Skip to content

HIVE-29000: Upgrade nimbus-jose-jwt to 10.4.2 to resolve CVE #5855

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 21, 2025
Merged

HIVE-29000: Upgrade nimbus-jose-jwt to 10.4.2 to resolve CVE #5855

merged 1 commit into from
Aug 21, 2025

Conversation

arorasimran0309
Copy link
Contributor

@arorasimran0309 arorasimran0309 commented Jun 10, 2025
edited
Loading

What changes were proposed in this pull request?

Upgrading nimbus-jose-jwt to resolve CVEs

Why are the changes needed?

Due to CVEs

Does this PR introduce any user-facing change?

No

How was this patch tested?

Existing tests, dependency tree

@arorasimran0309 arorasimran0309 changed the title HIVE-29000: Upgrade nimbus-jose-jwt [WIP] HIVE-29000: Upgrade nimbus-jose-jwt Jun 10, 2025
@Aggarwal-Raghav
Copy link
Contributor

@arorasimran0309 , I can still see nimbus older version in iceberg/patched-iceberg-core/pom.xml

[INFO] |  +- org.apache.hadoop:hadoop-auth:jar:3.4.1:compile (optional)
[INFO] |  |  +- com.nimbusds:nimbus-jose-jwt:jar:9.37.2:compile (optional)
[INFO] |  |  |  \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile (optional)

Also, this is a major version change, please check for any incompatiblities in api's (from release notes). As we are forcing hadoop 3.4.1 to work with 10.3 instead of 9.37.2

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions GitHub Actions
Copy link

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Feel free to reach out on the dev@hive.apache.org list if the patch is in need of reviews.

@github-actions github-actions bot added the stale label Aug 11, 2025
saihemanth-cloudera
saihemanth-cloudera requested changes Aug 14, 2025
View reviewed changes
pom.xml
Comment on lines +958 to +941
<exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
</exclusion>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add the same exclusion here as well: https://github.com/apache/hive/blob/master/standalone-metastore/metastore-common/pom.xml#L77 to avoid 9.37.3 completely from the dependency tree

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed these changes, please review

@arorasimran0309 arorasimran0309 changed the title [WIP] HIVE-29000: Upgrade nimbus-jose-jwt HIVE-29000: Upgrade nimbus-jose-jwt to 10.4.2 to resolve CVE Aug 20, 2025
@arorasimran0309 arorasimran0309 mentioned this pull request Aug 20, 2025
Closed
saihemanth-cloudera
saihemanth-cloudera reviewed Aug 20, 2025
View reviewed changes
Copy link
Contributor

@saihemanth-cloudera saihemanth-cloudera left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM +1, Pending green Jenkins tests.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
28 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@arorasimran0309
Copy link
Contributor Author

arorasimran0309 commented Aug 21, 2025
edited
Loading

@arorasimran0309 , I can still see nimbus older version in iceberg/patched-iceberg-core/pom.xml

[INFO] |  +- org.apache.hadoop:hadoop-auth:jar:3.4.1:compile (optional)
[INFO] |  |  +- com.nimbusds:nimbus-jose-jwt:jar:9.37.2:compile (optional)
[INFO] |  |  |  \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile (optional)

Also, this is a major version change, please check for any incompatiblities in api's (from release notes). As we are forcing hadoop 3.4.1 to work with 10.3 instead of 9.37.2

@Aggarwal-Raghav
older version from iceberg/patched-iceberg-core/pom.xml is handled now.
Also, checked release notes for 9.37.2 → 10.4.2 and confirmed no usage of features impacted by notable changes (null‑claim serialization, HS384/HS512 key length enforcement, RSA‑OAEP mode fix). The full build/test suite passes.

@saihemanth-cloudera
Copy link
Contributor

Waiting for @Aggarwal-Raghav's approval to merge this patch

@Aggarwal-Raghav
Copy link
Contributor

Dependency tree looks good, packaing also contains onty nimbus-jose-jwt-10.4.2.jar.
LGTM +1

@saihemanth-cloudera saihemanth-cloudera merged commit 08944ea into apache:master Aug 21, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saihemanth-cloudera saihemanth-cloudera

+1 more reviewer

@Aggarwal-Raghav Aggarwal-Raghav

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
stale tests passed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@arorasimran0309 @Aggarwal-Raghav @saihemanth-cloudera @asf-ci-hive