Upgrade netty to 4.1.77

[cwperks]

Signed-off-by: Craig Perkins [email protected]

Description

[Describe what this change achieves]

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

First PR! 🥇 This upgrades Netty to address a CVE in 4.1.73. This resolves 1831

• Why these changes are required?
• What is the old behavior before changes and new behavior after changes?

Issues Resolved

• 1831

Is this a backport? If so, please add backport PR # and/or commits #

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

This passes CI

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #1926 (5c8f9b7) into main (1904db5) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##               main    #1926   +/-   ##
=========================================
  Coverage     60.99%   60.99%           
  Complexity     3233     3233           
=========================================
  Files           256      256           
  Lines         18088    18088           
  Branches       3224     3224           
=========================================
  Hits          11033    11033           
  Misses         5471     5471           
  Partials       1584     1584           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1904db5...5c8f9b7. Read the comment docs.

[peternied]

Thanks for the contribution, WhiteSource detected the fixes are in, thanks.

[cliu123]

The CVE points to netty-common-4.1.73.Final. Is it possible only to upgrade the version of io.netty:netty-common?

[cwperks]

@peternied I just noticed that netty is defined in core's version.properties here: https://github.com/opensearch-project/OpenSearch/blob/aa6f782dd58aa5019bcb16009182c9fc1ec9fa0e/buildSrc/version.properties

Should the security plugin use the version from this properties file? The build.gradle for security references versions.jackson and versions.jackson_databind which I believe get resolved with the values in this file at build time.

[peternied]

@cwperks Good investigation, I think as we've done with capturing the jackson dependencies version from OpenSearch's versions - we should follow suite with netty. This also means that we should make sure that the CVE is addressed in the OpenSearch codebase - can you make the pull request there as well?

[cwperks]

@peternied Will do. I'll update this thread with the PR into core when I've opened it.

[cliu123]

@cwperks Could you please sign the 2nd commits too?

[cwperks]

@cliu123 I shortened it to one commit and signed off.

[cwperks]

Created a PR against core to update this across the board: opensearch-project/OpenSearch#3772