From 2141b759ed4c7296a8c9181d6ea401644e92884e Mon Sep 17 00:00:00 2001
From: Nick Cross <ncross@redhat.com>
Date: Mon, 20 Oct 2025 12:28:56 +0100
Subject: [PATCH 1/2] Update versions.

Updates parent, web-commons, jhhtpc, otel and undertow. Use versions from web-commons-bom.
---
 .github/workflows/maven-build.yml             |  2 +-
 .../o11yphant/metrics/util/NameUtils.java     |  2 +-
 pom.xml                                       | 34 +++----------------
 .../trace/impl/EnvSpanFieldsInjector.java     |  2 +-
 4 files changed, 8 insertions(+), 32 deletions(-)

diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml
index 6187f369..667dae68 100644
--- a/.github/workflows/maven-build.yml
+++ b/.github/workflows/maven-build.yml
@@ -41,7 +41,7 @@ jobs:
       with:
         servers: |
           [{
-              "id": "sonatype-nexus-snapshots",
+              "id": "central-portal-snapshots",
               "username": "${{ secrets.SONATYPE_BOT_USERNAME }}",
               "password": "${{ secrets.SONATYPE_BOT_TOKEN }}"
           }]
diff --git a/metrics/api/src/main/java/org/commonjava/o11yphant/metrics/util/NameUtils.java b/metrics/api/src/main/java/org/commonjava/o11yphant/metrics/util/NameUtils.java
index 924a01dd..f10a3f6b 100644
--- a/metrics/api/src/main/java/org/commonjava/o11yphant/metrics/util/NameUtils.java
+++ b/metrics/api/src/main/java/org/commonjava/o11yphant/metrics/util/NameUtils.java
@@ -17,7 +17,7 @@
 
 import org.commonjava.o11yphant.metrics.MetricsConstants;
 
-import static org.apache.commons.lang.StringUtils.isBlank;
+import static org.apache.commons.lang3.StringUtils.isBlank;
 
 public class NameUtils
 {
diff --git a/pom.xml b/pom.xml
index 22e38573..8852f1d0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -22,7 +22,7 @@
   <parent>
     <groupId>org.commonjava</groupId>
     <artifactId>commonjava</artifactId>
-    <version>18</version>
+    <version>21</version>
   </parent>
 
   <groupId>org.commonjava.util</groupId>
@@ -53,14 +53,12 @@
     <javaVersion>11</javaVersion>
     <test-forkCount>1</test-forkCount>
     <metricsVersion>4.2.21</metricsVersion>
-    <otelVersion>1.19.0</otelVersion>
+    <otelVersion>1.32.0</otelVersion>
     <prometheusVersion>0.16.0</prometheusVersion>
-    <logbackVersion>1.2.12</logbackVersion>
-    <undertowVersion>2.2.28.Final</undertowVersion>
+    <undertowVersion>2.2.38.Final</undertowVersion>
     <agroalVersion>1.16</agroalVersion>
     <datastaxVersion>3.11.5</datastaxVersion>
-    <httpclientVersion>4.5.13</httpclientVersion>
-    <jhttpcVersion>1.12</jhttpcVersion>
+    <jhttpcVersion>1.16</jhttpcVersion>
   </properties>
 
   <dependencyManagement>
@@ -68,7 +66,7 @@
       <dependency>
         <groupId>org.commonjava.boms</groupId>
         <artifactId>web-commons-bom</artifactId>
-        <version>29</version>
+        <version>30</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -185,17 +183,6 @@
         <version>${prometheusVersion}</version>
       </dependency>
 
-      <dependency>
-        <groupId>ch.qos.logback</groupId>
-        <artifactId>logback-classic</artifactId>
-        <version>${logbackVersion}</version>
-      </dependency>
-      <dependency>
-        <groupId>ch.qos.logback</groupId>
-        <artifactId>logback-core</artifactId>
-        <version>${logbackVersion}</version>
-      </dependency>
-
       <dependency>
         <groupId>org.commonjava.util</groupId>
         <artifactId>jhttpc</artifactId>
@@ -214,12 +201,6 @@
         <version>${datastaxVersion}</version>
       </dependency>
 
-      <dependency>
-        <groupId>org.apache.httpcomponents</groupId>
-        <artifactId>httpclient</artifactId>
-        <version>${httpclientVersion}</version>
-      </dependency>
-
       <dependency>
         <groupId>com.google.code.findbugs</groupId>
         <artifactId>jsr305</artifactId>
@@ -263,14 +244,9 @@
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
     </dependency>
-    <dependency>
-      <groupId>commons-lang</groupId>
-      <artifactId>commons-lang</artifactId>
-    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
-      <version>3.12.0</version>
     </dependency>
     <dependency>
       <groupId>commons-codec</groupId>
diff --git a/trace/core/src/main/java/org/commonjava/o11yphant/trace/impl/EnvSpanFieldsInjector.java b/trace/core/src/main/java/org/commonjava/o11yphant/trace/impl/EnvSpanFieldsInjector.java
index a5086f56..62b71241 100644
--- a/trace/core/src/main/java/org/commonjava/o11yphant/trace/impl/EnvSpanFieldsInjector.java
+++ b/trace/core/src/main/java/org/commonjava/o11yphant/trace/impl/EnvSpanFieldsInjector.java
@@ -15,7 +15,7 @@
  */
 package org.commonjava.o11yphant.trace.impl;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.commonjava.o11yphant.trace.TracerConfiguration;
 import org.commonjava.o11yphant.trace.spi.SpanFieldsInjector;
 import org.commonjava.o11yphant.trace.spi.adapter.SpanAdapter;

From 72a0f480ad9a62f5cf48b72f7190f27703c5c131 Mon Sep 17 00:00:00 2001
From: Nick Cross <ncross@redhat.com>
Date: Mon, 20 Oct 2025 12:54:35 +0100
Subject: [PATCH 2/2] Update cassandra and avoid vulnerable versions

---
 pom.xml            | 25 +++++++++++++++++++++----
 trace/core/pom.xml | 10 +++++++++-
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/pom.xml b/pom.xml
index 8852f1d0..d1218f96 100644
--- a/pom.xml
+++ b/pom.xml
@@ -57,16 +57,23 @@
     <prometheusVersion>0.16.0</prometheusVersion>
     <undertowVersion>2.2.38.Final</undertowVersion>
     <agroalVersion>1.16</agroalVersion>
-    <datastaxVersion>3.11.5</datastaxVersion>
+    <cassandraVersion>3.12.1</cassandraVersion>
     <jhttpcVersion>1.16</jhttpcVersion>
   </properties>
 
   <dependencyManagement>
     <dependencies>
+      <!-- Managing vulnerable versions of netty from cassandra to avoid CVE -->
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-handler</artifactId>
+        <version>4.1.118.Final</version>
+      </dependency>
+
       <dependency>
         <groupId>org.commonjava.boms</groupId>
         <artifactId>web-commons-bom</artifactId>
-        <version>30</version>
+        <version>31</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
@@ -196,9 +203,19 @@
       </dependency>
 
       <dependency>
-        <groupId>com.datastax.cassandra</groupId>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-handler</artifactId>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.cassandra</groupId>
         <artifactId>cassandra-driver-core</artifactId>
-        <version>${datastaxVersion}</version>
+        <version>${cassandraVersion}</version>
+          <exclusions>
+              <exclusion>
+                  <groupId>io.netty</groupId>
+                  <artifactId>netty-handler</artifactId>
+              </exclusion>
+          </exclusions>
       </dependency>
 
       <dependency>
diff --git a/trace/core/pom.xml b/trace/core/pom.xml
index 9d7b2057..0d7082c3 100644
--- a/trace/core/pom.xml
+++ b/trace/core/pom.xml
@@ -30,6 +30,14 @@
   <name>o11yphant :: Tracers :: Core</name>
 
   <dependencies>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-handler</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.commonjava.util</groupId>
       <artifactId>o11yphant-trace-api</artifactId>
@@ -47,7 +55,7 @@
       <artifactId>agroal-api</artifactId>
     </dependency>
     <dependency>
-      <groupId>com.datastax.cassandra</groupId>
+      <groupId>org.apache.cassandra</groupId>
       <artifactId>cassandra-driver-core</artifactId>
     </dependency>
   </dependencies>