Clear 3 security alerts: protobuf e2e fixture CVE-2026-0994 + histogram count narrowing#13921

Merged
wu-sheng merged 2 commits into
masterfrom
fix/clear-security-alerts
Jun 20, 2026
Conversation

@wu-sheng wu-sheng commented Jun 19, 2026

Fix three open security alerts (1 Dependabot, 2 code-scanning)

  • Add a unit test to verify that the fix works.
  • Explain briefly why the bug exists and how to fix it.

Clears all three open HIGH security alerts on the default branch.

1. Dependabot — protobuf CVE-2026-0994 (JSON recursion-depth DoS)
test/e2e-v2/cases/airflow/mock/requirements-replay.txt pinned protobuf==4.25.8. There is no patched 4.x release (fix line is protobuf>=5.29.6), so the OTLP-replay mock's dependency set moves to a coherent protobuf-5 combination:

  • protobuf 4.25.8 -> 5.29.6
  • opentelemetry-proto 1.24.0 -> 1.28.0 — required: 1.24.0 caps protobuf<5.0; 1.28.0 is the earliest release allowing protobuf>=5.
  • grpcio 1.62.2 -> 1.63.2 — required: opentelemetry-proto 1.28.0's generated gRPC stubs (built with grpcio-tools>=1.63) call channel.unary_unary(_registered_method=True), which grpcio 1.62.2 rejects with TypeError, breaking MetricsServiceStub. (flask unchanged.)

This is a CI-only e2e mock (a throwaway Flask/gRPC OTLP emitter), never shipped in the OAP — same class as the earlier test-fixture CVE cleanups (#13913 / #13915).

Verified in python:3.11-slim against the real mock-data: json_format.Parse (protobuf 5.29.6) + MetricsServiceStub construction + stub.Export all work with this set; the prior grpcio 1.62.2 pin raised TypeError: Channel.unary_unary() got an unexpected keyword argument '_registered_method'.

2 & 3. Code-scanning — java/implicit-cast-in-compound-assignment
In SumHistogramPercentileFunction and AvgHistogramPercentileFunction, the cumulative bucket counter was int count, but count += value adds a Long bucket count — promoting to long, then silently narrowing back to int. total (the same bucket sum) was already long, so the counter was inconsistent and could truncate above Integer.MAX_VALUE.

  • Fix: int count -> long count in both functions. count >= roof (long ≥ int) still works; no other change needed.

Verification: SumHistogramPercentileFunctionTest + AvgHistogramPercentileFunctionTest pass (12/12); server-core checkstyle and license headers clean; airflow mock dependency set verified to import + parse + build the gRPC stub in the python:3.11-slim runtime image.

  • If this pull request closes/resolves/fixes an existing issue, replace the issue number. Closes #.
  • Update the CHANGES log.

🤖 Generated with Claude Code

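The narrowing described under items 2 & 3, as an added example that is not code from this PR or from the SkyWalking code base; the class, method names and bucket values are constructed for the demo:

```java
import java.util.Arrays;
import java.util.List;

public class CompoundNarrowingDemo {

    // Pre-fix shape: an int accumulator fed by Long bucket counts. Under JLS 15.26.2,
    // `count += value` means `count = (int) (count + value)`: the Long is unboxed, the
    // add is done in long, and the result is narrowed back to int with no warning.
    // (`count = count + value` would not even compile, which is why the compound form hides it.)
    static int accumulateNarrowed(List<Long> bucketCounts) {
        int count = 0;
        for (Long value : bucketCounts) {
            count += value; // implicit (int) cast, the pattern CodeQL flags
        }
        return count;
    }

    // Post-fix shape: a long accumulator, so the running sum is never truncated.
    static long accumulateWidened(List<Long> bucketCounts) {
        long count = 0;
        for (Long value : bucketCounts) {
            count += value;
        }
        return count;
    }

    // Percentile walk: index of the first bucket whose cumulative count reaches roof,
    // or -1 if the walk never gets there. `narrowed` selects the pre-fix int accumulator;
    // comparing a long count against an int roof is fine, as the PR notes.
    static int bucketReachingRoof(List<Long> bucketCounts, int roof, boolean narrowed) {
        int intCount = 0;
        long longCount = 0;
        for (int i = 0; i < bucketCounts.size(); i++) {
            long value = bucketCounts.get(i);
            if (narrowed) {
                intCount += value;
                if (intCount >= roof) return i;
            } else {
                longCount += value;
                if (longCount >= roof) return i;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed sample: the second bucket alone exceeds Integer.MAX_VALUE,
        // so the int accumulator wraps negative and the p40 roof is never reached.
        List<Long> buckets = Arrays.asList(1_000_000_000L, 3_000_000_000L, 500_000_000L);
        int roof = (int) (4_500_000_000L * 40 / 100); // p40 roof, still fits in an int
        System.out.println("narrowed sum: " + accumulateNarrowed(buckets));
        System.out.println("widened sum:  " + accumulateWidened(buckets));
        System.out.println("p40 bucket, int count:  " + bucketReachingRoof(buckets, roof, true));
        System.out.println("p40 bucket, long count: " + bucketReachingRoof(buckets, roof, false));
    }
}
```

With the int accumulator the walk returns -1 (no bucket ever satisfies count >= roof), while the long accumulator correctly lands on bucket 1.
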
…arrowing

- Dependabot CVE-2026-0994: bump the Airflow e2e mock's pinned protobuf
  4.25.8 -> 5.29.6 (no 4.x patch exists) and opentelemetry-proto 1.24.0 -> 1.28.0
  (its protobuf<5.0 cap was the blocker). CI-only test fixture, never shipped;
  grpcio/flask unchanged.
- CodeQL java/implicit-cast-in-compound-assignment: widen the cumulative `count`
  accumulator from int to long in Sum/AvgHistogramPercentileFunction. `count +=
  value` silently narrowed a long bucket-count sum back to int; `total` was
  already long.

Verified: Sum/AvgHistogramPercentileFunctionTest pass (12/12); checkstyle + license clean.
@wu-sheng wu-sheng added the dependencies Pull requests that update a dependency file label Jun 19, 2026
@wu-sheng wu-sheng added this to the 11.0.0 milestone Jun 19, 2026
@wu-sheng wu-sheng added the bug Something isn't working and you are sure it's a bug! label Jun 19, 2026
….28.0 stubs

opentelemetry-proto 1.28.0's generated gRPC stubs are produced by grpcio-tools
>=1.63 and call channel.unary_unary(_registered_method=True), which grpcio 1.62.2
does not accept -> MetricsServiceStub(channel) raised
"TypeError: Channel.unary_unary() got an unexpected keyword argument '_registered_method'",
so the OTLP replay mock could not build the stub or send metrics. Bump
grpcio 1.62.2 -> 1.63.2.

Reproduced + verified in python:3.11-slim against the real mock-data:
json_format.Parse (protobuf 5.29.6) + MetricsServiceStub construction +
stub.Export all work (Export reaches the wire; UNAVAILABLE only because no
server is listening). The earlier commit's claim that grpcio was unchanged
was wrong.
@wu-sheng wu-sheng merged commit e1acb44 into master Jun 20, 2026
436 of 439 checks passed
@wu-sheng wu-sheng deleted the fix/clear-security-alerts branch June 20, 2026 01:14