wu-sheng opened a new pull request, #13921: URL: https://github.com/apache/skywalking/pull/13921
### Fix three open security alerts (1 Dependabot, 2 code-scanning)

- [x] Add a unit test to verify that the fix works.
- [x] Explain briefly why the bug exists and how to fix it.

Clears all three open HIGH security alerts on the default branch.

**1. Dependabot — `protobuf` CVE-2026-0994 (JSON recursion-depth DoS)**

`test/e2e-v2/cases/airflow/mock/requirements-replay.txt` pinned `protobuf==4.25.8`. There is no patched 4.x release (fix line is `protobuf>=5.29.6`), and `opentelemetry-proto==1.24.0` caps `protobuf<5.0`, so both move together:

- `protobuf` `4.25.8` → `5.29.6`
- `opentelemetry-proto` `1.24.0` → `1.28.0` (earliest release allowing `protobuf>=5`)
- `grpcio` / `flask` unchanged — `grpcio` has no protobuf runtime dependency (protobuf is only its optional `[protobuf]` extra), `flask` is unrelated.

This is a **CI-only e2e mock** (a throwaway Flask/gRPC OTLP emitter), never shipped in the OAP — same class as the earlier test-fixture CVE cleanups (#13913 / #13915).

**2 & 3. Code-scanning — `java/implicit-cast-in-compound-assignment`**

In `SumHistogramPercentileFunction` and `AvgHistogramPercentileFunction`, the cumulative bucket counter was `int count`, but `count += value` adds a `Long` bucket count — promoting to `long`, then **silently narrowing back to `int`**. `total` (the same bucket sum) was already `long`, so the counter was inconsistent and could truncate above `Integer.MAX_VALUE`.

- Fix: `int count` → `long count` in both functions. `count >= roof` (long ≥ int) still works; no other change needed.

**Verification:** `SumHistogramPercentileFunctionTest` + `AvgHistogramPercentileFunctionTest` pass (12/12); server-core checkstyle and license headers clean.

- [ ] If this pull request closes/resolves/fixes an existing issue, replace the issue number. Closes #<issue number>.
- [x] Update the [`CHANGES` log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
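The narrowing described under items 2 & 3, shown in a stand-alone Java illustration added here (not SkyWalking code): a constructed cumulative bucket walk with an `int` accumulator beside the `long` version, where the `Long` bucket counts, the `int` roof and the bucket index it returns are all assumptions for the demo.

```java
import java.util.List;

// Added illustration of java/implicit-cast-in-compound-assignment, not SkyWalking's own code.
// Bucket counts arrive boxed as Long; a cumulative counter is compared against an int roof
// to find the bucket in which the requested percentile falls.
public class CompoundAssignmentNarrowing {

    // Constructed sample: the running sum crosses Integer.MAX_VALUE at the second bucket.
    static final List<Long> BUCKET_COUNTS = List.of(1_000_000_000L, 2_000_000_000L, 100L);
    static final int ROOF = 2_000_000_000; // constructed percentile threshold, fits in an int

    /** Before the fix: `count += value` is really `count = (int) (count + value)`. */
    static int bucketIndexBuggy(List<Long> counts, int roof) {
        int count = 0;
        for (int i = 0; i < counts.size(); i++) {
            count += counts.get(i); // promoted to long, then silently narrowed back to int
            if (count >= roof) {
                return i;
            }
        }
        return -1; // roof never reached: 3_000_000_000 wrapped to -1_294_967_296
    }

    /** After the fix: long accumulator, consistent with the long bucket total. */
    static int bucketIndexFixed(List<Long> counts, int roof) {
        long count = 0;
        for (int i = 0; i < counts.size(); i++) {
            count += counts.get(i); // long += Long, no narrowing; long >= int compares fine
            if (count >= roof) {
                return i;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        System.out.println("buggy: " + bucketIndexBuggy(BUCKET_COUNTS, ROOF)); // -1 (wrapped)
        System.out.println("fixed: " + bucketIndexFixed(BUCKET_COUNTS, ROOF)); // 1
    }
}
```

Compiling with `javac -Xlint` does not flag the narrowing, which is why the code-scanning rule exists; a unit test whose cumulative count exceeds `Integer.MAX_VALUE` is the reliable regression check.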
