Upgrade guava to 32.1.0-jre due CVE-2023-2976 (#23127)
tdcmeehan merged 1 commit into prestodb:master
Conversation
| checkArgument(bucketNumber.isPresent(), "bucketNumber must be present"); | ||
| if (!allSplitLoaded.isDone()) { | ||
| return allSplitLoaded.transform(ignored -> ImmutableList.of(), executor); | ||
| return FluentFuture.from(allSplitLoaded).transform(ignored -> ImmutableList.of(), executor); |
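Review bot: the hunk introduces `FluentFuture` but the matching `import com.google.common.util.concurrent.FluentFuture;` is outside the visible context; confirm it was added so the class compiles against 32.1.0-jre. The rewrite itself is behaviour-preserving: `FluentFuture.from` returns the argument unchanged when it is already a `FluentFuture` and otherwise wraps it, and `transform(ignored -> ImmutableList.of(), executor)` keeps the same function and executor as the removed line. The `isDone()` check followed by a separate `transform` call is pre-existing and unaffected by this change.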
Fixes a compilation error due to this change introduced in Guava 27.0: AbstractFuture doesn't expose FluentFuture APIs anymore
| <exclusion> | ||
| <groupId>*</groupId> | ||
| <artifactId>*</artifactId> | ||
| <artifactId>checker-qual</artifactId> |
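Review bot: replacing the `*`/`*` wildcard exclusion with a single `<artifactId>checker-qual</artifactId>` needs a `<groupId>` element as well, and none is visible in the hunk; checker-qual is published as `org.checkerframework:checker-qual`, so the exclusion should read `<groupId>org.checkerframework</groupId>` immediately before the artifactId. Dropping the wildcard also means every other artifact guava declares (error_prone_annotations, j2objc-annotations, jsr305, listenablefuture) returns to the tree unless each gets its own exclusion; the thread states only failureaccess is meant to stay, so `mvn dependency:tree -Dincludes=com.google.guava` output is the thing to attach here.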
Why do these need to be excluded?
Also, groupId conventionally comes before artifactId. This made me look twice.
Done: groupId before artifactId.
Only failureaccess is needed, all others are excluded.
| <dep.jayway.version>2.6.0</dep.jayway.version> | ||
| <dep.ratis.version>2.2.0</dep.ratis.version> | ||
| <dep.errorprone.version>2.18.0</dep.errorprone.version> | ||
| <dep.guava.version>32.1.0-jre</dep.guava.version> |
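Review bot: 32.1.0-jre does carry the fix for CVE-2023-2976 (fixed in 32.0.0), but declaring `dep.guava.version` here only shadows the property inherited from airbase; the guava entry in `dependencyManagement` has to reference `${dep.guava.version}` for the override to take effect, and the enforcer's dependency convergence run should be checked in CI for any remaining older guava artifact.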
Where was this set before? Was this pulled in via airlift? If so, we might want to update airlift instead.
The guava version is pulled via airbase, but we see no movement on the forked airbase regarding version upgrades.
errorprone version is introduced in this PR.
I personally don't know why we use airbase, but I assume there's a reason. Given that we do, I think the default approach is to fix that rather than introducing the new guava version here. Otherwise it's still possible we'll pull in the wrong guava version somewhere and have dependency convergence issues.
It seems that in the past airbase was used to pull versions, but it does not appear to be the approach being used now:
- the pom also overrides other versions declared in airbase such as slf4j, jackson, joda, etc.
- airbase v102 has been in use since May 2021
| <dep.errorprone.version>2.18.0</dep.errorprone.version> | ||
| <dep.guava.version>32.1.0-jre</dep.guava.version> | ||
| <dep.jackson.version>2.11.0</dep.jackson.version> | ||
| <dep.j2objc.version>2.8</dep.j2objc.version> |
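Review bot: pinning `dep.j2objc.version` to 2.8 matches what guava 32.1.0-jre declares for `com.google.j2objc:j2objc-annotations`, but the property only has an effect if that artifact is allowed into the tree; if the guava dependency excludes everything except failureaccess, as stated later in this thread, the pin is dead configuration. Either keep the annotation artifact and this pin, or exclude it and drop the property, and verify with `mvn dependency:tree -Dincludes=com.google.j2objc` which of the two is actually in force.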
Do we need j2bjc? I see it in a few poms, but not in Java code anywhere. Can we instead remove it where it appears?
Yes we need it. It is often used in the guava code, e.g. in com.google.common.util.concurrent.AbstractFuture class, and this class is used via com.google.common.util.concurrent.SettableFuture by com.facebook.presto.hive.HiveSplitSource
but shouldn't guava supply that then? Does it need to be in our poms?
Also should we just use the guava BOM instead of setting these dependencies up manually?
We are pinning the version to avoid conflicts among different versions of the same dependency (Maven Enforcer plugin).
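As an added illustration (not code from this PR or from the Presto poms), the kind of `dependencyManagement` entry and enforcer rule the pinning described above amounts to: guava pinned through `${dep.guava.version}`, each transitive annotation artifact excluded under its real groupId (checker-qual under `org.checkerframework`, not `com.google.errorprone`), only `failureaccess` kept, and a `dependencyConvergence` rule plus a version ban so a second or older guava fails the build. The enforcer plugin version and the exact exclusion set are assumptions; the guava version is the one this PR sets.

```xml
<project>
  <properties>
    <dep.guava.version>32.1.0-jre</dep.guava.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${dep.guava.version}</version>
        <exclusions>
          <!-- checker-qual is published under org.checkerframework; an exclusion
               with groupId com.google.errorprone would match nothing -->
          <exclusion>
            <groupId>org.checkerframework</groupId>
            <artifactId>checker-qual</artifactId>
          </exclusion>
          <exclusion>
            <groupId>com.google.errorprone</groupId>
            <artifactId>error_prone_annotations</artifactId>
          </exclusion>
          <exclusion>
            <groupId>com.google.j2objc</groupId>
            <artifactId>j2objc-annotations</artifactId>
          </exclusion>
          <exclusion>
            <groupId>com.google.code.findbugs</groupId>
            <artifactId>jsr305</artifactId>
          </exclusion>
          <exclusion>
            <groupId>com.google.guava</groupId>
            <artifactId>listenablefuture</artifactId>
          </exclusion>
          <!-- com.google.guava:failureaccess is deliberately NOT excluded:
               AbstractFuture extends a class that lives in it -->
        </exclusions>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>enforce-guava</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- fail when two guava versions reach the tree via different paths -->
                <dependencyConvergence/>
                <!-- fail when any guava below the CVE-2023-2976 fix version (32.0.0) appears -->
                <bannedDependencies>
                  <excludes>
                    <exclude>com.google.guava:guava:(,32.0.0)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in the parent pom, `mvn enforcer:enforce` rejects a build in which an old airbase-managed guava still wins anywhere, and `mvn dependency:tree -Dincludes=com.google.guava` shows whether only guava and failureaccess remain, which is the check that would have caught the checker-qual groupId mistake before it reached the shaded presto-jdbc jar.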
04f311c to da1e753
| <exclusion> | ||
| <groupId>*</groupId> | ||
| <artifactId>*</artifactId> | ||
| <groupId>com.google.errorprone</groupId> |
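Review bot: `com.google.errorprone` is not the groupId of checker-qual, which is published as `org.checkerframework:checker-qual`, so this exclusion matches no artifact and checker-qual comes back into the tree transitively (consistent with the org/checkerframework classes reported below as creeping into the shaded presto-jdbc jar). Change the line to `<groupId>org.checkerframework</groupId>`; if the intent was also to drop error_prone_annotations, that needs a separate exclusion pairing `com.google.errorprone` with `<artifactId>error_prone_annotations</artifactId>`.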
I believe this is wrong and is causing shading issues in presto-jdbc: org/checkerframework is now creeping into presto-jdbc jar. The groupId should be org.checkerframework for the checker-qual
Please fix asap.
agrawaldevesh left a comment
Please fix the highlighted issue asap since this is breaking projects that use presto-jdbc
Description
Presto issue #22841
Motivation and Context
Solves a CVE of severity HIGH.
Contributor checklist
Release Notes
Please follow release notes guidelines and fill in the release notes below.