minor: fix several CVE

extensions-contrib/druid-ranger-security/pom.xml

@@ -139,6 +139,22 @@
             <version>${apache.ranger.version}</version>
             <scope>compile</scope>
             <exclusions>
+                <exclusion>
+                    <groupId>org.apache.hadoop</groupId>
+                    <artifactId>hadoop-client-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.hadoop</groupId>
+                    <artifactId>hadoop-client-runtime</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>javax.xml.bind</groupId>
+                    <artifactId>jaxb-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.sun.xml.bind</groupId>
+                    <artifactId>jaxb-core</artifactId>
+                </exclusion>
                 <exclusion>
                     <groupId>org.apache.hadoop</groupId>
                     <artifactId>hadoop-common</artifactId>
@@ -189,6 +205,14 @@
             <artifactId>ranger-audit-dest-hdfs</artifactId>
             <version>${apache.ranger.version}</version>
             <exclusions>
+                <exclusion>
+                    <groupId>org.apache.hadoop</groupId>
+                    <artifactId>hadoop-client-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.hadoop</groupId>
+                    <artifactId>hadoop-client-runtime</artifactId>
+                </exclusion>
                 <exclusion>
                     <groupId>org.apache.hadoop</groupId>
                     <artifactId>hadoop-common</artifactId>

licenses.yaml

@@ -2242,7 +2242,7 @@ name: Plexus Common Utilities
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 3.1.0
+version: 3.6.1
 libraries:
   - org.codehaus.plexus: plexus-utils
 notices:
@@ -2264,7 +2264,7 @@ name: Jetty
 license_category: binary
 module: java-core
 license_name: Eclipse Public License 2.0
-version: 12.0.30
+version: 12.1.8
 libraries:
   - org.eclipse.jetty: jetty-alpn-client
   - org.eclipse.jetty: jetty-client
@@ -2275,6 +2275,8 @@ libraries:
   - org.eclipse.jetty: jetty-server
   - org.eclipse.jetty: jetty-session
   - org.eclipse.jetty: jetty-util
+  - org.eclipse.jetty.compression: jetty-compression-common
+  - org.eclipse.jetty.compression: jetty-compression-gzip
   - org.eclipse.jetty.ee8: jetty-ee8-nested
   - org.eclipse.jetty.ee8: jetty-ee8-proxy
   - org.eclipse.jetty.ee8: jetty-ee8-security
@@ -3502,7 +3504,7 @@ name: aircompressor
 license_category: binary
 module: extensions/druid-parquet-extensions
 license_name: Apache License version 2.0
-version: "2.0.2"
+version: "2.0.3"
 libraries:
   - io.airlift: aircompressor
 
@@ -4150,7 +4152,7 @@ name: aircompressor
 license_category: binary
 module: extensions/druid-orc-extensions
 license_name: Apache License version 2.0
-version: "2.0.2"
+version: "2.0.3"
 libraries:
   - io.airlift: aircompressor
 
@@ -4885,7 +4887,7 @@ notice: |
 
 name: org.apache.ranger ranger-plugins-audit-dest-es
 license_category: binary
-version: 2.7.0
+version: 2.8.0
 module: druid-ranger-security
 license_name: Apache License version 2.0
 libraries:
@@ -4895,7 +4897,7 @@ libraries:
 
 name: org.apache.ranger ranger-plugins-audit-dest-hdfs
 license_category: binary
-version: 2.7.0
+version: 2.8.0
 module: druid-ranger-security
 license_name: Apache License version 2.0
 libraries:
@@ -4905,7 +4907,7 @@ libraries:
 
 name: org.apache.ranger ranger-plugins-common
 license_category: binary
-version: 2.7.0
+version: 2.8.0
 module: druid-ranger-security
 license_name: Apache License version 2.0
 libraries:
@@ -5660,7 +5662,7 @@ license_category: binary
 module: web-console
 license_name: MIT License
 copyright: Matt Zabriskie
-version: 1.12.2
+version: 1.15.0
 license_file_path: licenses/bin/axios.MIT
 
 ---

owasp-dependency-check-suppressions.xml

@@ -264,6 +264,8 @@
     <cve>CVE-2025-55163</cve> <!-- Netty 3.x not affected; HTTP/2 issues only in 4.x -->
     <cve>CVE-2025-58056</cve>
     <cve>CVE-2025-58057</cve> <!-- Netty 3.x not affected; compression issue only in 4.x -->
+    <cve>CVE-2026-33870</cve> <!-- We don't use HttpPostRequestDecoder -->
+    <cve>CVE-2026-33871</cve> <!-- Netty 3.x not affected; HTTP/2 issues only in 4.x -->
   </suppress>
 
   <suppress>
@@ -476,6 +478,16 @@
     <cve>CVE-2022-4244</cve>
   </suppress>
 
+  <!--  CVE-2025-67030 affects plexus-utils in all versions prior to 4.0.3, but our usage does not exercise the vulnerable functionality and we are not impacted in practice;
+    upgrading to 4.0.3+ would require significant effort due to breaking changes and likely a full migration to Maven 4 and aligned ecosystem components -->
+  <suppress>
+    <notes><![CDATA[
+      file name: plexus-utils-*.jar
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-utils@.*$</packageUrl>
+    <cve>CVE-2025-67030</cve>
+  </suppress>
+
   <!-- CVE-2023-5072 has a too broad CPE that seems to be flagging dependencies like json-*. Neither Druid nor any of its
     ~ transitive dependency use json-java which contains the vulnerability-->
   <suppress base="true">

pom.xml

@@ -77,8 +77,8 @@
         <apache.curator.version>5.8.0</apache.curator.version>
         <apache.kafka.version>3.9.1</apache.kafka.version>
         <!-- when updating apache ranger, verify the usage of aws-bundle-sdk vs aws-logs-sdk
-        and update as needed in extensions-core/druid-ranger-security/pm.xml  -->
-        <apache.ranger.version>2.7.0</apache.ranger.version>
+        and update as needed in extensions-contrib/druid-ranger-security/pom.xml  -->
+        <apache.ranger.version>2.8.0</apache.ranger.version>
         <antlr4.version>4.5.3</antlr4.version>
         <gson.version>2.13.2</gson.version>
         <scala.library.version>2.13.16</scala.library.version>
@@ -102,7 +102,7 @@
         <guava.version>32.1.3-jre</guava.version>
         <guice.version>6.0.0</guice.version>
         <hamcrest.version>2.2</hamcrest.version>
-        <jetty.version>12.0.30</jetty.version>
+        <jetty.version>12.1.8</jetty.version>
         <jersey.version>1.19.4</jersey.version>
         <jackson.version>2.20.2</jackson.version>
         <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
@@ -1123,7 +1123,7 @@
             <dependency>
                 <groupId>io.airlift</groupId>
                 <artifactId>aircompressor</artifactId>
-                <version>2.0.2</version>
+                <version>2.0.3</version>
             </dependency>
             <dependency>
                 <groupId>org.checkerframework</groupId>
@@ -1203,7 +1203,7 @@
             <dependency>
                 <groupId>org.codehaus.plexus</groupId>
                 <artifactId>plexus-utils</artifactId>
-                <version>3.1.0</version>
+                <version>3.6.1</version>
             </dependency>
             <dependency>
                 <groupId>com.github.ben-manes.caffeine</groupId>