • Features/BulkEditEntity.spec.ts › Glossary (shard 2, 1 retry)
  • Features/DataProductRenameConsolidation.spec.ts › Multiple rename + update cycles - assets should be preserved (shard 2, 1 retry)
  • Features/Glossary/GlossaryWorkflow.spec.ts › should display correct status badge color and icon (shard 2, 1 retry)
  • Features/IncidentManager.spec.ts › Next, Previous and page indicator (shard 2, 1 retry)
  • Features/RTL.spec.ts › Verify Following widget functionality (shard 3, 1 retry)
  • Pages/CustomProperties.spec.ts › Time (shard 4, 1 retry)
  • Pages/DataContracts.spec.ts › Add and update Security and SLA tabs (shard 4, 1 retry)
  • Pages/DomainDataProductsRightPanel.spec.ts › Should edit owners for data product from domain context (shard 4, 1 retry)
  • Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
  • Pages/Users.spec.ts › Create and Delete user (shard 6, 1 retry)

📦 Download artifacts

How to debug locally
# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace

@gitar-bot

gitar-bot Bot commented May 8, 2026

Code Review ✅ Approved

Bumps netty-bom to 4.1.133.Final to address four high-severity vulnerabilities in netty-codec, netty-codec-http2, and netty-codec-dns. No issues found.


@sonarqubecloud

sonarqubecloud Bot commented May 8, 2026
