fix: issue-19148 - bump commons-lang3, bcprov-jdk18on, bouncycastle (#19155)

* fix: security: bump commons-lang3, bcprov-jdk18on, bouncycastle

Signed-off-by: Archit Goyal <engg.archit19@gmail.com>

* Update SHAs

Signed-off-by: Daniel Widdis <widdis@gmail.com>

* Bump bc-fips to 2.1.2 and set cleanup delay to 0 to fix tests

Signed-off-by: Daniel Widdis <widdis@gmail.com>

* Suppress Thread Leak warning on BouncyCastle daemon

Signed-off-by: Daniel Widdis <widdis@gmail.com>

---------

Signed-off-by: Archit Goyal <engg.archit19@gmail.com>
Signed-off-by: Daniel Widdis <widdis@gmail.com>
Co-authored-by: Daniel Widdis <widdis@gmail.com>

Author: Archiit19

CHANGELOG.md

@@ -12,6 +12,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump Apache Lucene to 9.12.3 ([#19444](https://github.com/opensearch-project/OpenSearch/pull/19444))
 - Bump `commons-beanutils:commons-beanutils` from 1.9.4 to 1.11.0 ([#18401](https://github.com/opensearch-project/OpenSearch/issues/18401))
 - Bump `org.apache.poi` version from 5.2.5 to 5.4.1 in /plugins/ingest-attachment ([#17887](https://github.com/opensearch-project/OpenSearch/pull/17887))
+- Bump `org.bouncycastle:bc-fips` from 2.0.0 to 2.1.2 ([#19155](https://github.com/opensearch-project/OpenSearch/pull/19155))
+- Bump `org.apache.commons:commons-lang3` from 3.14.0 to 3.18.0 ([#19155](https://github.com/opensearch-project/OpenSearch/pull/19155))
+- Bump `org.bouncycastle:bcprov-jdk18on` from 1.78 to 1.79 ([#19155](https://github.com/opensearch-project/OpenSearch/pull/19155))
+- Bump `org.bouncycastle:bcmail-jdk18on` from 1.78 to 1.79 ([#19155](https://github.com/opensearch-project/OpenSearch/pull/19155))
+- Bump `org.bouncycastle:bcpkix-jdk18on` from 1.78 to 1.79 ([#19155](https://github.com/opensearch-project/OpenSearch/pull/19155))
 - Bump `org.apache.tika` from 2.9.2 to 3.2.2 ([#19242](https://github.com/opensearch-project/OpenSearch/pull/19242))
 - Bump `org.apache.commons:commons-compress` from 1.26.1 to 1.28.0 ([#19125](https://github.com/opensearch-project/OpenSearch/pull/19242))
 - Bump `org.apache.commons:commonscodec` from 1.16.1 to 1.18.0 ([#19125](https://github.com/opensearch-project/OpenSearch/pull/19242))

build.gradle

@@ -425,6 +425,10 @@ gradle.projectsEvaluated {
 
     project.tasks.withType(Test) { task ->
       if (task != null) {
+        // BouncyCastle introduced cleanup daemon with 5-second delay giving thread leak failures
+        // See https://github.com/opensearch-project/OpenSearch/issues/19238
+        task.systemProperty('org.bouncycastle.native.cleanup_delay', '0')
+
         if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17) {
           task.jvmArgs += ["-Djava.security.manager=allow"]
         }

distribution/tools/plugin-cli/build.gradle

@@ -38,7 +38,7 @@ dependencies {
   compileOnly project(":server")
   compileOnly project(":libs:opensearch-cli")
   api "org.bouncycastle:bcpg-fips:2.0.9"
-  api "org.bouncycastle:bc-fips:2.0.0"
+  api "org.bouncycastle:bc-fips:2.1.2"
   testImplementation project(":test:framework")
   testImplementation 'com.google.jimfs:jimfs:1.3.0'
   testRuntimeOnly("com.google.guava:guava:${versions.guava}") {

distribution/tools/plugin-cli/licenses/bc-fips-2.0.0.jar.sha1

@@ -0,0 +1 @@
+061fbe8383f70489dda95a11a2a4739eb818ff2c

distribution/tools/plugin-cli/licenses/bc-fips-2.1.2.jar.sha1

@@ -33,6 +33,7 @@
 package org.opensearch.plugins;
 
 import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
 
 import com.google.common.jimfs.Configuration;
 import com.google.common.jimfs.Jimfs;
@@ -71,6 +72,7 @@
 import org.opensearch.env.Environment;
 import org.opensearch.env.TestEnvironment;
 import org.opensearch.semver.SemverRange;
+import org.opensearch.test.BouncyCastleThreadFilter;
 import org.opensearch.test.OpenSearchTestCase;
 import org.opensearch.test.PosixPermissionsResetter;
 import org.opensearch.test.VersionUtils;
@@ -134,6 +136,7 @@
 import static org.hamcrest.Matchers.startsWith;
 
 @LuceneTestCase.SuppressFileSystems("*")
+@ThreadLeakFilters(filters = BouncyCastleThreadFilter.class)
 public class InstallPluginCommandTests extends OpenSearchTestCase {
 
     private InstallPluginCommand skipJarHellCommand;

distribution/tools/plugin-cli/src/test/java/org/opensearch/plugins/InstallPluginCommandTests.java

@@ -76,7 +76,7 @@ dependencies {
   api "org.apache.commons:commons-compress:${versions.commonscompress}"
   api 'org.apache.commons:commons-configuration2:2.11.0'
   api "commons-io:commons-io:${versions.commonsio}"
-  api 'org.apache.commons:commons-lang3:3.17.0'
+  api 'org.apache.commons:commons-lang3:3.18.0'
   implementation 'com.google.re2j:re2j:1.8'
   api 'javax.servlet:servlet-api:2.5'
   api "org.slf4j:slf4j-api:${versions.slf4j}"

plugins/repository-hdfs/build.gradle

@@ -0,0 +1 @@
+fb14946f0e39748a6571de0635acbe44e7885491

plugins/repository-hdfs/licenses/commons-lang3-3.17.0.jar.sha1

@@ -0,0 +1,23 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.test;
+
+import com.carrotsearch.randomizedtesting.ThreadFilter;
+
+/**
+ * ThreadFilter to exclude ThreadLeak checks for BC’s global background threads
+ */
+public class BouncyCastleThreadFilter implements ThreadFilter {
+    @Override
+    public boolean reject(Thread t) {
+        String n = t.getName();
+        // Ignore BC’s global background threads
+        return "BC Disposal Daemon".equals(n) || "BC Cleanup Executor".equals(n);
+    }
+}