[PLUGIN-1918] [PLUGIN-1907] [PLUGIN-1904] CVE Fix for commons-lang3, logback-classic and org.json

sgarg-CS · sgarg-CS · commit 015f134f1b68 · 2025-08-12T21:07:44.000+05:30
Upgrade commons-lang3 from v3.8.1 to v3.18.0, logback-classic from v1.2.8 to v1.2.13 and org.json from v20180813 to v20231013
diff --git a/pom.xml b/pom.xml
@@ -65,15 +65,15 @@
     <hadoop.version>2.10.2</hadoop.version>
     <spark2.version>2.1.3</spark2.version>
     <hydrator.version>2.10.0</hydrator.version>
-    <commons.version>3.8.1</commons.version>
+    <commons.version>3.18.0</commons.version>
     <salesforce.api.version>53.0.0</salesforce.api.version>
     <cometd.java.client.version>4.0.0</cometd.java.client.version>
     <antlr.version>4.7.2</antlr.version>
     <mockito.version>2.23.0</mockito.version>
     <commons.csv.version>1.6</commons.csv.version>
     <jackson.version>1.9.13</jackson.version>
     <jackson2.version>2.17.1</jackson2.version>
-    <json.version>20180813</json.version>
+    <json.version>20231013</json.version>
     <awaitility.version>3.1.6</awaitility.version>
     <commons-logging.version>1.2</commons-logging.version>
     <testSourceLocation>${project.basedir}/src/test/java/</testSourceLocation>
@@ -94,7 +94,7 @@
     <dependency>
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-classic</artifactId>
-      <version>1.2.8</version>
+      <version>1.2.13</version>
     </dependency>
     <dependency>
       <groupId>io.cdap.cdap</groupId>
diff --git a/src/main/java/io/cdap/plugin/salesforce/plugin/source/streaming/SalesforceStreamingSourceUtil.java b/src/main/java/io/cdap/plugin/salesforce/plugin/source/streaming/SalesforceStreamingSourceUtil.java
@@ -33,6 +33,7 @@
 import org.slf4j.LoggerFactory;
 import scala.reflect.ClassTag$;
 
+import java.math.BigDecimal;
 import java.time.Instant;
 import java.time.LocalTime;
 import java.time.temporal.ChronoUnit;
@@ -147,6 +148,13 @@ private static Object convertValue(Object value, Schema.Field field) {
       }
     }
 
+    // NOTE: org.json >= 20230227 returns BigDecimal for all non-integer JSON numbers.
+    if (value instanceof BigDecimal && fieldSchemaType.equals(Schema.Type.DOUBLE)) {
+      // Avro Schema.Type.DOUBLE expects a Double instance (or primitive double) at serialization time,
+      // so converting BigDecimal → double for compatibility.
+      return ((BigDecimal) value).doubleValue();
+    }
+
     return value;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@`
`33`	`33`	`import org.slf4j.LoggerFactory;`
`34`	`34`	`import scala.reflect.ClassTag$;`
`35`	`35`
	`36`	`+import java.math.BigDecimal;`
`36`	`37`	`import java.time.Instant;`
`37`	`38`	`import java.time.LocalTime;`
`38`	`39`	`import java.time.temporal.ChronoUnit;`
`@@ -147,6 +148,13 @@ private static Object convertValue(Object value, Schema.Field field) {`
`147`	`148`	`}`
`148`	`149`	`}`
`149`	`150`
	`151`	`+ // NOTE: org.json >= 20230227 returns BigDecimal for all non-integer JSON numbers.`
	`152`	`+ if (value instanceof BigDecimal && fieldSchemaType.equals(Schema.Type.DOUBLE)) {`
	`153`	`+ // Avro Schema.Type.DOUBLE expects a Double instance (or primitive double) at serialization time,`
	`154`	`+ // so converting BigDecimal → double for compatibility.`
	`155`	`+ return ((BigDecimal) value).doubleValue();`
	`156`	`+ }`
	`157`	`+`
`150`	`158`	`return value;`
`151`	`159`	`}`
`152`	`160`