Build: Bump Netty pin to 4.2.15.Final for Trivy fixes #16749
Conversation
Thanks @nssalian for the change and @stevenzwu for the review
wombatu-kun
left a comment
Verified the resolution mechanism rather than just the version string, since the pin is named netty-buffer while the flagged CVEs are in netty-handler / netty-resolver-dns.
The netty-buffer toml value is the forced version for the whole io.netty family through the eachDependency rule (details.useVersion(libs.versions.netty.buffer.get())), not only the netty-buffer artifact. The CVE-bearing artifacts come in transitively (AWS/Azure SDK, kafka-connect, open-api fixtures) and resolve at 4.2.14.Final per the Trivy output.
The load-bearing part here is the prefix extension, not the bump. Before this change the rule only matched version.startsWith('4.1.'), so the bundles' 4.2.14 requests were never caught and a toml-only bump to 4.2.15.Final would have left them at 4.2.14. Adding the 4.2. branch is what makes the force actually apply, so both halves of the change are needed.
LGTM, +1 (non-binding).
Thanks for fixing this, @nssalian. We might want to reconsider blocking PRs on CVE scan: iceberg/.github/workflows/cve-scan.yml, line 155 in 8d0aab7. The scan was originally added to prevent PRs from introducing new dependencies with active CVEs. But with the current behavior, if a new CVE is reported for an existing dependency, unrelated PRs can start failing as well. It might be better to make PR scans informational too, as long as the findings are surfaced clearly on the PR. That way, reviewers can distinguish between CVEs on existing dependencies and PRs that introduce new dependencies with active CVEs.
Summary
Bumps Netty pin 4.2.14.Final -> 4.2.15.Final and extends the existing eachDependency rule to also align 4.2.x transitive requests. Fixes 4 high CVEs flagged by Trivy on aws-bundle, azure-bundle, kafka-connect-runtime, and open-api-test-fixtures-runtime. Example run: all four fixed in 4.2.15.Final.
Changes
gradle/libs.versions.toml: netty-buffer 4.2.14.Final -> 4.2.15.Final
build.gradle: rule now matches 4.1.x OR 4.2.x (was 4.1.x only); CVE list updated.
Local verification
./gradlew :<bundle>:dependencyInsight --dependency io.netty:<module> --configuration <cfg> confirms every netty dep resolves to 4.2.15.Final with "Selected by rule: Fix Netty 4.1.x and 4.2.x CVEs (...)".
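The eachDependency rule that the review comment and the summary above refer to, written out as an added illustrative snippet in Gradle's Groovy DSL (not Iceberg's actual build.gradle): the old 4.1.-only prefix test beside the extended one. The useVersion(libs.versions.netty.buffer.get()) call, the startsWith checks and the "Fix Netty 4.1.x and 4.2.x CVEs (...)" reason come from the page; the configurations.all wrapper, the null-version guard and the use of because() for the reason string are assumptions about how such a rule is typically wired.

```groovy
// Added illustrative example, not Iceberg's build.gradle.
// Assumed wrapper: apply the rule to every resolvable configuration.
configurations.all {
  resolutionStrategy.eachDependency { details ->
    def requested = details.requested
    // Only io.netty artifacts are subject to the force. requested.version
    // is nullable in Gradle's API (assumption: guard it before startsWith).
    if (requested.group != 'io.netty' || requested.version == null) {
      return
    }

    // BEFORE: only 4.1.x requests were caught. A transitive request for
    // 4.2.14.Final (AWS/Azure SDK, kafka-connect, open-api fixtures) never
    // matched, so bumping the toml pin alone would have left it at 4.2.14.
    // boolean matches = requested.version.startsWith('4.1.')

    // AFTER: both the 4.1.x and the 4.2.x branches are aligned to the pin.
    boolean matches = requested.version.startsWith('4.1.')
        || requested.version.startsWith('4.2.')

    if (matches) {
      // The netty-buffer value in gradle/libs.versions.toml is the forced
      // version for the whole io.netty family, not just netty-buffer.
      details.useVersion(libs.versions.netty.buffer.get())
      // Reason string surfaced by dependencyInsight as "Selected by rule";
      // the CVE list in parentheses is elided, as on the page.
      details.because('Fix Netty 4.1.x and 4.2.x CVEs (...)')
    }
  }
}
```

After the change, the dependencyInsight command from the description is the check: any io.netty module still resolving to 4.2.14.Final means its requested version fell outside both prefix branches.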