Conversation


@Archiit19 Archiit19 commented Aug 27, 2025

Description

Bump vulnerable dependencies to the fixed versions.

Related Issues

Resolves #19148

Check List

  • [ ] Functionality includes testing.
  • [ ] API changes companion pull request created, if applicable.
  • [ ] Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@Archiit19 Archiit19 requested review from a team, cwperks and peternied as code owners August 27, 2025 06:51
@github-actions
Contributor

❌ Gradle check result for c1430e4: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@Archiit19 Archiit19 force-pushed the backport/bump-vuln-deps-2.19 branch 3 times, most recently from 5b04548 to 2a079dd, August 30, 2025 11:09
@github-actions
Contributor

❌ Gradle check result for 2a079dd: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@Archiit19 Archiit19 force-pushed the backport/bump-vuln-deps-2.19 branch from 2a079dd to 7e054a2, August 30, 2025 11:16
@Archiit19
Author

@cwperks @peternied the vulnerable versions are already updated in the main branch and these are not updated in the 2.19 branch; that's why I have created the backport branch directly to 2.19.
Please suggest if I am missing something, and please help me with the correct labels if any need to be added to the PR.

@github-actions
Contributor

❌ Gradle check result for 7e054a2: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@opensearch-trigger-bot
Contributor

This PR is stalled because it has been open for 30 days with no activity.

@opensearch-trigger-bot opensearch-trigger-bot bot added the stalled Issues that have stalled label Sep 29, 2025
@dbwiddis
Member

@Archiit19 Thank you for submitting this. Sorry for the delay taking action until now. I'll take this over and push it through to completion.

@dbwiddis dbwiddis force-pushed the backport/bump-vuln-deps-2.19 branch from 7e054a2 to b1e32df, October 11, 2025 19:30
@dbwiddis dbwiddis removed the stalled Issues that have stalled label Oct 11, 2025
@github-actions
Contributor

❌ Gradle check result for b1e32df: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions
Contributor

❌ Gradle check result for b1e32df: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions
Contributor

❌ Gradle check result for b1e32df: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@dbwiddis
Member

Tests have failed twice now on org.opensearch.plugins.InstallPluginCommandTests.classMethod

Given that bouncycastle is in this PR, there may be some additional change needed.

com.carrotsearch.randomizedtesting.ThreadLeakError: 2 threads leaked from SUITE scope at org.opensearch.plugins.InstallPluginCommandTests: 
   1) Thread[id=71, name=BC Cleanup Executor, state=WAITING, group=TGRP-InstallPluginCommandTests]
        at java.base/jdk.internal.misc.Unsafe.park(Native Method)
        at java.base/java.util.concurrent.locks.LockSupport.park(LockSupport.java:371)
        at java.base/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionNode.block(AbstractQueuedSynchronizer.java:519)
        at java.base/java.util.concurrent.ForkJoinPool.unmanagedBlock(ForkJoinPool.java:3780)
        at java.base/java.util.concurrent.ForkJoinPool.managedBlock(ForkJoinPool.java:3725)
        at java.base/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:1712)
        at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1170)
        at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:899)
        at java.base/java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1070)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
        at java.base/java.lang.Thread.run(Thread.java:1583)
   2) Thread[id=65, name=BC Disposal Daemon, state=WAITING, group=TGRP-InstallPluginCommandTests]
        at java.base/jdk.internal.misc.Unsafe.park(Native Method)
        at java.base/java.util.concurrent.locks.LockSupport.park(LockSupport.java:371)
        at java.base/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionNode.block(AbstractQueuedSynchronizer.java:519)
        at java.base/java.util.concurrent.ForkJoinPool.unmanagedBlock(ForkJoinPool.java:3780)
        at java.base/java.util.concurrent.ForkJoinPool.managedBlock(ForkJoinPool.java:3725)
        at java.base/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:1712)
        at java.base/java.lang.ref.ReferenceQueue.await(ReferenceQueue.java:67)
        at java.base/java.lang.ref.ReferenceQueue.remove0(ReferenceQueue.java:158)
        at java.base/java.lang.ref.ReferenceQueue.remove(ReferenceQueue.java:234)
        at org.bouncycastle.crypto.util.dispose.DisposalDaemon.run(Unknown Source)
        at java.base/java.lang.Thread.run(Thread.java:1583)
	at __randomizedtesting.SeedInfo.seed([DE34685E588E1DF5]:0)

@dbwiddis
Member

Probably related to the default 5 second delay for cleanup, introduced in 2.1.0.

See #19238 (CC: @cwperks)

@dbwiddis dbwiddis force-pushed the backport/bump-vuln-deps-2.19 branch from 2f8177b to f904953, October 11, 2025 23:34
@github-actions
Contributor

❌ Gradle check result for f904953: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@dbwiddis dbwiddis force-pushed the backport/bump-vuln-deps-2.19 branch from f904953 to cf923b9, October 11, 2025 23:46
@github-actions
Contributor

❌ Gradle check result for cf923b9: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@dbwiddis dbwiddis force-pushed the backport/bump-vuln-deps-2.19 branch from cf923b9 to 024b994, October 12, 2025 00:47
@github-actions
Contributor

❌ Gradle check result for 024b994: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@dbwiddis
Member

The setting only prevents one of the two cleanup threads from starting; the other one always runs. Porting over the workaround from #19222...
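The leak report earlier in this thread names two BouncyCastle-owned threads ("BC Cleanup Executor" and "BC Disposal Daemon") that the randomizedtesting thread-leak checker flags at the end of the suite. The usual way to tell the checker that a library daemon is expected rather than a test bug is a ThreadFilter attached to the affected suite. The code below is an added illustration of that mechanism, not the workaround ported in this PR or any code from the OpenSearch repository; the filter class and the test class name are hypothetical, and only the two thread names come from the report above.

```java
// Added example, not code from the PR. Uses the public randomizedtesting API:
// ThreadFilter.reject(Thread) returns true for threads the leak checker should
// ignore, and @ThreadLeakFilters attaches such filters to a test class.
import com.carrotsearch.randomizedtesting.ThreadFilter;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;

// Hypothetical filter name. It matches only the two daemons named in the
// leak report so that genuine leaks from test code are still reported.
public final class BouncyCastleDaemonThreadFilter implements ThreadFilter {
    private static final String CLEANUP_EXECUTOR = "BC Cleanup Executor";
    private static final String DISPOSAL_DAEMON = "BC Disposal Daemon";

    @Override
    public boolean reject(Thread t) {
        String name = t.getName();
        if (name == null) {
            return false; // unnamed threads are never silently accepted
        }
        // Exact-name match on purpose: a prefix match such as "BC " would
        // hide unrelated leaks that merely share a naming convention.
        return CLEANUP_EXECUTOR.equals(name) || DISPOSAL_DAEMON.equals(name);
    }
}

// Hypothetical suite showing how the filter is attached. The annotation is
// scoped to this class only; applying it to a shared base class would
// suppress the check across every suite that inherits from it.
@ThreadLeakFilters(filters = { BouncyCastleDaemonThreadFilter.class })
class ExamplePluginCommandTests {
    // test methods that exercise code paths which load the BC provider
}
```

The narrow, per-suite scope is the point: a leak filter is a statement that a specific background thread is owned by a dependency and will outlive the suite by design, so it should name exactly those threads and live on exactly the suites that trigger them. A broad filter, or one on a shared base test class, turns the thread-leak check from a detector of real resource leaks into a no-op.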

@github-actions
Contributor

❌ Gradle check result for f017ef0: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@github-actions
Contributor

✅ Gradle check result for f017ef0: SUCCESS

@codecov

codecov bot commented Oct 12, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.08%. Comparing base (7caafaf) to head (f017ef0).
⚠️ Report is 4 commits behind head on 2.19.

Additional details and impacted files
@@             Coverage Diff              @@
##               2.19   #19155      +/-   ##
============================================
+ Coverage     72.02%   72.08%   +0.05%     
- Complexity    66027    66060      +33     
============================================
  Files          5341     5341              
  Lines        307273   307273              
  Branches      44845    44845              
============================================
+ Hits         221320   221494     +174     
+ Misses        67537    67327     -210     
- Partials      18416    18452      +36     

@dbwiddis dbwiddis merged commit 50914fd into opensearch-project:2.19 Oct 12, 2025
45 of 47 checks passed
@Archiit19
Author

Thanks a lot @dbwiddis, I have closed the related GitHub issue as well.

sokdak pushed a commit to sokdak/OpenSearch that referenced this pull request Oct 15, 2025
…pensearch-project#19155)

* fix: security: bump commons-lang3, bcprov-jdk18on, bouncycastle

Signed-off-by: Archit Goyal <[email protected]>

* Update SHAs

Signed-off-by: Daniel Widdis <[email protected]>

* Bump bc-fips to 2.1.2 and set cleanup delay to 0 to fix tests

Signed-off-by: Daniel Widdis <[email protected]>

* Suppress Thread Leak warning on BouncyCastle daemon

Signed-off-by: Daniel Widdis <[email protected]>

---------

Signed-off-by: Archit Goyal <[email protected]>
Signed-off-by: Daniel Widdis <[email protected]>
Co-authored-by: Daniel Widdis <[email protected]>