Add granular JMX metrics and runtime stats tracing for SystemAccessControl operations with automatic integration

.devcontainer/Dockerfile

@@ -0,0 +1,18 @@
+FROM ubuntu:24.04
+
+# Install necessary tools
+RUN apt-get update && apt-get install -y \
+    # Intellij IDEA dev container prerequisites
+	curl \
+	git \
+	unzip \
+    # Java 8 and 17 jdk
+	openjdk-8-jdk \
+    openjdk-17-jdk \
+    # for documentation
+    python3 \
+    python3-pip \
+    python3.12-venv \
+    fonts-freefont-otf \
+    xindy
+

.devcontainer/devcontainer.json

@@ -0,0 +1,6 @@
+{
+    "name": "PrestoDB Dev Container",
+    "build": {
+      "dockerfile": "Dockerfile"
+    }
+}

.github/actions/maven-owasp-scan/action.yml

@@ -0,0 +1,35 @@
+name: 'Maven OWASP Dependency Check Scan'
+description: 'Runs OWASP dependency check Maven scan with consistent settings'
+inputs:
+  working-directory:
+    description: 'Working directory for Maven command'
+    required: false
+    default: '.'
+  owasp-version:
+    description: 'OWASP dependency check plugin version'
+    required: false
+    default: '12.1.3'
+  data-directory:
+    description: 'OWASP data directory path'
+    required: false
+    default: '$HOME/.owasp/dependency-check-data'
+runs:
+  using: 'composite'
+  steps:
+    - name: Run OWASP dependency check
+      working-directory: ${{ inputs.working-directory }}
+      shell: bash
+      run: |
+        mvn org.owasp:dependency-check-maven:${{ inputs.owasp-version }}:aggregate \
+          -DskipTests \
+          -Dformat=JSON \
+          -DprettyPrint=true \
+          -DfailOnError=false \
+          -DossindexAnalyzerEnabled=true \
+          -DnvdApiAnalyzerEnabled=false \
+          -DnodeAnalyzerEnabled=false \
+          -DassemblyAnalyzerEnabled=false \
+          -DcentralAnalyzerEnabled=false \
+          -DnuspecAnalyzerEnabled=false \
+          -DnvdValidForHours=168 \
+          -DdataDirectory=${{ inputs.data-directory }}

.github/workflows/conventional-commit-check.yml

@@ -0,0 +1,41 @@
+name: Semantic Commit Check
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+
+jobs:
+  semantic-pr:
+    concurrency:
+      group: ${{ github.workflow }}-semantic-commit-check-${{ github.event.pull_request.number }}
+      cancel-in-progress: true
+    name: Validate PR Title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@2d952a1bf90a6a7ab8f0293dc86f5fdf9acb1915 # v5.5.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: |
+            feat
+            fix
+            docs
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+            misc
+          requireScope: false
+          subjectPattern: ^[A-Z].*[^.]$
+          subjectPatternError: |
+            The PR title subject must start with a capital letter and not end with a period.

.github/workflows/maven-checks.yml

@@ -23,10 +23,10 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Free Disk Space
-        run: |
-          df -h
-          sudo apt-get clean
-          df -h
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+        with:
+          tool-cache: true
+          swap-storage: false
       - uses: actions/checkout@v4
         with:
           show-progress: false

.github/workflows/owasp-dependency-check.yml

@@ -0,0 +1,152 @@
+name: Maven OWASP Dependency Check
+permissions:
+  contents: read
+on:
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      cvss-threshold:
+        description: 'CVSS score threshold for failing (7.0 = high/critical)'
+        required: false
+        default: '7.0'
+        type: string
+
+jobs:
+  dependency-check:
+    runs-on: ubuntu-latest
+    env:
+      CVSS_THRESHOLD: ${{ github.event.inputs.cvss-threshold || '7.0' }}
+      OWASP_VERSION: '12.1.3'
+    steps:
+      # Checkout PR branch first to get access to the composite action
+      - name: Checkout PR branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Checkout base branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+          path: base
+
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
+          cache: 'maven'
+
+      - name: Get date for cache key
+        id: get-date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Restore OWASP database cache
+        uses: actions/cache/restore@v4
+        id: cache-owasp-restore
+        with:
+          path: ~/.owasp/dependency-check-data
+          key: owasp-cache-${{ runner.os }}-v${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}
+          restore-keys: |
+            owasp-cache-${{ runner.os }}-v${{ env.OWASP_VERSION }}-
+            owasp-cache-${{ runner.os }}-
+
+      - name: Run OWASP check on base branch
+        uses: ./.github/actions/maven-owasp-scan
+        with:
+          working-directory: base
+          owasp-version: ${{ env.OWASP_VERSION }}
+          data-directory: $HOME/.owasp/dependency-check-data
+
+      - name: Save OWASP cache after base scan
+        if: steps.cache-owasp-restore.outputs.cache-hit != 'true'
+        uses: actions/cache/save@v4
+        with:
+          path: ~/.owasp/dependency-check-data
+          key: owasp-cache-${{ runner.os }}-v${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}-partial
+
+      - name: Run OWASP check on PR branch
+        uses: ./.github/actions/maven-owasp-scan
+        with:
+          working-directory: .
+          owasp-version: ${{ env.OWASP_VERSION }}
+          data-directory: $HOME/.owasp/dependency-check-data
+
+      - name: Compare and fail on new CVEs above threshold
+        run: |
+          # Extract CVEs above threshold from both branches (CVSS >= $CVSS_THRESHOLD)
+          threshold="${{ env.CVSS_THRESHOLD }}"
+
+          # Validate report files exist
+          if [ ! -f base/target/dependency-check-report.json ]; then
+            echo "❌ Missing base report: base/target/dependency-check-report.json"
+            exit 1
+          fi
+          if [ ! -f target/dependency-check-report.json ]; then
+            echo "❌ Missing PR report: target/dependency-check-report.json"
+            exit 1
+          fi
+
+          # Validate report files are valid JSON
+          if ! jq empty base/target/dependency-check-report.json >/dev/null 2>&1; then
+            echo "❌ Malformed JSON in base/target/dependency-check-report.json"
+            exit 1
+          fi
+          if ! jq empty target/dependency-check-report.json >/dev/null 2>&1; then
+            echo "❌ Malformed JSON in target/dependency-check-report.json"
+            exit 1
+          fi
+
+          base_cves=$(jq -r ".dependencies[].vulnerabilities[]? | select((.cvssv2.score // 0) >= $threshold or (.cvssv3.baseScore // 0) >= $threshold) | .name" base/target/dependency-check-report.json | grep -E '^CVE-[0-9]{4}-[0-9]+$' | sort -u)
+          pr_cves=$(jq -r ".dependencies[].vulnerabilities[]? | select((.cvssv2.score // 0) >= $threshold or (.cvssv3.baseScore // 0) >= $threshold) | .name" target/dependency-check-report.json | grep -E '^CVE-[0-9]{4}-[0-9]+$' | sort -u)
+
+          # Find new CVEs introduced in PR
+          new_cves=$(comm -13 <(echo "$base_cves") <(echo "$pr_cves"))
+
+          if [ -n "$new_cves" ]; then
+            echo "❌ New vulnerabilities with CVSS >= $threshold introduced in PR:"
+            echo "$new_cves"
+            echo ""
+
+            for cve in $new_cves; do
+              echo "=================================================="
+              echo "CVE: $cve"
+              echo "=================================================="
+
+              # Find which dependencies have this CVE
+              jq -r '
+                .dependencies[]
+                | select(.vulnerabilities[]?.name == "'"$cve"'")
+                | "Module: " + (.projectReferences // ["root"])[0]
+                  + "\nDependency: " + .fileName
+                  + "\nPackage: " + (if .packages and .packages[0] then .packages[0].id else "N/A" end)
+                  + "\nDescription: " + (
+                      [.vulnerabilities[] | select(.name == "'"$cve"'") | .description]
+                      | unique
+                      | join("\nDescription: ")
+                    )
+              ' target/dependency-check-report.json
+
+              echo ""
+            done
+
+            exit 1
+          else
+            echo "✅ No new vulnerabilities introduced"
+          fi
+
+      - name: Save OWASP database cache
+        if: always()
+        uses: actions/cache/save@v4
+        with:
+          path: ~/.owasp/dependency-check-data
+          key: owasp-cache-${{ runner.os }}-v${{ env.OWASP_VERSION }}-${{ steps.get-date.outputs.date }}
+
+      - name: Upload reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: owasp-reports
+          path: |
+            base/target/dependency-check-report.json
+            target/dependency-check-report.json

.github/workflows/prestocpp-linux-build-and-unit-test.yml

@@ -79,6 +79,8 @@ jobs:
           github.event_name == 'schedule' || needs.changes.outputs.codechange == 'true'
         run: |
           source /opt/rh/gcc-toolset-12/enable
+          cp -r presto-native-tests/presto_cpp/tests presto-native-execution/presto_cpp/main/functions/dynamic_registry
+          echo "add_subdirectory(tests)" >> presto-native-execution/presto_cpp/main/functions/dynamic_registry/CMakeLists.txt
           cd presto-native-execution
           cmake \
             -B _build/release \
@@ -126,6 +128,7 @@ jobs:
           path: |
             presto-native-execution/_build/release/presto_cpp/main/presto_server
             presto-native-execution/_build/release/velox/velox/functions/remote/server/velox_functions_remote_server_main
+            presto-native-execution/_build/release/presto_cpp/main/functions/dynamic_registry/tests/
 
   prestocpp-linux-presto-e2e-tests:
     needs: [changes, prestocpp-linux-build-for-test]
@@ -328,43 +331,59 @@ jobs:
       MAVEN_TEST: "-B -Dair.check.skip-all -Dmaven.javadoc.skip=true -DLogTestDurationListener.enabled=true --fail-at-end"
     steps:
       - uses: actions/checkout@v4
+        if: |
+          github.event_name == 'schedule' || needs.changes.outputs.codechange == 'true'
 
       - name: Fix git permissions
+        if: |
+          github.event_name == 'schedule' || needs.changes.outputs.codechange == 'true'
         # Usually actions/checkout does this but as we run in a container
         # it doesn't work
         run: git config --global --add safe.directory ${GITHUB_WORKSPACE}
 
       - name: Download artifacts
+        if: |
+          github.event_name == 'schedule' || needs.changes.outputs.codechange == 'true'
         uses: actions/download-artifact@v4
         with:
           name: presto-native-build
           path: presto-native-execution/_build/release
 
       # Permissions are lost when uploading. Details here: https://github.com/actions/upload-artifact/issues/38
       - name: Restore execute permissions and library path
+        if: |
+          github.event_name == 'schedule' || needs.changes.outputs.codechange == 'true'
         run: |
           chmod +x ${GITHUB_WORKSPACE}/presto-native-execution/_build/release/presto_cpp/main/presto_server
           chmod +x ${GITHUB_WORKSPACE}/presto-native-execution/_build/release/velox/velox/functions/remote/server/velox_functions_remote_server_main
           # Ensure transitive dependency libboost-iostreams is found.
           ldconfig /usr/local/lib
 
       - name: Install OpenJDK17
+        if: |
+          github.event_name == 'schedule' || needs.changes.outputs.codechange == 'true'
         uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
           java-version: 17.0.15
           cache: 'maven'
       - name: Download nodejs to maven cache
+        if: |
+          github.event_name == 'schedule' || needs.changes.outputs.codechange == 'true'
         run: .github/bin/download_nodejs
 
       - name: Maven install
+        if: |
+          github.event_name == 'schedule' || needs.changes.outputs.codechange == 'true'
         env:
           # Use different Maven options to install.
           MAVEN_OPTS: "-Xmx2G -XX:+ExitOnOutOfMemoryError"
         run: |
           for i in $(seq 1 3); do ./mvnw clean install $MAVEN_FAST_INSTALL -pl 'presto-native-tests' -am && s=0 && break || s=$? && sleep 10; done; (exit $s)
 
       - name: Run presto-on-spark native tests
+        if: |
+          github.event_name == 'schedule' || needs.changes.outputs.codechange == 'true'
         run: |
           export PRESTO_SERVER_PATH="${GITHUB_WORKSPACE}/presto-native-execution/_build/release/presto_cpp/main/presto_server"
           export TESTFILES=`find ./presto-native-execution/src/test -type f -name 'TestPrestoSpark*.java'`

.github/workflows/product-tests-specific-environment.yml

@@ -42,11 +42,9 @@ jobs:
     steps:
       - name: Free Disk Space
         if: needs.changes.outputs.codechange == 'true'
-        run: |
-          df -h
-          sudo apt-get clean
-          rm -rf /opt/hostedtoolcache
-          df -h
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
+        with:
+          docker-images: false
       - uses: actions/checkout@v4
         if: needs.changes.outputs.codechange == 'true'
         with:
@@ -108,11 +106,9 @@ jobs:
     steps:
       - name: Free Disk Space
         if: needs.changes.outputs.codechange == 'true'
-        run: |
-          df -h
-          sudo apt-get clean
-          rm -rf /opt/hostedtoolcache
-          df -h
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
+        with:
+          docker-images: false
       - uses: actions/checkout@v4
         if: needs.changes.outputs.codechange == 'true'
         with:

.github/workflows/tests.yml

@@ -60,7 +60,7 @@ jobs:
           - ":presto-main-base"
           - ":presto-main"
           - ":presto-mongodb -P ci-full-tests"
-          - ":presto-redis -P test-redis-integration-smoke-test"
+          - ":presto-redis -P ci-full-tests"
           - ":presto-elasticsearch"
           - ":presto-orc"
           - ":presto-thrift-connector"