[fix][sec] Update reactor-netty-http in Azure Data Explorer connector to remediate CVE-2025-22227

[guptas6est]

Fixes #xyz

Main Issue: #xyz

PIP: #xyz

Motivation

This PR removes the transitive dependency reactor-netty-http from the Azure Data Explorer module.
The module was bringing in io.projectreactor.netty classes that expose the project to CVE-2025-22227, affecting older versions of Reactor Netty through unsafe HTTP handling behavior.

Modifications

Added an exclusion block under the Azure Data Explorer (kusto-ingest) dependency.

Verifying this change

• Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

• Added integration tests for end-to-end deployment with large payloads (10MB)
• Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

• Dependencies (add or upgrade a dependency)
• The public API
• The schema
• The default values of configurations
• The threading model
• The binary protocol
• The REST endpoints
• The admin CLI options
• The metrics
• Anything that affects deployment

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

Matching PR in forked repository

PR in forked repository: Nordix#15

[lhotari]

This PR removes the transitive dependency reactor-netty-http from the Azure Data Explorer module.
The module was bringing in io.projectreactor.netty classes that expose the project to CVE-2025-22227, affecting older versions of Reactor Netty through unsafe HTTP handling behavior.

Removing transitive dependencies could break some functionality. The preferred approach would be to upgrade the dependency that pulls in a dependency (kusto.sdk.version in this case, https://central.sonatype.com/artifact/com.microsoft.azure.kusto/kusto-data/versions).
An alternative approach would be to enforce reactor-netty-http version to a compatible version that includes the fix.

[lhotari]

There's an emulator for Kusto, but unfortunately there's no tests that validate the behavior with the emulator. For TestContainers Java, there's no existing module. For .NET there's a Kusto module.

@asaharn could you please help address this CVE since you were the original contributor of this connector (#22006)?

[lhotari]

I'd recommend upgrading kusto.sdk.version to latest version 7.0.3 instead (versions). Without true integration tests, we don't know if reactor-netty-http 1.2.8 is compatible with the previous dependency.

UPDATE: looks like kusto 7.0.3 doesn't improve the situation.

[INFO] |  +- com.azure:azure-identity:jar:1.13.3:compile
[INFO] |  |  +- com.azure:azure-core-http-netty:jar:1.15.4:compile
[INFO] |  |  |  +- io.netty:netty-codec-http2:jar:4.1.128.Final:compile
[INFO] |  |  |  +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.128.Final:compile
[INFO] |  |  |  |  \- io.netty:netty-transport-classes-kqueue:jar:4.1.128.Final:compile
[INFO] |  |  |  \- io.projectreactor.netty:reactor-netty-http:jar:1.0.45:compile
[INFO] |  |  |     \- io.projectreactor.netty:reactor-netty-core:jar:1.0.45:compile

I guess adding com.azure:azure-identity:1.18.1, com.azure:azure-core-http-netty:1.16.2 and com.azure:azure-core:jar:1.57.0 to dependency management would align different libraries.

Upgrading kusto.sdk.version to 7.0.3 and adding azure-sdk-bom to dependency management of the connector would be a better approach.

<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-sdk-bom</artifactId>
    <version>1.3.2</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>