
Address Netty CVEs by bumping AWS SDK and excluding micronaut-core-bom from test classpath #7100

Merged
pditommaso merged 8 commits into master from fix-security-issues-2605 on May 7, 2026

Conversation

jorgee (Contributor) commented May 5, 2026

Summary

Address two HIGH-severity Dependabot alerts on transitively-pulled Netty:

Rather than pinning Netty versions explicitly, this PR fixes the root causes of how the vulnerable Netty was reaching Nextflow:

  1. Bump AWS SDK in nf-amazon (2.33.2 → 2.44.3) and nf-codecommit (2.31.64 → 2.44.3). This SDK version already pulls patched Netty 4.1.133.Final natively in its POMs.
     Bump the Azure SDK in nf-azure (azure-storage-blob 12.33.2 → 12.33.3, azure-identity 1.18.2 → 1.18.3). The newer SDKs already pull patched Netty 4.1.132.Final natively in their POMs.
  2. Exclude io.micronaut:micronaut-core-bom from testRuntimeClasspath in the three plugins. That BOM (transitively reached through testImplementation project(':nextflow') → npr-api → micronaut-serde-api) was declaring a constraint forcing Netty to 4.2.5.Final on the test classpath only, overriding whatever the AWS / Azure SDKs ship and re-introducing the vulnerable line. The exclusion lets the test classpath inherit the same Netty as runtime.
  3. nf-tower: bumped WireMock 3.13.1 → 3.13.2 (latest patch; ships Jetty 11.0.26).

Why this is better than version pinning

  • No magic version numbers in the build files. The Netty version simply tracks whatever the AWS / Azure SDKs ship. Future SDK bumps automatically pick up new Netty patches without any manual intervention.
  • Consistent runtime/test classpaths. Without the BOM exclusion, the test classpath would pin Netty to a different version than runtime — masking real ABI issues. With the exclusion, both classpaths resolve to the same Netty.
  • Smaller diff, less to maintain. A single testRuntimeClasspath.exclude per plugin replaces a five-line constraints { strictly … } block.

Other changes

  • plugins/nf-amazon/src/main/nextflow/cloud/aws/nio/S3Client.java: explicit import java.nio.file.AccessDeniedException; added. AWS SDK 2.42.41 introduces software.amazon.awssdk.services.s3.model.AccessDeniedException; the wildcard imports for both packages now collide, so an explicit import is required to disambiguate to the JDK type.

Verification

./gradlew :plugins:nf-amazon:dependencies --configuration runtimeClasspath \
  | grep io.netty:netty-codec-http
# 4.1.132.Final natively (no version arrows)

./gradlew :plugins:nf-amazon:dependencies --configuration testRuntimeClasspath \
  | grep io.netty:netty-codec-http
# 4.1.132.Final, no 4.2.x anywhere

./gradlew :plugins:nf-amazon:test :plugins:nf-azure:test :plugins:nf-codecommit:test \
  --rerun-tasks
# BUILD SUCCESSFUL

Same checks pass for nf-azure and nf-codecommit.

Remaining Dependabot alerts (no code fix available)

To be dismissed via the GitHub UI / gh api — not reachable from any published Nextflow artifact:

  • #165, #152 (jetty-http): test-only via WireMock; upstream Jetty 11.0.28 patch not yet published on Maven Central.
  • #161 (plexus-utils): build-script-only (dependency from shadow-gradle-plugin); verified absent from every resolved classpath in every module/plugin × every configuration.
  • #162, #163, #164 (log4j-core): build-script-only; dependency from shadow-gradle-plugin.

Test plan

  • ./gradlew :plugins:nf-amazon:test :plugins:nf-azure:test :plugins:nf-codecommit:test --rerun-tasks — all pass
  • :dependencies --configuration {runtime,test}Classpath shows Netty resolves to 4.1.132.Final cleanly across all three plugins
  • CI pipeline (incl. e2e if applicable)

🤖 Generated with Claude Code

Signed-off-by: jorgee <jorge.ejarque@seqera.io>
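The consistency check behind the Verification section, as an added example that is not part of the PR or of the Nextflow build: a small Python script that parses `gradle dependencies` tree output, reports every `->` version override (the "version arrows" the PR looks for) and every module that resolves to a different Netty on the test classpath than on the runtime classpath, which is exactly the drift the micronaut-core-bom constraint introduced. The sample trees are constructed, and the micronaut-core-bom version in them is a placeholder.

```python
import re
from typing import Dict, Tuple

# One dependency line of `gradle dependencies` output, e.g.
#   |    +--- io.netty:netty-codec-http:4.1.133.Final -> 4.2.5.Final (*)
# A "-> X" arrow is Gradle's marker that the declared version was overridden
# by a constraint (such as one imported from a BOM) or by conflict resolution.
DEP_RE = re.compile(r"[+\\]---\s+(?P<group>[^:\s]+):(?P<module>[^:\s]+):"
                    r"(?P<declared>\S+)(?:\s+->\s+(?P<resolved>\S+))?")

def _entries(tree: str, group: str):
    for line in tree.splitlines():
        m = DEP_RE.search(line)
        if m and m.group("group") == group:
            yield m.group("module"), m.group("declared"), m.group("resolved")

def resolved_versions(tree: str, group: str = "io.netty") -> Dict[str, str]:
    """module -> version actually resolved (arrow target if present, else declared)."""
    return {mod: res or dec for mod, dec, res in _entries(tree, group)}

def overridden(tree: str, group: str = "io.netty") -> Dict[str, Tuple[str, str]]:
    """Modules rewritten by an arrow: module -> (declared, resolved)."""
    return {mod: (dec, res) for mod, dec, res in _entries(tree, group) if res}

def classpath_drift(runtime_tree: str, test_tree: str,
                    group: str = "io.netty") -> Dict[str, Tuple[str, str]]:
    """Modules resolving differently on the two classpaths: module -> (runtime, test)."""
    rt, ts = resolved_versions(runtime_tree, group), resolved_versions(test_tree, group)
    return {m: (rt[m], ts[m]) for m in sorted(rt.keys() & ts.keys()) if rt[m] != ts[m]}

# Constructed sample trees (not captured from the Nextflow build); the
# micronaut-core-bom version is a placeholder.
RUNTIME = """\
+--- software.amazon.awssdk:s3:2.44.3
|    \\--- software.amazon.awssdk:netty-nio-client:2.44.3
|         \\--- io.netty:netty-codec-http:4.1.133.Final
"""
TEST_WITH_BOM = RUNTIME.replace("4.1.133.Final", "4.1.133.Final -> 4.2.5.Final") + """\
\\--- project :nextflow
     \\--- io.micronaut:micronaut-core-bom:X.Y.Z
          \\--- io.netty:netty-codec-http:4.2.5.Final (c)
"""
TEST_AFTER_EXCLUSION = RUNTIME  # with the BOM excluded, the test tree matches runtime

if __name__ == "__main__":
    print("drift before:", classpath_drift(RUNTIME, TEST_WITH_BOM))
    print("overrides before:", overridden(TEST_WITH_BOM))
    print("drift after:", classpath_drift(RUNTIME, TEST_AFTER_EXCLUSION))
```

Feed it the real output of `./gradlew :plugins:nf-amazon:dependencies --configuration runtimeClasspath` and the `testRuntimeClasspath` counterpart; an empty drift map and an empty override map are the pass condition.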
netlify bot commented May 5, 2026

Deploy Preview for nextflow-docs-staging canceled.

Latest commit: 790c9e1
Latest deploy log: https://app.netlify.com/projects/nextflow-docs-staging/deploys/69fc71463f1ac5000879051b

@jorgee jorgee changed the title Pin Netty 4.1.132.Final to address transitive HTTP-smuggling and HTTP/2 DoS CVEs Address Netty CVEs by bumping AWS SDK and excluding micronaut-core-bom from test classpath May 5, 2026
pditommaso (Member) left a comment

Well done

jorgee and others added 2 commits May 6, 2026 09:36
jorgee (Contributor, Author) commented May 7, 2026

Solved conflicts with master by bumping AWS to 2.44.3, which includes Netty 4.1.133.Final in its POMs. Azure does not have a version with the latest patched Netty version yet. However, the Azure bump updates to 4.1.132.Final, which fixes some Netty issues.

@pditommaso pditommaso merged commit f540396 into master May 7, 2026
24 checks passed
@pditommaso pditommaso deleted the fix-security-issues-2605 branch May 7, 2026 12:26