Upgrade multiple deps including bc-fips jars and transport-reactor-netty4 #19222

cwperks · 2025-09-02T19:42:24Z

Description

This PR contains the following updates:

Bump io.projectreactor.netty:reactor_netty from 1.2.5 to 1.2.9
Bump org.bouncycastle:bouncycastle_jce from 2.0.0 to 2.1.1
Bump org.bouncycastle:bouncycastle_tls from 2.0.20 to 2.1.20
Bump org.bouncycastle:bouncycastle_pkix from 2.0.8 to 2.1.9
Bump org.bouncycastle:bouncycastle_pg from 2.0.11 to 2.1.11
Bump org.bouncycastle:bouncycastle_util from 2.0.3 to 2.1.4

Related Issues

Resolves CVE-2025-22227 and CVE-2025-8916

Check List

Functionality includes testing.
API changes companion pull request created, if applicable.
Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

…tty4 Signed-off-by: Craig Perkins <[email protected]>

github-actions · 2025-09-02T19:53:39Z

❌ Gradle check result for 6f251c6: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Signed-off-by: Craig Perkins <[email protected]>

github-actions · 2025-09-02T21:12:10Z

❌ Gradle check result for c699e1c: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

reta

Thanks @cwperks !

Signed-off-by: Craig Perkins <[email protected]>

cwperks · 2025-09-03T01:06:35Z

@reta I pushed a new commit because there are tests failing due to thread leak detection: https://build.ci.opensearch.org/job/gradle-check/63211/

The leaked threads are:

1) Thread[id=70, name=BC Disposal Daemon, state=WAITING, group=TGRP-PemUtilsTests]
2) Thread[id=78, name=BC Cleanup Executor, state=WAITING, group=TGRP-PemUtilsTests]

github-actions · 2025-09-03T01:34:13Z

❌ Gradle check result for 2c9d269: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

reta · 2025-09-03T02:12:53Z

@reta I pushed a new commit because there are tests failing due to thread leak detection: https://build.ci.opensearch.org/job/gradle-check/63211/

@cwperks by setting org.bouncycastle.native.cleanup_delay system property value to 0 we should be able to disable cleanup entirely.

This reverts commit 2c9d269. Signed-off-by: Craig Perkins <[email protected]>

Signed-off-by: Craig Perkins <[email protected]>

cwperks · 2025-09-03T14:28:34Z

@cwperks by setting org.bouncycastle.native.cleanup_delay system property value to 0 we should be able to disable cleanup entirely.

TY @reta. Pushed another commit to set this system prop in OpenSearchTestCase.

github-actions · 2025-09-03T14:41:33Z

❌ Gradle check result for a854320: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

cwperks · 2025-09-03T14:58:06Z

@cwperks by setting org.bouncycastle.native.cleanup_delay system property value to 0 we should be able to disable cleanup entirely.

This didn't seem to work. Did I configure it correctly?

The ThreadFilter worked, but I needed to apply it to some more tests. Lmk which method would be preferable here.

test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java

github-actions · 2025-09-04T03:40:56Z

❌ Gradle check result for 697fb4c: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions · 2025-09-04T04:28:49Z

❌ Gradle check result for 1ac363d: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

reta · 2025-09-04T04:31:44Z

❌ Gradle check result for 1ac363d: FAILURE

Hmm... needs more time :(, will take a look tomorrow

github-actions · 2025-09-04T11:49:21Z

❌ Gradle check result for dc011de: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

reta · 2025-09-04T14:18:12Z

❌ Gradle check result for dc011de: FAILURE

@cwperks my apologies, I derailed you here, the change that actually disables BC cleanup turned out to be very recent and comes with the next release (2.1.2), sorry about that, I was very surprised as well to discover it.

The filter seems to be the only way for 2.1
1 to move forward, we could also stay om 2.0.x (it has all CVE fixes) and migrate to 2.1.x later on, as an option .

cwperks · 2025-09-04T14:23:54Z

❌ Gradle check result for dc011de: FAILURE

@cwperks my apologies, I derailed you here, the change that actually disables BC cleanup turned out to be very recent and comes with the next release (2.1.2), sorry about that, I was very surprised as well to discover it.

The filter seems to be the only way for 2.1 1 to move forward, we could also stay om 2.0.x (it has all CVE fixes) and migrate to 2.1.x later on, as an option .

Thank you for checking @reta! I'll add the filter back in and create a GH issue to track its removal once 2.1.2 is released.

This reverts commit dc011de. Signed-off-by: Craig Perkins <[email protected]>

Signed-off-by: Craig Perkins <[email protected]>

github-actions · 2025-09-04T16:12:06Z

❌ Gradle check result for a7faba9: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions · 2025-09-04T19:18:50Z

❌ Gradle check result for a7faba9: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions · 2025-09-05T00:09:42Z

❌ Gradle check result for a7faba9: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions · 2025-09-05T01:42:00Z

✅ Gradle check result for a7faba9: SUCCESS

codecov · 2025-09-05T01:42:22Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.82%. Comparing base (3f86407) to head (a7faba9).
⚠️ Report is 15 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #19222      +/-   ##
============================================
- Coverage     72.87%   72.82%   -0.05%     
+ Complexity    69698    69625      -73     
============================================
  Files          5656     5656              
  Lines        319999   319999              
  Branches      46335    46335              
============================================
- Hits         233207   233052     -155     
- Misses        67946    68083     +137     
- Partials      18846    18864      +18

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

cwperks · 2025-09-05T11:23:14Z

@reta would you mind re-approving?

…tty4 (opensearch-project#19222) * Upgrade multiple deps including bc-fips jars and transport-reactor-netty4 Signed-off-by: Craig Perkins <[email protected]> * Add to CHANGELOG Signed-off-by: Craig Perkins <[email protected]> * Create BouncyCastleThreadFilter Signed-off-by: Craig Perkins <[email protected]> * Revert "Create BouncyCastleThreadFilter" This reverts commit 2c9d269. Signed-off-by: Craig Perkins <[email protected]> * Set org.bouncycastle.native.cleanup_delay to 0 for testing Signed-off-by: Craig Perkins <[email protected]> * Revert "Revert "Create BouncyCastleThreadFilter"" This reverts commit dc011de. Signed-off-by: Craig Perkins <[email protected]> * Re-add BouncyCastleThreadFilter Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]>

…tty4 (opensearch-project#19222) * Upgrade multiple deps including bc-fips jars and transport-reactor-netty4 Signed-off-by: Craig Perkins <[email protected]> * Add to CHANGELOG Signed-off-by: Craig Perkins <[email protected]> * Create BouncyCastleThreadFilter Signed-off-by: Craig Perkins <[email protected]> * Revert "Create BouncyCastleThreadFilter" This reverts commit 2c9d269. Signed-off-by: Craig Perkins <[email protected]> * Set org.bouncycastle.native.cleanup_delay to 0 for testing Signed-off-by: Craig Perkins <[email protected]> * Revert "Revert "Create BouncyCastleThreadFilter"" This reverts commit dc011de. Signed-off-by: Craig Perkins <[email protected]> * Re-add BouncyCastleThreadFilter Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]> Signed-off-by: Ankit Jain <[email protected]>

…tty4 (opensearch-project#19222) * Upgrade multiple deps including bc-fips jars and transport-reactor-netty4 Signed-off-by: Craig Perkins <[email protected]> * Add to CHANGELOG Signed-off-by: Craig Perkins <[email protected]> * Create BouncyCastleThreadFilter Signed-off-by: Craig Perkins <[email protected]> * Revert "Create BouncyCastleThreadFilter" This reverts commit 2c9d269. Signed-off-by: Craig Perkins <[email protected]> * Set org.bouncycastle.native.cleanup_delay to 0 for testing Signed-off-by: Craig Perkins <[email protected]> * Revert "Revert "Create BouncyCastleThreadFilter"" This reverts commit dc011de. Signed-off-by: Craig Perkins <[email protected]> * Re-add BouncyCastleThreadFilter Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]>

Upgrade multiple deps including bc-fips jars and transport-reactor-ne…

6f251c6

…tty4 Signed-off-by: Craig Perkins <[email protected]>

cwperks requested a review from a team as a code owner September 2, 2025 19:42

cwperks added 2 commits September 2, 2025 16:32

Add to CHANGELOG

429bde4

Signed-off-by: Craig Perkins <[email protected]>

Merge branch 'main' into update-bc-deps

c699e1c

reta approved these changes Sep 2, 2025

View reviewed changes

Create BouncyCastleThreadFilter

2c9d269

Signed-off-by: Craig Perkins <[email protected]>

cwperks added 2 commits September 3, 2025 10:23

Revert "Create BouncyCastleThreadFilter"

dc011de

This reverts commit 2c9d269. Signed-off-by: Craig Perkins <[email protected]>

Set org.bouncycastle.native.cleanup_delay to 0 for testing

a854320

Signed-off-by: Craig Perkins <[email protected]>

reta reviewed Sep 4, 2025

View reviewed changes

test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java Outdated Show resolved Hide resolved

reta force-pushed the update-bc-deps branch from 1ac363d to dc011de Compare September 4, 2025 11:28

cwperks added 2 commits September 4, 2025 10:25

Revert "Revert "Create BouncyCastleThreadFilter""

ca4c71c

This reverts commit dc011de. Signed-off-by: Craig Perkins <[email protected]>

Re-add BouncyCastleThreadFilter

a7faba9

Signed-off-by: Craig Perkins <[email protected]>

cwperks mentioned this pull request Sep 4, 2025

[BUG] Use system prop org.bouncycastle.native.cleanup_delay with value 0 to disable BC cleanup for tests after upgrade to 2.1.2 #19238

Open

reta approved these changes Sep 5, 2025

View reviewed changes

cwperks merged commit 53f428c into opensearch-project:main Sep 5, 2025
34 of 40 checks passed

cwperks mentioned this pull request Sep 10, 2025

Remove errantly added file #19268

Merged

3 tasks

dbwiddis mentioned this pull request Oct 12, 2025

fix: issue-19148 - bump commons-lang3, bcprov-jdk18on, bouncycastle #19155

Merged

BrewTestBot mentioned this pull request Oct 15, 2025

opensearch 3.3.0 Homebrew/homebrew-core#249627

Merged

Upgrade multiple deps including bc-fips jars and transport-reactor-netty4 #19222

Upgrade multiple deps including bc-fips jars and transport-reactor-netty4 #19222

Uh oh!

Conversation

cwperks commented Sep 2, 2025

Description

Related Issues

Check List

Uh oh!

github-actions bot commented Sep 2, 2025

Uh oh!

github-actions bot commented Sep 2, 2025

Uh oh!

reta left a comment

Choose a reason for hiding this comment

Uh oh!

cwperks commented Sep 3, 2025

Uh oh!

github-actions bot commented Sep 3, 2025

Uh oh!

reta commented Sep 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cwperks commented Sep 3, 2025

Uh oh!

github-actions bot commented Sep 3, 2025

Uh oh!

cwperks commented Sep 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Sep 4, 2025

Uh oh!

github-actions bot commented Sep 4, 2025

Uh oh!

reta commented Sep 4, 2025

Uh oh!

github-actions bot commented Sep 4, 2025

Uh oh!

reta commented Sep 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cwperks commented Sep 4, 2025

Uh oh!

github-actions bot commented Sep 4, 2025

Uh oh!

github-actions bot commented Sep 4, 2025

Uh oh!

github-actions bot commented Sep 5, 2025

Uh oh!

github-actions bot commented Sep 5, 2025

Uh oh!

codecov bot commented Sep 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

cwperks commented Sep 5, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

reta commented Sep 3, 2025 •

edited

Loading

cwperks commented Sep 3, 2025 •

edited

Loading

reta commented Sep 4, 2025 •

edited

Loading

codecov bot commented Sep 5, 2025 •

edited

Loading