
MCP-440 Update dependencies resolution #361

Merged
nquinquenel merged 1 commit into master from task/nq/fix-vuln on Apr 27, 2026

Conversation

@nquinquenel (Member)

No description provided.

hashicorp-vault-sonar-prod (bot) changed the title from "Update dependencies resolution" to "MCP-440 Update dependencies resolution" on Apr 25, 2026

hashicorp-vault-sonar-prod Bot commented Apr 25, 2026

MCP-440

@nquinquenel (Member, Author)

@sonar-review-alpha review


sonar-review-alpha Bot commented Apr 26, 2026

Summary

This PR fixes security vulnerabilities by enforcing patched versions of transitive dependencies that are pulled in indirectly through the build chain.

Changes:

What reviewers should know

For reviewers:

  • The approach uses Gradle's resolutionStrategy.eachDependency to force safe versions of libraries pulled in transitively (e.g., via xodus-entity-store, mcp-json-jackson2, sonarlint-rpc-impl, sonarlint-core)
  • Each override includes a CVE/advisory reference in a because() comment for traceability
  • The overrides apply globally across all configurations in both the main build and integration tests
  • This is a non-invasive way to address transitive dependency vulnerabilities without requiring upstream projects to update first

Things to check:

  • Verify the chosen versions (2.2.0, 2.21.1, 3.1.2, 1.28.0) are indeed patched versions addressing the cited CVEs
  • Confirm these versions are compatible with the code and don't introduce any breaking changes
  • The mcp-server bump may be related to this fix—check the changelog if available



nquinquenel marked this pull request as ready for review on April 27, 2026 07:33

Contributor commented:

🔥 🧯 🧑‍🚒


@sonar-review-alpha (bot) left a review comment

LGTM! ✅

The commons-compress duplication flagged in the previous review round is still present — the two blocks now have identical because() text (that part is addressed), but the structural duplication across build.gradle.kts and its/build.gradle.kts remains, meaning a version bump still requires two-place edits.

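The pinning approach the review summary describes (Gradle's `resolutionStrategy.eachDependency` with a `because()` reason per override) and the one-place definition the follow-up review asks for, as an added example that is not code from this PR: a Gradle Kotlin DSL script plugin assumed to live at `gradle/forced-versions.gradle.kts` and applied from both `build.gradle.kts` and `its/build.gradle.kts` with `apply(from = ...)`. The coordinates, the advisory id and the mapping of the version to a library are assumptions, not values taken from the PR.

```kotlin
// gradle/forced-versions.gradle.kts  (assumed path; added example, not the PR's code)
//
// Apply it from every build that needs the pins, so a version bump is a one-place edit:
//   apply(from = "gradle/forced-versions.gradle.kts")       // in build.gradle.kts
//   apply(from = "../gradle/forced-versions.gradle.kts")    // in its/build.gradle.kts

// One row per transitive library to pin: "group:name" -> (patched version, advisory reference).
// The advisory id is a placeholder; record the real CVE/GHSA id here so the reason is traceable.
val forcedVersions: Map<String, Pair<String, String>> = mapOf(
    // 1.28.0 is one of the versions listed in the review; that it is the commons-compress pin
    // is an assumption for this example, so verify it against the advisory before copying.
    "org.apache.commons:commons-compress" to ("1.28.0" to "CVE-PLACEHOLDER: commons-compress"),
)

// Apply to every configuration (compile, runtime, test, ...) of the project this script is applied to.
configurations.all {
    resolutionStrategy.eachDependency {
        val key = "${requested.group}:${requested.name}"
        forcedVersions[key]?.let { (pinnedVersion, advisory) ->
            // Rewrite only when the requested version differs, so unaffected resolutions stay untouched.
            if (requested.version != pinnedVersion) {
                useVersion(pinnedVersion)
                because(advisory)   // shown by `gradle dependencyInsight --dependency <name>`
            }
        }
    }
}
```

To confirm a pin actually took effect, run `gradle dependencyInsight --dependency commons-compress` in each build; the selected version should be the pinned one and the `because()` text appears as the selection reason.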

nquinquenel merged commit 43f46b1 into master on Apr 27, 2026
13 checks passed
nquinquenel deleted the task/nq/fix-vuln branch on April 27, 2026 08:00