Security Vulnerability fix for snappy-0.2(CVE-2024-36124)

[namya28]

Description

This PR is fixing the security vulnerability for the library "snappy-0.2" (CVE-2024-36124) https://mvnrepository.com/artifact/org.iq80.snappy/snappy/0.2. The library has been upgraded to the version 0.5 (https://mvnrepository.com/artifact/org.iq80.snappy/snappy/0.5). This fixes CVE-2024-36124.

Motivation and Context

The snappy library currently used has a security vulnerability for the version 0.2. This PR focuses on upgrading the version to 0.5 to fix the current vulnerability.

Impact

Test Plan

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes

* Upgrade the snappy version to 0.5 in response to `CVE-2024-36124 <https://github.com/advisories/GHSA-8wh2-6qhj-h7j9>`_. :pr:`24159`

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: namya28 / name: Namya Sehgal (f6e2e60)

[infvg]

Why are we excluding this?

[namya28]

There was an upper bound dependencies error for org.iq80.snappy:snappy:0.2 from this module(Attaching below for reference) :

+-com.facebook.presto:presto-hive:0.291-SNAPSHOT
+-com.facebook.hive:hive-dwrf:0.8.5
+-org.iq80.snappy:snappy:0.2
and
+-com.facebook.presto:presto-hive:0.291-SNAPSHOT
+-com.facebook.presto:presto-hive-metastore:0.291-SNAPSHOT
+-org.iq80.snappy:snappy:0.5
and
+-com.facebook.presto:presto-hive:0.291-SNAPSHOT
+-com.facebook.presto:presto-hive-metastore:0.291-SNAPSHOT
+-org.iq80.snappy:snappy:0.5

[infvg]

Instead of bringing in this dependency, have you tried adding this upgrade to the root pom dependency management?

[namya28]

This was a transitive dependency coming from this module. I will try adding in the root pom as well. Thanks for the suggestion.

[infvg]

Could you please squash the commits and modify the commit message to follow the guidelines?

The release note should also contain the CVE as per the guidelines
eg:
* Upgrade okio to 3.6.0 in response to `CVE-2023-3635 <https://github.com/advisories/GHSA-w33c-445m-f8w7>`_. :pr:`23796

[infvg]

Could we also get this in the root pom?

[namya28]

Hi @infvg , thank you for your suggestions and comments. I have addressed all the review comments. Could you please re-review the PR once again.

[infvg]

LGTM

[nishithakbhaskaran]

Looks good

[tdcmeehan]

What is ultimately bringing in and using this dependency?

[namya28]

@tdcmeehan The version earlier used was 0.2 which was present transitively across modules , causing the vulnerability. By bringing in this dependency and the version 0.5 fixes the vulnerability as 0.5 is the vulnerable free version for this library.

[tdcmeehan]

Right, but my question is what is using it?

[namya28]

It is being transitively used by the modules presto-hive-hadoop2 , presto-hive , presto-native-execution and presto-hive-metastore . (Attaching a screenshot for reference)

[tdcmeehan]

Should we update hive-dwrf instead of overriding it at the top level here?

[namya28]

@tdcmeehan , introducing the latest version of hive-dwrf introduces a lot of vulnerabilities. (https://mvnrepository.com/artifact/com.facebook.hive/hive-dwrf/0.18.9). (Attaching the screenshot from the maven repository). Although even if we try upgrading hive-dwrf, it does not resolve the vulnerability directly as it still introduces the 0.2 version of snappy transitively.

[namya28]

@tdcmeehan , could you please have a look at the comments and re-review if possible?

[tdcmeehan]

What I mean is, simply fix the vulnerabilities in hive-dwrf, cut a release, then update here. https://github.com/prestodb/presto-hive-dwrf

[namya28]

Closing this PR as this CVE was fixed by upgrading the snappy version in the new hive-dwrf release.
Attaching the PRs:
The PR Link to prestodb/presto: #24461
The PR link to upgrade snappy in prestodb/presto-hive-dwrf : prestodb/presto-hive-dwrf#7