Skip to content

[Snyk] Fix for 2 vulnerabilities #547

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ISGA wants to merge 1 commit into
base: main
Choose a base branch
from
+4 −4
Open

[Snyk] Fix for 2 vulnerabilities #547

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@
<org.glassfish.jaxb.xsom.version>2.3.3-b02</org.glassfish.jaxb.xsom.version>
<undertow.version>${undertow-legacy.version}</undertow.version>
<undertow-legacy.version>2.2.24.Final</undertow-legacy.version>
<undertow-jakarta.version>2.3.2.Final</undertow-jakarta.version>
<undertow-jakarta.version>2.3.21.Final</undertow-jakarta.version>
Comment on lines 124 to +126
Copy link
Copy Markdown
Contributor

@codeant-ai codeant-ai bot Jan 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: The new Undertow Jakarta version property is declared but not wired into the undertow.version property, so io.undertow:undertow-servlet and undertow-core still resolve to the legacy 2.2.24.Final line and the intended security upgrade to 2.3.21.Final never takes effect. [security]

Severity Level: Critical 🚨 
- ❌ Undertow-servlet remains vulnerable at 2.2.24.Final.
- ❌ Undertow-core remains vulnerable at 2.2.24.Final.
- ⚠️ Snyk security upgrade does not take effect.
- ⚠️ Runtime uses legacy Undertow on server startup.
Suggested change
<undertow.version>${undertow-legacy.version}</undertow.version>
<undertow-legacy.version>2.2.24.Final</undertow-legacy.version>
<undertow-jakarta.version>2.3.2.Final</undertow-jakarta.version>
<undertow-jakarta.version>2.3.21.Final</undertow-jakarta.version>
<undertow-legacy.version>2.2.24.Final</undertow-legacy.version>
<undertow-jakarta.version>2.3.21.Final</undertow-jakarta.version>
<undertow.version>${undertow-jakarta.version}</undertow.version>
Steps of Reproduction ✅ 
1. Open the PR final file at pom.xml and inspect the properties block around lines 124-126
(the properties section where undertow versions are declared). The file contains:

   - line 124: <undertow.version>${undertow-legacy.version}</undertow.version>

   - line 125: <undertow-legacy.version>2.2.24.Final</undertow-legacy.version>

   - line 126: <undertow-jakarta.version>2.3.21.Final</undertow-jakarta.version>

2. Build the project (mvn -DskipTests package) or run mvn dependency:tree on the module
that uses these properties. Maven will resolve io.undertow:undertow-servlet and
io.undertow:undertow-core using ${undertow.version} (line 124), which expands to
${undertow-legacy.version} -> 2.2.24.Final. Expected outcome: undertow dependencies remain
at 2.2.24.Final.

3. Observe that the new property undertow-jakarta.version (line 126) is defined but not
referenced by undertow.version, so the intended update to 2.3.21.Final does not take
effect and the vulnerable Undertow artifact versions are still used at runtime.

4. Conclusion: The suggestion to wire undertow.version to undertow-jakarta.version ensures
mvn dependency resolution picks 2.3.21.Final; without that change the Snyk upgrade is
ineffective. This reproduction follows the real Maven resolution path and the actual
property names present in pom.xml.
Prompt for AI Agent 🤖 
This is a comment left during a code review.

**Path:** pom.xml
**Line:** 124:126
**Comment:**
	*Security: The new Undertow Jakarta version property is declared but not wired into the `undertow.version` property, so `io.undertow:undertow-servlet` and `undertow-core` still resolve to the legacy 2.2.24.Final line and the intended security upgrade to 2.3.21.Final never takes effect.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

<wildfly-elytron.version>2.5.2.Final</wildfly-elytron.version>
<elytron.undertow-server.version>1.9.0.Final</elytron.undertow-server.version>
<woodstox.version>6.0.3</woodstox.version>
Expand Down Expand Up @@ -278,7 +278,7 @@
</developer>
</developers>

<contributors></contributors>
<contributors/>

<modules>
<module>boms</module>
Expand Down Expand Up @@ -1600,7 +1600,7 @@
<properties>
<ee.maven.groupId>org.jboss.eap</ee.maven.groupId>
<ee.maven.version>${eap8.version}</ee.maven.version>
<wildfly.version>${eap8.version}</wildfly.version>
<wildfly.version>39.0.0.Final</wildfly.version>
<wildfly.build-tools.version>${eap8.wildfly.build-tools.version}</wildfly.build-tools.version>
<wildfly.core.version>${eap8.wildfly.core.version}</wildfly.core.version>
</properties>
Expand All @@ -1615,7 +1615,7 @@
<properties>
<ee.maven.groupId>org.wildfly</ee.maven.groupId>
<ee.maven.version>${upstream.wildfly.version}</ee.maven.version>
<wildfly.version>${upstream.wildfly.version}</wildfly.version>
<wildfly.version>39.0.0.Final</wildfly.version>
<wildfly.build-tools.version>${upstream.wildfly.build-tools.version}</wildfly.build-tools.version>
<wildfly.core.version>${upstream.wildfly.core.version}</wildfly.core.version>
</properties>
Expand Down
Loading