Replace commons-lang with org.apache.commons:commons-lang3

[markwu-sde]

Description

Make build.gradle use the version library for commons-lang3 and slf4j. This should fix the vulnerability CVE-2025-48924 and avoid us having to bump versions to be the same with core.

Related Issues

Resolves CVE-2025-48924

Check List

• Commits are signed per the DCO using --signoff.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[dbwiddis]

Hey @markwu-sde this broke other plugins that depend on both neural-search and knn:

> Task :integTest FAILED
Exec output and error:
| Output for ./bin/opensearch-plugin:-> Installing file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/opensearch-job-scheduler/3.3.0.0-SNAPSHOT/fd92668c28b5c0130c74bc7c11923ab581f84996/opensearch-job-scheduler-3.3.0.0-SNAPSHOT.zip
| -> Downloading file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/opensearch-job-scheduler/3.3.0.0-SNAPSHOT/fd92668c28b5c0130c74bc7c11923ab581f84996/opensearch-job-scheduler-3.3.0.0-SNAPSHOT.zip
| -> Installed opensearch-job-scheduler with folder name opensearch-job-scheduler
| -> Installing file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/opensearch-ml-plugin/3.3.0.0-SNAPSHOT/63fc78b25f2322826087989958d7eb3a3bc02a11/opensearch-ml-plugin-3.3.0.0-SNAPSHOT.zip
| -> Downloading file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/opensearch-ml-plugin/3.3.0.0-SNAPSHOT/63fc78b25f2322826087989958d7eb3a3bc02a11/opensearch-ml-plugin-3.3.0.0-SNAPSHOT.zip
| @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
| @     WARNING: plugin requires additional permissions     @
| @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
| * java.io.FilePermission /Users/widdisd/.aws/- read
| * java.io.FilePermission <<ALL FILES>> read
| * java.lang.RuntimePermission accessDeclaredMembers
| * java.lang.RuntimePermission accessUserInformation
| * java.lang.RuntimePermission createClassLoader
| * java.lang.RuntimePermission getClassLoader
| * java.lang.RuntimePermission getFileSystemAttributes
| * java.lang.RuntimePermission loadLibrary.*
| * java.lang.RuntimePermission setContextClassLoader
| * java.lang.RuntimePermission shutdownHooks
| * java.net.NetPermission accessUnixDomainSocket
| * java.net.SocketPermission * connect,resolve
| * java.util.PropertyPermission * read,write
| * java.util.PropertyPermission DJL_CACHE_DIR read,write
| * java.util.PropertyPermission PYTORCH_PRECXX11 read,write
| * java.util.PropertyPermission java.library.path read,write
| See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
| for descriptions of what these permissions allow and the associated risks.
| -> Installed opensearch-ml with folder name opensearch-ml
| -> Installing file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/opensearch-knn/3.3.0.0-SNAPSHOT/b766f272d3918b140cede7d46fac918441b72618/opensearch-knn-3.3.0.0-SNAPSHOT.zip
| -> Downloading file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/opensearch-knn/3.3.0.0-SNAPSHOT/b766f272d3918b140cede7d46fac918441b72618/opensearch-knn-3.3.0.0-SNAPSHOT.zip
| @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
| @     WARNING: plugin requires additional permissions     @
| @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
| * java.io.FilePermission /proc/cpuinfo read
| * java.lang.RuntimePermission accessDeclaredMembers
| * java.lang.RuntimePermission loadLibrary.opensearchknn_common
| * java.lang.RuntimePermission loadLibrary.opensearchknn_faiss
| * java.lang.RuntimePermission loadLibrary.opensearchknn_faiss_avx2
| * java.lang.RuntimePermission loadLibrary.opensearchknn_faiss_avx512
| * java.lang.RuntimePermission loadLibrary.opensearchknn_faiss_avx512_spr
| * java.lang.RuntimePermission loadLibrary.opensearchknn_nmslib
| * java.net.SocketPermission * connect,resolve
| See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
| for descriptions of what these permissions allow and the associated risks.
| -> Installed opensearch-knn with folder name opensearch-knn
| -> Installing file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/neural-search/3.3.0.0-SNAPSHOT/290b3d5a700a6aac43d2327f479881ab20cc4f26/neural-search-3.3.0.0-SNAPSHOT.zip
| -> Downloading file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/neural-search/3.3.0.0-SNAPSHOT/290b3d5a700a6aac43d2327f479881ab20cc4f26/neural-search-3.3.0.0-SNAPSHOT.zip
| -> Failed installing file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/neural-search/3.3.0.0-SNAPSHOT/290b3d5a700a6aac43d2327f479881ab20cc4f26/neural-search-3.3.0.0-SNAPSHOT.zip
| -> Rolling back opensearch-job-scheduler
| -> Rolled back opensearch-job-scheduler
| -> Rolling back opensearch-ml
| -> Rolled back opensearch-ml
| -> Rolling back opensearch-knn
| -> Rolled back opensearch-knn
| -> Rolling back file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/neural-search/3.3.0.0-SNAPSHOT/290b3d5a700a6aac43d2327f479881ab20cc4f26/neural-search-3.3.0.0-SNAPSHOT.zip
| -> Rolled back file:/Users/widdisd/.gradle/caches/modules-2/files-2.1/org.opensearch.plugin/neural-search/3.3.0.0-SNAPSHOT/290b3d5a700a6aac43d2327f479881ab20cc4f26/neural-search-3.3.0.0-SNAPSHOT.zip
| Exception in thread "main" java.lang.IllegalStateException: failed to load plugin opensearch-neural-search due to jar hell
|       at org.opensearch.plugins.PluginsService.checkBundleJarHell(PluginsService.java:765)
|       at org.opensearch.plugins.PluginsService.checkJarHellForPlugin(PluginsService.java:406)
|       at org.opensearch.tools.cli.plugin.InstallPluginCommand.jarHellCheck(InstallPluginCommand.java:834)
|       at org.opensearch.tools.cli.plugin.InstallPluginCommand.loadPluginInfo(InstallPluginCommand.java:811)
|       at org.opensearch.tools.cli.plugin.InstallPluginCommand.installPlugin(InstallPluginCommand.java:846)
|       at org.opensearch.tools.cli.plugin.InstallPluginCommand.execute(InstallPluginCommand.java:277)
|       at org.opensearch.tools.cli.plugin.InstallPluginCommand.execute(InstallPluginCommand.java:251)
|       at org.opensearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:110)
|       at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
|       at org.opensearch.cli.MultiCommand.execute(MultiCommand.java:104)
|       at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
|       at org.opensearch.cli.Command.main(Command.java:101)
|       at org.opensearch.tools.cli.plugin.PluginCli.main(PluginCli.java:66)
| Caused by: java.lang.IllegalStateException: jar hell!
| class: org.apache.commons.lang3.AnnotationUtils$1
| jar1: /Users/widdisd/git/flow-framework/build/testclusters/integTest-0/distro/3.3.0-ARCHIVE/plugins/opensearch-knn/commons-lang3-3.18.0.jar
| jar2: /Users/widdisd/git/flow-framework/build/testclusters/integTest-0/distro/3.3.0-ARCHIVE/plugins/.installing-692171699714963621/commons-lang3-3.18.0.jar
|       at org.opensearch.common.bootstrap.JarHell.checkClass(JarHell.java:316)
|       at org.opensearch.common.bootstrap.JarHell.checkJarHell(JarHell.java:215)
|       at org.opensearch.plugins.PluginsService.checkBundleJarHell(PluginsService.java:751)
|       ... 12 more

I think this dependency needs to be compileOnly rather than api.

[markwu-sde]

Yeah - previously we were using the legacy common lang package and so we weren't running into compile issues since I think neural plugin already moved over to common-lang3 a while ago. I'll send out another PR for this.

[dbwiddis]

No worries and no great rush. Might want to look at your other api dependencies while you're at it. :)

[owaiskazi19]

@markwu-sde neural plugin is also failing with jar hell

[markwu-sde]

@owaiskazi19 can we have the neural-plugin reference the version catalog library instead? I'm not sure exactly why we're extending the common-lang library so will need to do a little more digging on that

[opensearch-trigger-bot]

The backport to 2.19 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.19 2.19
# Navigate to the new working tree
cd .worktrees/backport-2.19
# Create a new branch
git switch --create backport/backport-2863-to-2.19
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 61f0d18401fdb2d3a018a1c13ef8c867e2e60b97
# Push it to GitHub
git push --set-upstream origin backport/backport-2863-to-2.19
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.19

Then, create a pull request where the base branch is 2.19 and the compare/head branch is backport/backport-2863-to-2.19.

[gaiksaya]

Hi folks,
Can we please backport this change to 2.19 branch as well? Looks like CVE is present there as well for commons-lang version.
Thanks!

[navneet1v]

@VijayanB please check this

[VijayanB]

@navneet1v @gaiksaya Will do manual backport and update here