[Sec] Pulsar-client's commons-collections:commons-collections is flagged as vulnerable to sonatype-2024-3350 with a high CVSS score #24817

@ZachChuba

Description

Search before reporting

  • I searched in the issues and found nothing similar.

Read release policy

  • I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

User environment

Pulsar-Client version [4.0.6,4.1.+]

Issue Description

pulsar-client shades in commons-collections:commons-collections 3.2.2, which is vulnerable to the sonatype-2024-3350 DoS attack. bookkeeper 4.17.2 introduces this dependency by shading in commons-beanutils 1.11.0. Exploitability on Pulsar appears non-existent, but this is coming up in enterprise security scan reports and becomes a headache for organizations with low risk tolerance.

Error messages


Reproducing the issue

Classpath analysis

Additional information

No response

Are you willing to submit a PR?

  • I'm willing to submit a PR!
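For the "classpath analysis" reproduction step, the following added example (not Pulsar's or BookKeeper's own code) inspects a client jar the way a dependency scanner does: it reads the retained `META-INF/maven/commons-collections/commons-collections/pom.properties` for the version and locates where the `org.apache.commons.collections` classes were relocated to. The `org/apache/pulsar/shade/` relocation prefix and the sample jar contents are assumptions constructed for the demo.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Coordinates and version named in the report above.
GROUP, ARTIFACT, FLAGGED_VERSION = "commons-collections", "commons-collections", "3.2.2"
POM_PROPS = f"META-INF/maven/{GROUP}/{ARTIFACT}/pom.properties"
PACKAGE_DIR = "org/apache/commons/collections/"  # commons-collections 3.x package


@dataclass
class ShadeReport:
    version: Optional[str] = None  # from pom.properties, if shading kept it
    class_prefixes: Set[str] = field(default_factory=set)  # relocation prefixes seen

    @property
    def flagged(self) -> bool:
        # Scanners key on the retained pom.properties; a 3.2.2 entry reproduces the finding.
        return self.version == FLAGGED_VERSION


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties parser: '#' comments, key=value lines."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def inspect_jar(jar_bytes: bytes) -> ShadeReport:
    """Scan a jar (a zip file) for a shaded commons-collections artifact."""
    report = ShadeReport()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(POM_PROPS):  # also matches a relocated META-INF path
                report.version = parse_properties(jar.read(name).decode("utf-8")).get("version")
            elif name.endswith(".class") and PACKAGE_DIR in name:
                report.class_prefixes.add(name.split(PACKAGE_DIR, 1)[0])
    return report


def build_sample_jar(version: Optional[str]) -> bytes:
    """Constructed stand-in for a pulsar-client jar; the shade prefix is assumed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/pulsar/client/api/PulsarClient.class", b"")
        if version:  # None builds a jar with no commons-collections at all
            jar.writestr(POM_PROPS, f"#Generated by Maven\nversion={version}\n"
                                    f"groupId={GROUP}\nartifactId={ARTIFACT}\n")
            jar.writestr("org/apache/pulsar/shade/" + PACKAGE_DIR + "map/LRUMap.class", b"")
    return buf.getvalue()
```

Point `inspect_jar` at the bytes of a real pulsar-client-all jar to see which version the scanner is picking up and under which relocation prefix the classes actually live.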

Metadata

Assignees

No one assigned

    Labels

    type/bug (The PR fixed a bug or issue reported a bug)
