From b16de641609e06d2bed51d05d3ee153440fe351f Mon Sep 17 00:00:00 2001
From: satish <satish@traceable.ai>
Date: Wed, 25 Oct 2023 16:49:20 +0530
Subject: [PATCH 1/4] truncate Trino query error message to 2K

---
 .../core/query/service/trino/TrinoBasedRequestHandler.java     | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java b/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java
index 3f885536..e422da33 100644
--- a/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java
+++ b/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java
@@ -130,7 +130,8 @@ public Observable<Row> handleRequest(QueryRequest request, ExecutionContext exec
 
       return executeQuery(sql.getKey(), sql.getValue());
     } catch (Throwable t) {
-      return Observable.error(t);
+      String truncatedMessage = (t.getMessage() == null) ? null : t.getMessage().substring(0, 2048);
+      return Observable.error(new Throwable(truncatedMessage));
     }
   }
 

From 66bf0693b66bd986f6db6d158880b77f2a545fa3 Mon Sep 17 00:00:00 2001
From: satish <satish@traceable.ai>
Date: Wed, 25 Oct 2023 16:57:34 +0530
Subject: [PATCH 2/4] fix vulnerabilities

---
 owasp-suppressions.xml                 |  5 +++--
 query-service-client/build.gradle.kts  |  2 +-
 query-service-factory/build.gradle.kts |  2 +-
 query-service-impl/build.gradle.kts    | 11 +++++++----
 query-service/build.gradle.kts         |  6 +++---
 5 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
index c75b0137..42d6e7c2 100644
--- a/owasp-suppressions.xml
+++ b/owasp-suppressions.xml
@@ -18,14 +18,15 @@
     <cve>CVE-2020-13956</cve>
   </suppress>
 
-  <suppress until="2023-10-31Z">
+  <suppress until="2023-11-30Z">
     <notes><![CDATA[
-   file name: zookeeper-api-1.2.0.jar
+   file name: zookeeper-api-1.3.0.jar
    ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.apache\.helix/zookeeper\-api@.*$</packageUrl>
     <cve>CVE-2016-5017</cve>
     <cve>CVE-2018-8012</cve>
     <cve>CVE-2019-0201</cve>
+    <cve>CVE-2023-44981</cve>
   </suppress>
   <suppress until="2023-10-31Z">
     <notes><![CDATA[
diff --git a/query-service-client/build.gradle.kts b/query-service-client/build.gradle.kts
index aa1a4b06..0db50e1e 100644
--- a/query-service-client/build.gradle.kts
+++ b/query-service-client/build.gradle.kts
@@ -7,7 +7,7 @@ plugins {
 
 dependencies {
   api(project(":query-service-api"))
-  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.1")
+  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.6")
 
   // Logging
   implementation("org.slf4j:slf4j-api:1.7.32")
diff --git a/query-service-factory/build.gradle.kts b/query-service-factory/build.gradle.kts
index 8bb466be..2c850d46 100644
--- a/query-service-factory/build.gradle.kts
+++ b/query-service-factory/build.gradle.kts
@@ -3,7 +3,7 @@ plugins {
 }
 
 dependencies {
-  api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.60")
+  api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.62")
 
   implementation(project(":query-service-impl"))
   implementation("com.google.inject:guice:5.0.1")
diff --git a/query-service-impl/build.gradle.kts b/query-service-impl/build.gradle.kts
index d227935a..d341cfd6 100644
--- a/query-service-impl/build.gradle.kts
+++ b/query-service-impl/build.gradle.kts
@@ -54,12 +54,15 @@ dependencies {
     implementation("com.squareup.okio:okio:3.4.0") {
       because("CVE-2023-3635")
     }
+    implementation("org.apache.zookeeper:zookeeper:3.7.2") {
+      because("CVE-2023-44981")
+    }
   }
   api(project(":query-service-api"))
   api("com.typesafe:config:1.4.1")
-  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.1")
-  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.1")
-  implementation("org.hypertrace.core.grpcutils:grpc-server-rx-utils:0.12.1")
+  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.6")
+  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.6")
+  implementation("org.hypertrace.core.grpcutils:grpc-server-rx-utils:0.12.6")
   implementation("org.hypertrace.core.attribute.service:attribute-service-api:0.14.26")
   implementation("org.hypertrace.core.attribute.service:attribute-projection-registry:0.14.26")
   implementation("org.hypertrace.core.attribute.service:caching-attribute-service-client:0.14.26")
@@ -71,7 +74,7 @@ dependencies {
   }
   implementation("org.slf4j:slf4j-api:1.7.32")
   implementation("commons-codec:commons-codec:1.15")
-  implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.60")
+  implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.62")
   implementation("com.google.protobuf:protobuf-java-util:3.22.0")
   implementation("com.google.guava:guava:32.1.2-jre")
   implementation("io.reactivex.rxjava3:rxjava:3.0.11")
diff --git a/query-service/build.gradle.kts b/query-service/build.gradle.kts
index aeb21a22..d65d8f4d 100644
--- a/query-service/build.gradle.kts
+++ b/query-service/build.gradle.kts
@@ -10,8 +10,8 @@ plugins {
 
 dependencies {
   implementation(project(":query-service-factory"))
-  implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.1")
-  implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.61")
+  implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.6")
+  implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.62")
   implementation("org.slf4j:slf4j-api:1.7.32")
   implementation("com.typesafe:config:1.4.1")
 
@@ -22,7 +22,7 @@ dependencies {
   integrationTestImplementation("org.testcontainers:testcontainers:1.16.2")
   integrationTestImplementation("org.testcontainers:junit-jupiter:1.16.2")
   integrationTestImplementation("org.testcontainers:kafka:1.16.2")
-  integrationTestImplementation("org.hypertrace.core.serviceframework:integrationtest-service-framework:0.1.61")
+  integrationTestImplementation("org.hypertrace.core.serviceframework:integrationtest-service-framework:0.1.62")
   integrationTestImplementation("com.github.stefanbirkner:system-lambda:1.2.0")
 
   integrationTestImplementation("org.apache.kafka:kafka-clients:7.2.1-ccs")

From ee4bd854c3b4d0c962daffa269aff284a5882b99 Mon Sep 17 00:00:00 2001
From: satish <satish@traceable.ai>
Date: Wed, 25 Oct 2023 22:25:07 +0530
Subject: [PATCH 3/4] handle indexOutOfBoundsException

---
 .../query/service/trino/TrinoBasedRequestHandler.java | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java b/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java
index e422da33..2b61f14e 100644
--- a/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java
+++ b/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java
@@ -130,8 +130,7 @@ public Observable<Row> handleRequest(QueryRequest request, ExecutionContext exec
 
       return executeQuery(sql.getKey(), sql.getValue());
     } catch (Throwable t) {
-      String truncatedMessage = (t.getMessage() == null) ? null : t.getMessage().substring(0, 2048);
-      return Observable.error(new Throwable(truncatedMessage));
+      return Observable.error(new Throwable(truncateMessage(t.getMessage(), 2048)));
     }
   }
 
@@ -229,4 +228,12 @@ private Value getNullValueEquivalent(int columnType) {
         return NULL_STRING_EQ_STRING_VALUE;
     }
   }
+
+  private String truncateMessage(String message, int length) {
+    if (message == null) {
+      return null;
+    } else {
+      return message.length() <= length ? message : message.substring(0, length);
+    }
+  }
 }

From cb03283a88c9d32f22b6a76a4ec601983985746b Mon Sep 17 00:00:00 2001
From: satish <satish@traceable.ai>
Date: Thu, 26 Oct 2023 10:35:19 +0530
Subject: [PATCH 4/4] use StringUtils

---
 .../query/service/trino/TrinoBasedRequestHandler.java | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java b/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java
index 2b61f14e..690dcad3 100644
--- a/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java
+++ b/query-service-impl/src/main/java/org/hypertrace/core/query/service/trino/TrinoBasedRequestHandler.java
@@ -19,6 +19,7 @@
 import java.util.Optional;
 import java.util.Set;
 import lombok.SneakyThrows;
+import org.apache.commons.lang3.StringUtils;
 import org.hypertrace.core.query.service.ExecutionContext;
 import org.hypertrace.core.query.service.QueryCost;
 import org.hypertrace.core.query.service.RequestHandler;
@@ -130,7 +131,7 @@ public Observable<Row> handleRequest(QueryRequest request, ExecutionContext exec
 
       return executeQuery(sql.getKey(), sql.getValue());
     } catch (Throwable t) {
-      return Observable.error(new Throwable(truncateMessage(t.getMessage(), 2048)));
+      return Observable.error(new Throwable(StringUtils.truncate(t.getMessage(), 2048)));
     }
   }
 
@@ -228,12 +229,4 @@ private Value getNullValueEquivalent(int columnType) {
         return NULL_STRING_EQ_STRING_VALUE;
     }
   }
-
-  private String truncateMessage(String message, int length) {
-    if (message == null) {
-      return null;
-    } else {
-      return message.length() <= length ? message : message.substring(0, length);
-    }
-  }
 }