This is an automated email from the ASF dual-hosted git repository.
wu-sheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git
The following commit(s) were added to refs/heads/master by this push:
new e1acb44d1a Clear 3 security alerts: protobuf e2e fixture CVE-2026-0994 + histogram count narrowing (#13921)
e1acb44d1a is described below
commit e1acb44d1a939bc2155e1583f5d4d41fe9825907
Author: 吴晟 Wu Sheng <[email protected]>
AuthorDate: Sat Jun 20 09:13:59 2026 +0800
Clear 3 security alerts: protobuf e2e fixture CVE-2026-0994 + histogram count narrowing (#13921)

* Clear 3 security alerts: protobuf e2e fixture CVE + histogram count narrowing

- Dependabot CVE-2026-0994: bump the Airflow e2e mock's pinned protobuf
  4.25.8 -> 5.29.6 (no 4.x patch exists) and opentelemetry-proto 1.24.0 -> 1.28.0
  (its protobuf<5.0 cap was the blocker). CI-only test fixture, never shipped;
  grpcio/flask unchanged.

- CodeQL java/implicit-cast-in-compound-assignment: widen the cumulative `count`
  accumulator from int to long in Sum/AvgHistogramPercentileFunction. `count +=
  value` silently narrowed a long bucket-count sum back to int; `total` was
  already long.
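The second bullet describes a Java pitfall that is easy to miss in review: a compound assignment such as `count += value` compiles even when `value` is wider than `count`, because the language inserts a cast for you. The following is an added, stand-alone example (not SkyWalking code and not part of this commit) that reproduces the pre-fix and post-fix accumulator shapes on constructed bucket counts, and also exercises the `Math.round(total * rank * 1.0f / 100)` roof computation visible in the hunk context, whose `float` path and `int` return have a related width problem. Class and method names, the bucket counts and the rank list are all invented for the illustration.

```java
import java.util.List;

/**
 * Added example (not SkyWalking's code): integer-width traps around a
 * histogram-percentile loop. Only the shape of the two expressions
 * `count += value` and `Math.round(total * rank * 1.0f / 100)` is taken
 * from the patch; everything else here is constructed.
 */
public class HistogramCountWidth {

    // Constructed input: bucket counts whose sum (3,000,000,000) exceeds Integer.MAX_VALUE.
    static final long[] BUCKET_COUNTS = {1_500_000_000L, 1_000_000_000L, 500_000_000L};
    // Constructed percentile ranks, in the same "percent as int" form the patch uses.
    static final List<Integer> RANKS = List.of(50, 99);

    /**
     * Pre-fix shape: int accumulator fed long addends. JLS 15.26.2 defines
     * `count += value` as `count = (int) (count + value)`, so javac accepts it
     * and the high bits of the long sum are silently discarded. The spelled-out
     * form `count = count + value` would be a compile error ("possible lossy
     * conversion from long to int"), which is why CodeQL flags the compound form.
     */
    static int accumulateNarrowing(long[] counts) {
        int count = 0;
        for (long value : counts) {
            count += value;
        }
        return count;
    }

    /** Post-fix shape: long accumulator, no implicit cast anywhere. */
    static long accumulateWidened(long[] counts) {
        long count = 0;
        for (long value : counts) {
            count += value;
        }
        return count;
    }

    /**
     * Roofs in the shape visible in the hunk context. `long * int * 1.0f` is a
     * float (exact only up to 2^24), and Math.round(float) returns an int that
     * saturates at Integer.MAX_VALUE, so a roof is wrong for any total whose
     * scaled value exceeds 2^31 - 1: exactly the regime where widening `count` matters.
     */
    static int[] roofsFloat(long total, List<Integer> ranks) {
        int[] roofs = new int[ranks.size()];
        for (int i = 0; i < ranks.size(); i++) {
            roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 100);
        }
        return roofs;
    }

    /** Roofs in pure long arithmetic (round half up), no float anywhere in the path. */
    static long[] roofsLong(long total, List<Integer> ranks) {
        long[] roofs = new long[ranks.size()];
        for (int i = 0; i < ranks.size(); i++) {
            roofs[i] = (total * ranks.get(i) + 50) / 100;
        }
        return roofs;
    }

    public static void main(String[] args) {
        long total = accumulateWidened(BUCKET_COUNTS);
        int narrowed = accumulateNarrowing(BUCKET_COUNTS);
        System.out.println("long accumulator: " + total);
        System.out.println("int accumulator : " + narrowed + (narrowed < 0 ? "  (wrapped negative)" : ""));

        int[] viaFloat = roofsFloat(total, RANKS);
        long[] viaLong = roofsLong(total, RANKS);
        for (int i = 0; i < RANKS.size(); i++) {
            System.out.printf("p%d roof: float/int path = %d, long path = %d%s%n",
                    RANKS.get(i), viaFloat[i], viaLong[i],
                    viaFloat[i] == Integer.MAX_VALUE ? "  (saturated)" : "");
        }

        // Where an int is genuinely required downstream, fail loudly instead of wrapping.
        try {
            Math.toIntExact(total);
        } catch (ArithmeticException e) {
            System.out.println("Math.toIntExact rejected the total: " + e.getMessage());
        }
    }
}
```

Run with `java HistogramCountWidth.java` (JDK 11+). The int accumulator wraps to a negative value while the long one holds the true sum, and the p99 roof computed through `float`/`Math.round(float)` pins at `Integer.MAX_VALUE` while the long-arithmetic roof is the real 99 % mark; `Math.toIntExact` shows the cheap way to keep an int boundary honest when one cannot be widened.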
---
docs/en/changes/changes.md | 1 +
.../analysis/meter/function/avg/AvgHistogramPercentileFunction.java | 2 +-
.../analysis/meter/function/sum/SumHistogramPercentileFunction.java | 2 +-
test/e2e-v2/cases/airflow/mock/requirements-replay.txt | 6 +++---
4 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/docs/en/changes/changes.md b/docs/en/changes/changes.md
index 19944574a6..a91eefb067 100644
--- a/docs/en/changes/changes.md
+++ b/docs/en/changes/changes.md
@@ -304,6 +304,7 @@
* Bump Apache Curator `4.3.0` → `5.9.0` and Apache ZooKeeper `3.5.7` → `3.9.5`
together to clear CVE-2023-44981 (the bundled ZooKeeper jar carried it; OAP is
a ZooKeeper client only, so the server-side bug was never reachable, but the
jar tripped Dependabot). The cluster-zookeeper and configuration-zookeeper
plugins use only stable Curator APIs, so no source changes were required.
Operator-facing change: the supported ZooKeeper server version is now 3.6+
(Curator 5.x uses ZooKeeper persi [...]
* Migrate the Consul cluster and configuration client from the abandoned
`com.orbitz.consul:consul-client` `1.5.3` to the maintained fork
`org.kiwiproject:consul-client` `0.9.0` to clear the okhttp CVE the old client
carried (CVE-2021-0341; the old client pinned okhttp `3.14.9`, fixed in okhttp
`4.9.2+`), so the BOM now pins okhttp to `4.12.0`. The fork's `0.9.x` line is
the last one built for JDK 11 (which SkyWalking still targets); `1.0.0+` is
compiled to JDK 17 bytecode, so the migrat [...]
* Bump test-scope assertj-core `3.20.2` → `3.27.7` to clear CVE-2026-24400
(XXE in `isXmlEqualTo`, not used by any test).
+* Clear three security alerts: bump the Airflow e2e mock's pinned `protobuf`
`4.25.8` → `5.29.6` (with `opentelemetry-proto` `1.24.0` → `1.28.0`, whose
`protobuf<5.0` cap was the blocker, and `grpcio` `1.62.2` → `1.63.2`, required
because `opentelemetry-proto` `1.28.0`'s gRPC stubs call
`unary_unary(_registered_method=...)`) to clear CVE-2026-0994 — a CI-only test
fixture, never shipped; and widen the cumulative `count` accumulator from `int`
to `long` in `SumHistogramPercentileFunction` [...]
* Fix: continuous profiling policy validation now rejects a threshold / count
of `0` to match the error messages and rover's `value >= threshold` trigger
semantics (a `0` threshold would always trigger). CPU percent and HTTP error
rate are tightened from `[0-100]` to `(0-100]`.
* Fix wrong BanyanDB resource options in record data.
* Align the default BanyanDB stage `segmentInterval` values so each coarser
stage is an integer multiple of the finer one (`records` cold `3` → `4`,
`metricsMinute` cold `5` → `6`, `metricsHour` warm `7` → `10` and cold `15` →
`20`), keeping hot → warm → cold lifecycle migration on the cheap whole-segment
fast path.
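Review bot: the new `+` entry names CVE-2026-0994 but never says what the protobuf defect is or why the mock is unaffected beyond "a CI-only test fixture, never shipped", whereas the neighbouring entries each give the vulnerable API and a reachability verdict ("XXE in `isXmlEqualTo`, not used by any test"; "OAP is a ZooKeeper client only, so the server-side bug was never reachable"). Add the one-clause summary of the protobuf issue and the reachability reasoning so the changelog's per-CVE pattern stays consistent; the `grpcio` rationale (`unary_unary(_registered_method=...)`) is the kind of detail the protobuf half is missing.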
diff --git a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
index c018a2e7c1..fd3002e03a 100644
--- a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
+++ b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/avg/AvgHistogramPercentileFunction.java
@@ -248,7 +248,7 @@ public abstract class AvgHistogramPercentileFunction
extends Meter implements Ac
roofs[i] = Math.round(total * ranks.get(i) * 1.0f /
100);
}
- int count = 0;
+ long count = 0;
final List<String> sortedKeys =
subDataset.sortedKeys(Comparator.comparingLong(Long::parseLong));
int loopIndex = 0;
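Review bot: widening `count` to `long` leaves a second narrowing in this hunk's context untouched: `roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 100);` promotes the `long` product to `float` (exact only up to 2^24) and `Math.round(float)` returns an `int` that saturates at `Integer.MAX_VALUE`, so for totals large enough for the `count` fix to matter the roofs themselves are imprecise or pinned at 2,147,483,647, and a `long` count compared against a saturated roof gives the wrong percentile anyway. Suggest computing roofs in integer arithmetic with `roofs` typed `long[]`, e.g. `roofs[i] = (total * ranks.get(i) + 50) / 100;` (or `Math.round(total * ranks.get(i) / 100.0d)`, whose `double` overload returns `long`), and adding a test whose bucket counts sum past `Integer.MAX_VALUE` to pin both changes.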
diff --git a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
index 5d94a5f55f..b743597059 100644
--- a/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
+++ b/oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/analysis/meter/function/sum/SumHistogramPercentileFunction.java
@@ -214,7 +214,7 @@ public abstract class SumHistogramPercentileFunction
extends Meter implements Ac
roofs[i] = Math.round(total * ranks.get(i) * 1.0f /
100);
}
- int count = 0;
+ long count = 0;
final List<String> sortedKeys =
subDataset.sortedKeys(Comparator.comparingLong(Long::parseLong));
int loopIndex = 0;
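Review bot: the `roofs[i] = Math.round(total * ranks.get(i) * 1.0f / 100);` line in this hunk's context still routes a `long` total through `float` and `Math.round(float)`'s `int` return, which saturates at `Integer.MAX_VALUE` for large totals, so the widened `count` is compared against a roof that can no longer be right; widen the roof computation to `long` as well (`(total * ranks.get(i) + 50) / 100` with `roofs` as `long[]`). The context lines here are character-for-character the same as in `AvgHistogramPercentileFunction` (same roofs line, same `count`, same `sortedKeys(Comparator.comparingLong(Long::parseLong))`), so the percentile walk is a candidate for a shared helper; the next CodeQL finding would then be fixed in one place instead of two.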
diff --git a/test/e2e-v2/cases/airflow/mock/requirements-replay.txt b/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
index 2e302eda69..8754b425e3 100644
--- a/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
+++ b/test/e2e-v2/cases/airflow/mock/requirements-replay.txt
@@ -1,4 +1,4 @@
flask==3.1.3
-grpcio==1.62.2
-protobuf==4.25.8
-opentelemetry-proto==1.24.0
+grpcio==1.63.2
+protobuf==5.29.6
+opentelemetry-proto==1.28.0
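Review bot: the commit message says "grpcio/flask unchanged", but this hunk bumps `grpcio` `1.62.2` → `1.63.2`; the changelog entry records the reason (the `opentelemetry-proto` `1.28.0` stubs call `unary_unary(_registered_method=...)`), so it is the commit body that is stale, not the diff. Separately, the file pins versions but not artifact hashes, so a re-uploaded or substituted wheel of any of these four packages would install without complaint in CI; for a fixture that resolves from PyPI, `--hash=sha256:...` entries installed with `pip install --require-hashes` (pip-tools' `pip-compile --generate-hashes` emits them) would close that gap at no runtime cost.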