[fix][sec] Added Exclusions for tomcat-embed-core and derby and override mina-core to remediate CVEs

[guptas6est]

Motivation

This PR addresses multiple CVEs detected in transitive dependencies used in the Pulsar IO module flume.
The affected libraries are Apache Tomcat Embed Core, Apache MINA and Apache Derby, which were introducing vulnerabilities through indirect dependencies.

Vulnerabilities remediated include:

Apache Tomcat Embed Core

• CVE-2020-1938 – AJP File Read/Inclusion Vulnerability
• CVE-2019-12418 – Local Privilege Escalation
• CVE-2019-17563 – Session Fixation in FORM Authentication
• CVE-2021-25122 – Request Mix-up with h2c
• CVE-2021-25329 – Incomplete fix for CVE-2020-9484 (RCE via Session Persistence)
• CVE-2022-42252 – Request Smuggling
• CVE-2023-46589 – HTTP Request Smuggling via Malformed Trailer Headers
• CVE-2024-34750 – Improper Handling of Exceptional Conditions
• CVE-2024-50379 – RCE due to TOCTOU Issue in JSP Compilation
• CVE-2025-24813 – Potential RCE / Information Disclosure via Partial PUT Handling
• CVE-2025-31650 – DoS via Malformed HTTP/2 PRIORITY_UPDATE Frame
• CVE-2025-31651 – Rewrite Valve Rule Bypass
• CVE-2025-46701 – Security Constraint Bypass for CGI Scripts
• CVE-2025-48988 – DoS in Multipart Upload Handling
• CVE-2025-49125 – Security Constraint Bypass for Pre/Post Resources
• CVE-2024-24549 – HTTP/2 Header Handling DoS
• CVE-2023-41080 – Open Redirect Vulnerability in FORM Authentication
• CVE-2023-42795 – Information Leak via Recycled Object Handling
• CVE-2021-24122 – Information Disclosure on NTFS File Systems
• CVE-2024-21733 – Request Body Leakage in Default Error Page
• CVE-2023-44487 – HTTP/2 DDoS Attack (Rapid Reset)
• CVE-2023-45648 – HTTP Trailer Header Parsing Request Smuggling
• CVE-2020-1935 – Mishandling of Transfer-Encoding header → HTTP request smuggling

Apache MINA

• CVE-2024-52046 – Unbounded Deserialization Remote Code Execution

Apache Derby

• CVE-2022-46337 – LDAP Authentication Bypass

Modifications

Added exclusions for vulnerable transitive dependencies in:

• pulsar-io/flume/pom.xml → Excluded tomcat-embed-core and derby and override mina-core

Verifying this change

• Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

• Added integration tests for end-to-end deployment with large payloads (10MB)
• Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

• Dependencies (add or upgrade a dependency)
• The public API
• The schema
• The default values of configurations
• The threading model
• The binary protocol
• The REST endpoints
• The admin CLI options
• The metrics
• Anything that affects deployment

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

Matching PR in forked repository

PR in forked repository: Nordix#10
(See the second-last commit for the GitHub Actions results.)

[lhotari]

Thanks for the PR and putting effort in resolving CVEs, @guptas6est.

One challenge is that the tests for Pulsar IO Flume connector don't currently contain end-to-end tests and only use an in-memory channel solution. Since Apache Flume isn't maintained anymore ("This project is not maintained anymore!" at https://flume.apache.org/, I think that this is a sufficient solution. There's no need to add additional tests.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.22%. Comparing base (c4f125c) to head (a9f10a9).
⚠️ Report is 24 commits behind head on master.

Additional details and impacted files

@@              Coverage Diff              @@
##             master   #24949       +/-   ##
=============================================
+ Coverage     38.77%   74.22%   +35.45%     
- Complexity    13380    33888    +20508     
=============================================
  Files          1856     1913       +57     
  Lines        145342   149505     +4163     
  Branches      16886    17372      +486     
=============================================
+ Hits          56353   110975    +54622     
+ Misses        81459    29671    -51788     
- Partials       7530     8859     +1329     

Flag	Coverage Δ
inttests	26.44% <ø> (+0.03%)	⬆️
systests	22.70% <ø> (-0.15%)	⬇️
unittests	73.75% <ø> (+38.75%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1411 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lhotari]

Removing Flume connector in #25079