Conversation

@hotcodemacha
Contributor

@hotcodemacha hotcodemacha commented Jun 30, 2022

Description of PR

Bump javax.ws.rs-api to version 3.1.0 to mitigate CVE-2020-15250

JIRA - HADOOP-18323

How was this patch tested?

CI/Build

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

@hotcodemacha hotcodemacha changed the title HADOOP-18323.Bump javax.ws.rs-api To Version 3.1.0 HADOOP-18323.Bump javax.ws.rs-api to 3.1.0 Jun 30, 2022
@virajjasani
Contributor

virajjasani commented Jul 1, 2022

Can we wait some time for HADOOP-15984 to go through? It will take some time, but if we can bump javax.ws.rs-api after the Jersey 2 upgrade, that would be less complex. Otherwise we anyway have some complexities and some class clashes because jsr311-api is still being used; please check the discussions on HADOOP-18033.

cc @ayushtkn

@hadoop-yetus

💔 -1 overall

| Vote | Subsystem | Runtime | Logfile | Comment |
|---|---|---|---|---|
| +0 🆗 | reexec | 0m 53s | | Docker mode activated. |
| | _ Prechecks _ | | | |
| +1 💚 | dupname | 0m 0s | | No case conflicting files found. |
| +0 🆗 | codespell | 0m 0s | | codespell was not available. |
| +0 🆗 | detsecrets | 0m 0s | | detect-secrets was not available. |
| +0 🆗 | xmllint | 0m 0s | | xmllint was not available. |
| +0 🆗 | shelldocs | 0m 1s | | Shelldocs was not available. |
| +1 💚 | @author | 0m 0s | | The patch does not contain any @author tags. |
| -1 ❌ | test4tests | 0m 0s | | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| | _ trunk Compile Tests _ | | | |
| +0 🆗 | mvndep | 14m 36s | | Maven dependency ordering for branch |
| +1 💚 | mvninstall | 28m 17s | | trunk passed |
| +1 💚 | compile | 24m 58s | | trunk passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | compile | 21m 35s | | trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | mvnsite | 19m 44s | | trunk passed |
| +1 💚 | javadoc | 8m 57s | | trunk passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javadoc | 7m 33s | | trunk passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | shadedclient | 38m 44s | | branch has no errors when building and testing our client artifacts. |
| | _ Patch Compile Tests _ | | | |
| +0 🆗 | mvndep | 0m 35s | | Maven dependency ordering for patch |
| +1 💚 | mvninstall | 44m 19s | | the patch passed |
| +1 💚 | compile | 24m 26s | | the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javac | 24m 26s | | the patch passed |
| +1 💚 | compile | 21m 40s | | the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | javac | 21m 40s | | the patch passed |
| +1 💚 | blanks | 0m 0s | | The patch has no blanks issues. |
| +1 💚 | mvnsite | 19m 8s | | the patch passed |
| +1 💚 | shellcheck | 0m 0s | | No new issues. |
| +1 💚 | javadoc | 8m 21s | | the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 |
| +1 💚 | javadoc | 7m 31s | | the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| +1 💚 | shadedclient | 40m 26s | | patch has no errors when building and testing our client artifacts. |
| | _ Other Tests _ | | | |
| -1 ❌ | unit | 1009m 3s | /patch-unit-root.txt | root in the patch passed. |
| +1 💚 | asflicense | 2m 7s | | The patch does not generate ASF License warnings. |
| | | 1313m 29s | | |
Failed junit tests:
hadoop.yarn.applications.distributedshell.TestDSWithMultipleNodeManager
hadoop.yarn.applications.distributedshell.TestDSTimelineV20
hadoop.yarn.applications.distributedshell.TestDSTimelineV15
hadoop.yarn.applications.distributedshell.TestDSTimelineV10
hadoop.yarn.client.api.impl.TestYarnClient
hadoop.yarn.client.api.impl.TestYarnClientImpl
hadoop.yarn.client.TestApplicationMasterServiceProtocolForTimelineV2
hadoop.yarn.server.timelineservice.documentstore.TestDocumentStoreTimelineWriterImpl
hadoop.yarn.server.timelineservice.documentstore.writer.cosmosdb.TestCosmosDBDocumentStoreWriter
hadoop.yarn.server.timelineservice.documentstore.TestDocumentStoreTimelineReaderImpl
hadoop.yarn.server.timelineservice.documentstore.reader.cosmosdb.TestCosmosDBDocumentStoreReader
hadoop.yarn.server.timelineservice.documentstore.collection.TestDocumentOperations
hadoop.yarn.server.timelineservice.collector.TestTimelineCollector
hadoop.yarn.server.timelineservice.storage.TestFileSystemTimelineReaderImpl
hadoop.yarn.server.timelineservice.reader.TestTimelineReaderWebServices
hadoop.yarn.server.timelineservice.reader.TestTimelineReaderServer
hadoop.yarn.server.timelineservice.storage.TestFileSystemTimelineWriterImpl
hadoop.yarn.server.timelineservice.reader.TestTimelineReaderWebServicesACL
hadoop.yarn.server.timelineservice.collector.TestPerNodeTimelineCollectorsAuxService
hadoop.yarn.server.timelineservice.reader.TestTimelineUIDConverter
hadoop.yarn.server.timelineservice.collector.TestNMTimelineCollectorManager
hadoop.yarn.server.timelineservice.storage.TestHBaseTimelineStorageEntities
hadoop.yarn.server.timelineservice.reader.TestTimelineReaderWebServicesHBaseStorage
hadoop.yarn.server.timelineservice.storage.flow.TestHBaseStorageFlowRunCompaction
hadoop.yarn.server.timelineservice.storage.flow.TestHBaseStorageFlowActivity
hadoop.yarn.server.timelineservice.storage.TestTimelineWriterHBaseDown
hadoop.yarn.server.timelineservice.storage.TestHBaseTimelineStorageDomain
hadoop.yarn.server.timelineservice.storage.TestTimelineReaderHBaseDown
hadoop.yarn.server.timelineservice.storage.TestHBaseTimelineStorageApps
hadoop.yarn.server.timelineservice.storage.flow.TestHBaseStorageFlowRun
hadoop.yarn.server.nodemanager.webapp.TestNMWebServices
hadoop.yarn.server.nodemanager.containermanager.TestContainerManagerRecovery
hadoop.yarn.server.timelineservice.TestTimelineServiceClientIntegration
hadoop.yarn.server.TestMiniYarnCluster
hadoop.yarn.server.timelineservice.security.TestTimelineAuthFilterForV2
hadoop.yarn.server.timeline.webapp.TestTimelineWebServicesWithSSL
hadoop.yarn.server.timeline.security.TestTimelineAuthenticationFilterForV1
hadoop.yarn.server.applicationhistoryservice.webapp.TestAHSWebApp
hadoop.yarn.server.applicationhistoryservice.TestApplicationHistoryServer
hadoop.yarn.server.timeline.webapp.TestTimelineWebServices
hadoop.yarn.server.applicationhistoryservice.webapp.TestAHSWebServices
hadoop.yarn.server.resourcemanager.metrics.TestSystemMetricsPublisherForV2
hadoop.yarn.server.resourcemanager.TestResourceTrackerService
hadoop.yarn.server.resourcemanager.TestRMHATimelineCollectors
hadoop.yarn.server.resourcemanager.TestRMRestart
hadoop.yarn.server.resourcemanager.metrics.TestSystemMetricsPublisher
hadoop.yarn.server.resourcemanager.metrics.TestCombinedSystemMetricsPublisher
hadoop.yarn.api.records.timelineservice.TestTimelineServiceRecords
hadoop.yarn.api.records.timeline.TestTimelineRecords
hadoop.yarn.util.timeline.TestShortenedFlowName
hadoop.mapreduce.jobhistory.TestJobHistoryEventHandler
hadoop.mapred.TestMRTimelineEventHandling
| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4522/1/artifact/out/Dockerfile |
| GITHUB PR | #4522 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs |
| uname | Linux 27fe91101c42 4.15.0-175-generic #184-Ubuntu SMP Thu Mar 24 17:48:36 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | trunk / 6cc1373 |
| Default Java | Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| Multi-JDK versions | /usr/lib/jvm/java-11-openjdk-amd64:Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07 |
| Test Results | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4522/1/testReport/ |
| Max. process+thread count | 2557 (vs. ulimit of 5500) |
| modules | C: hadoop-project hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-tests hadoop-mapreduce-project/hadoop-mapreduce-client hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timeline-pluginstorage hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice-hbase/hadoop-yarn-server-timelineservice-hbase-common hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-timelineservice-hbase-tests hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-distributedshell hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-core hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp hadoop-client-modules/hadoop-client-runtime hadoop-client-modules/hadoop-client-minicluster . U: . |
| Console output | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4522/1/console |
| versions | git=2.25.1 maven=3.6.3 shellcheck=0.7.0 |
| Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |

This message was automatically generated.

Member

@ayushtkn ayushtkn left a comment

A lot of tests have failed as well....
But what is the CVE all about? Are we getting impacted? This CVE is like a "CVE from dependency", and the dependency is JUnit? Can you check?
Some lines:

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability

This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. 

For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1

Doesn't look like a prod use case to me; second, we are already above JUnit 4.13.1.

@hotcodemacha
Contributor Author

@ayushtkn @virajjasani - Thanks for your comments. I do agree, after having all the test case failures and the fact that we are already on junit-4.13.1. It really doesn't look to me like a prod-impacting vulnerability.

@steveloughran
Contributor

we don't distribute junit at all; sole risk would be during manual/automated builds
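The triage the two comments above are doing by hand (is the flagged JUnit version actually resolved, in which scope, and does that scope ever leave the build host?) can be scripted against `mvn dependency:tree -Dverbose` output. The script below is an added example and is not part of this PR or of the Hadoop code base; the dependency tree it parses is a constructed sample whose module names (`org.example:demo-module`, `legacy-util`, `test-fixtures`) are made up, and the affected range it checks is the one stated in the advisory text quoted above (JUnit 4.7 up to but excluding 4.13.1). It generalizes the thread's point slightly by also handling the `(... omitted for conflict ...)` nodes Maven prints in verbose mode, which are not resolved and so should not be counted as exposure.

```python
"""Triage a 'CVE from a dependency' finding against a Maven dependency tree.

Reads the text that `mvn dependency:tree -Dverbose` prints (a constructed
sample is embedded below), locates every occurrence of the artifact the CVE
names, and reports its resolved version, scope, and whether it falls in the
affected range. A test-scoped dependency is never shipped, so an affected
version there only matters on the machines that run the build.
"""
import re
from dataclasses import dataclass

# Constructed sample; module and library names are illustrative and are not
# taken from the Hadoop build.
SAMPLE_TREE = """\
[INFO] org.example:demo-module:jar:1.0.0-SNAPSHOT
[INFO] +- jakarta.ws.rs:jakarta.ws.rs-api:jar:3.1.0:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \\- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.example:legacy-util:jar:1.2.0:compile
[INFO] |  \\- (junit:junit:jar:4.12:compile - omitted for conflict with 4.13.2)
[INFO] \\- org.example:test-fixtures:jar:tests:2.0.0:test
[INFO]    \\- junit:junit:jar:4.11:test
"""

# Affected range from the advisory text: 4.7 <= version < 4.13.1.
AFFECTED_LOW = (4, 7, 0)
FIXED_IN = (4, 13, 1)
# Scopes whose jars end up in the build's deliverables.
SHIPPED_SCOPES = {"compile", "runtime"}


@dataclass
class Occurrence:
    version: str
    scope: str
    affected: bool   # version inside the advisory's range
    shipped: bool    # scope puts the jar into distributed artifacts
    omitted: bool    # Maven dropped this node (nearest-wins conflict)


def parse_version(version):
    """Numeric prefix of a Maven version as a 3-tuple: '4.13' -> (4, 13, 0)."""
    nums = []
    for part in re.split(r"[.\-]", version):
        m = re.match(r"\d+", part)
        if not m:
            break          # stop at qualifiers such as SNAPSHOT
        nums.append(int(m.group()))
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def find_occurrences(tree_text, group_id="junit", artifact_id="junit"):
    """Every node of the tree whose coordinates match group_id:artifact_id."""
    found = []
    for line in tree_text.splitlines():
        body = re.sub(r"^\[INFO\]\s*", "", line)
        body = re.sub(r"^[|+\\\-\s(]+", "", body)   # tree drawing and '('
        token = body.split(" ", 1)[0] if body else ""
        parts = token.split(":")
        if len(parts) == 5:       # g:a:packaging:version:scope
            g, a, _pkg, ver, scope = parts
        elif len(parts) == 6:     # g:a:packaging:classifier:version:scope
            g, a, _pkg, _cls, ver, scope = parts
        else:
            continue              # root module line or non-coordinate text
        if (g, a) != (group_id, artifact_id):
            continue
        pv = parse_version(ver)
        found.append(Occurrence(
            version=ver,
            scope=scope,
            affected=AFFECTED_LOW <= pv < FIXED_IN,
            shipped=scope in SHIPPED_SCOPES,
            omitted="omitted for" in line,
        ))
    return found


def triage(tree_text):
    """Bucket occurrences: shipped-and-affected, build-only, omitted, clean."""
    occ = find_occurrences(tree_text)
    live = [o for o in occ if o.affected and not o.omitted]
    return {
        "ship_risk": [o for o in live if o.shipped],
        "build_only": [o for o in live if not o.shipped],
        "omitted": [o for o in occ if o.affected and o.omitted],
        "clean": [o for o in occ if not o.affected],
    }


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_TREE).items():
        for o in items:
            print(f"{bucket:10s} junit:junit:{o.version} ({o.scope})")
```

On the sample, the only affected version that is actually resolved sits in `test` scope, so it lands in `build_only`, which is exactly the "sole risk would be during builds" conclusion; the `4.12:compile` node is reported separately as `omitted` because Maven's nearest-wins resolution discarded it. To run it on a real module, feed it the output of `mvn dependency:tree -Dverbose` from that module's directory; an empty `ship_risk` bucket plus a non-empty `build_only` bucket is the signal that a dependency-scanner alert does not translate to a distributed-artifact exposure.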

@github-actions
Contributor

github-actions bot commented Nov 9, 2025

We're closing this stale PR because it has been open for 100 days with no activity. This isn't a judgement on the merit of the PR in any way. It's just a way of keeping the PR queue manageable.
If you feel like this was a mistake, or you would like to continue working on it, please feel free to re-open it and ask for a committer to remove the stale tag and review again.
Thanks all for your contribution.

@github-actions github-actions bot added the Stale label Nov 9, 2025
@github-actions github-actions bot closed this Nov 10, 2025