
Bump dependencies to address CVEs#21879

Merged
andrross merged 1 commit into
opensearch-project:mainfrom
cwperks:bump-deps-cve-fixes
May 29, 2026

Conversation

@cwperks (Member) commented May 29, 2026

Description

Bump dependencies to address multiple CVEs:

| CVE | Dependency | Fix |
|---|---|---|
| CVE-2026-2332 (HIGH) | jetty-http | Bumped 9.4.57 → 9.4.58 (latest public 9.4.x; no full fix available — 9.4.x is EOL, patched versions only via paid support) |
| CVE-2026-35554 (HIGH) | kafka-clients | Bumped 3.9.1 → 3.9.2 |
| CVE-2025-67030 (HIGH) | plexus-utils | Upgraded maven-model 3.9.12 → 3.9.16, forced plexus-utils 4.0.3, added plexus-xml 3.0.1 |
| CVE-2026-34480 (MEDIUM) | log4j-core | Forced log4j-core to 2.25.4 in buildSrc |
| CVE-2026-34478 (MEDIUM) | log4j-core | Same fix — forced to 2.25.4 |
| CVE-2026-34477 (MEDIUM) | log4j-core | Same fix — forced to 2.25.4 |

Note on CVE-2026-2332: Jetty 9.4.x is EOL. The fix version (9.4.61) is only available through paid EOL support (Webtide/TuxCare/HeroDevs). We cannot upgrade to Jetty 10+ because Hadoop 3.5.0 is compiled against the Jetty 9.4 API. This dependency is test-scope only (hdfs-fixture for integration tests).

Issues Resolved

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

Testing

  • ./gradlew precommit passes
  • ./gradlew :test:fixtures:hdfs-fixture:compileJava passes
  • ./gradlew :plugins:repository-hdfs:compileJava passes
  • ./gradlew :plugins:ingestion-kafka:compileJava passes

@github-actions (Contributor)

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 038f14f.

| Path | Line | Severity | Description |
|---|---|---|---|
| buildSrc/build.gradle | 134 | high | New dependency added: org.codehaus.plexus:plexus-xml:3.0.1. New artifacts introduced to the build must be verified for authenticity and integrity. |
| buildSrc/build.gradle | 164 | high | Forced dependency version added for org.codehaus.plexus:plexus-utils:4.0.3. Forcing a transitive dependency version can override security-patched versions resolved elsewhere in the build graph. |
| buildSrc/build.gradle | 165 | high | Forced dependency version added for org.apache.logging.log4j:log4j-core using a property value. Forcing log4j-core to a specific version could pin it to a vulnerable release; the resolved version should be verified against known CVEs. |
| buildSrc/build.gradle | 134 | high | Version bump for org.apache.maven:maven-model from 3.9.12 to 3.9.16. Artifact authenticity of the new version must be independently verified. |
| plugins/ingestion-kafka/build.gradle | 20 | high | Kafka client version bumped from 3.9.1 to 3.9.2. The new artifact must be verified against the updated SHA1 file and official release checksums. |
| plugins/ingestion-kafka/licenses/kafka-clients-3.9.2.jar.sha1 | 1 | high | New SHA1 checksum file introduced for kafka-clients-3.9.2.jar (a06edbaa01458ed2e8cf1be69a18c2f231fda6e0). This value must be cross-checked against the official Apache Kafka release to confirm it has not been tampered with. |
| test/fixtures/hdfs-fixture/build.gradle | 54 | high | Direct Jetty dependencies (jetty-server and javax-websocket-server-impl) removed and exclusion rules broadened to group-level. This changes the transitive Jetty artifacts that end up on the test classpath and should be verified to not introduce unintended vulnerable or unexpected Jetty versions via other transitive paths. |

The table above displays the top 10 most important findings.

Total: 7 | Critical: 0 | High: 7 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
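The analyzer's two checksum findings above ask for the same thing: confirm that the jar pulled into the build hashes to the value recorded in the `licenses/*.jar.sha1` file, and that this value agrees with the checksum published by the upstream repository rather than only with itself. The script below is an added example of that check, not code from the OpenSearch repository or from the analyzer. It constructs a sample jar and checksum file in a temporary directory (the artifact name, bytes and digest are made up for the demo); in real use `jar` and `sha1_file` would point at the downloaded artifact and the in-repo `.sha1`, and `upstream_digest` would be the contents of the artifact's `.sha1` file fetched separately from Maven Central, which publishes one next to every artifact.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

# Maven Central .sha1 files hold just the hex digest; sha1sum-style tools write
# "<digest>  <filename>". Accept both so either kind of file can be checked.
_SHA1_RE = re.compile(r"^([0-9a-fA-F]{40})(\s|$)")


def parse_sha1_file(text: str) -> str:
    """Return the lowercase 40-hex SHA-1 digest recorded in a *.jar.sha1 file."""
    m = _SHA1_RE.match(text.strip())
    if not m:
        raise ValueError("checksum file does not start with a 40-hex-digit SHA-1")
    return m.group(1).lower()


def sha1_of_file(path: Path) -> str:
    """Stream the file through SHA-1 so large jars need not fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(jar: Path, sha1_file: Path,
                    upstream_digest: Optional[str] = None) -> dict:
    """Compare the jar with the in-repo checksum file and, when given, with a digest
    obtained independently from the upstream repository. A local-only comparison
    cannot detect a jar and checksum file that were replaced together; the
    upstream comparison can."""
    actual = sha1_of_file(jar)
    expected_local = parse_sha1_file(sha1_file.read_text())
    result = {
        "jar": jar.name,
        "actual": actual,
        "expected_local": expected_local,
        "matches_local": actual == expected_local,
        "matches_upstream": None,  # None means no upstream digest was supplied
    }
    if upstream_digest is not None:
        result["matches_upstream"] = actual == upstream_digest.strip().lower()
    result["ok"] = result["matches_local"] and result["matches_upstream"] is not False
    return result


def demo(tamper: bool = False) -> dict:
    """Build a constructed sample jar plus checksum file in a temp dir and verify
    them. With tamper=True the jar is altered after the checksum file is written,
    so the check must report a mismatch."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed artifact name and bytes; not a real jar or release.
        jar = root / "example-client-0.0.1.jar"
        sha1_file = root / "example-client-0.0.1.jar.sha1"
        payload = b"PK\x03\x04 constructed sample jar bytes, not a real archive"
        jar.write_bytes(payload)
        digest = hashlib.sha1(payload).hexdigest()
        sha1_file.write_text(digest + "\n")
        if tamper:
            jar.write_bytes(payload + b" extra bytes")
        # Here the "upstream" digest is the same constructed value; in real use it
        # comes from the repository's own .sha1 file, fetched separately.
        return verify_artifact(jar, sha1_file, upstream_digest=digest)


if __name__ == "__main__":
    for r in (demo(), demo(tamper=True)):
        status = "OK" if r["ok"] else "MISMATCH"
        print(f"{r['jar']}: {status} actual={r['actual']} expected={r['expected_local']}")
```

Run the script directly to see a passing and a failing case; to check a real artifact, call `verify_artifact` with the downloaded jar, the repository's `licenses/<name>.jar.sha1`, and the digest text fetched from the upstream repository's `.sha1` URL.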

@cwperks cwperks added the labels skip-diff-analyzer (Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis) and backport 3.7 (backport to 3.7 branch) May 29, 2026
@github-actions (Contributor) commented May 29, 2026

PR Reviewer Guide 🔍

(Review updated until commit 1b00486)

Here are some key observations to aid the review process:

🧪 No relevant tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ No major issues detected

@cwperks (Member, Author) commented May 29, 2026

Added backport label even though backport bot is disabled. If CI passes (not sure due to new excludes rule in the hdfs fixture), then this would need to be manually backported.

The global force for log4j-core (needed to resolve transitive dep from gradle shadow plugin) and plexus-utils (gradle plugin transitive dep) should be ok.

@cwperks cwperks closed this May 29, 2026
@github-actions (Contributor)

❌ Gradle check result for 038f14f: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@cwperks cwperks reopened this May 29, 2026

- Bump jetty 9.4.57 -> 9.4.58 in hdfs-fixture (CVE-2026-2332, latest public 9.4.x, no full fix available for EOL line)
- Bump kafka-clients 3.9.1 -> 3.9.2 (CVE-2026-35554)
- Upgrade maven-model 3.9.12 -> 3.9.16, force plexus-utils 4.0.3 (CVE-2025-67030)
- Force log4j-core to 2.25.4 in buildSrc (CVE-2026-34480, CVE-2026-34478, CVE-2026-34477)

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks cwperks force-pushed the bump-deps-cve-fixes branch from 038f14f to 1b00486 May 29, 2026 02:02
@github-actions (Contributor)

Persistent review updated to latest commit 1b00486

Comment thread test/fixtures/hdfs-fixture/build.gradle
@cwperks cwperks marked this pull request as ready for review May 29, 2026 02:10
@cwperks cwperks requested a review from a team as a code owner May 29, 2026 02:10
@github-actions (Contributor)

❌ Gradle check result for 1b00486: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions (Contributor)

❌ Gradle check result for 1b00486: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Comment thread buildSrc/build.gradle
@github-actions (Contributor)

✅ Gradle check result for 1b00486: SUCCESS

@codecov codecov Bot commented May 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.44%. Comparing base (e0404f4) to head (1b00486).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main   #21879      +/-   ##
============================================
+ Coverage     73.36%   73.44%   +0.08%     
- Complexity    75430    75503      +73     
============================================
  Files          6034     6034              
  Lines        342604   342604              
  Branches      49279    49279              
============================================
+ Hits         251357   251634     +277     
+ Misses        71220    70970     -250     
+ Partials      20027    20000      -27     


@andrross andrross merged commit f249d49 into opensearch-project:main May 29, 2026
33 of 37 checks passed

Labels

backport 3.7 backport to 3.7 branch skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis.


2 participants