HIVE-25054: (2.3) Drop vulnerable jodd-core dependency #5151
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pan3793
commented
Mar 21, 2024
| @@ -1119,6 +1118,7 @@ | |||
| <exclude>**/*.html</exclude> | |||
| <exclude>**/sit</exclude> | |||
| <exclude>**/test/queries/**/*.sql</exclude> | |||
| <exclude>**/ql/io/parquet/timestamp/datetime/**</exclude> | |||
There was a problem hiding this comment.
according to https://www.apache.org/legal/src-headers.html#3party, we should not add AL2 license header to the copied source files
6 tasks
pan3793
force-pushed
the
HIVE-25054-2.3-2
branch
from
e02f7fe
to
8959bc0
Compare
|
Thanks for your approval, @sunchao |
|
Thanks @pan3793 ! |
dongjoon-hyun
pushed a commit
to apache/spark
that referenced
this pull request
May 10, 2024
### What changes were proposed in this pull request? Remove a jar that has CVE GHSA-jrg3-qq99-35g7 ### Why are the changes needed? Previously, `jodd-core` came from Hive transitive deps, while apache/hive#5151 (Hive 2.3.10) cut it out, so we can remove it from Spark now. ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? Pass GA. ### Was this patch authored or co-authored using generative AI tooling? No. Closes #46520 from pan3793/SPARK-48230. Authored-by: Cheng Pan <chengpan@apache.org> Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
JacobZheng0927
pushed a commit
to JacobZheng0927/spark
that referenced
this pull request
May 11, 2024
### What changes were proposed in this pull request? Remove a jar that has CVE GHSA-jrg3-qq99-35g7 ### Why are the changes needed? Previously, `jodd-core` came from Hive transitive deps, while apache/hive#5151 (Hive 2.3.10) cut it out, so we can remove it from Spark now. ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? Pass GA. ### Was this patch authored or co-authored using generative AI tooling? No. Closes apache#46520 from pan3793/SPARK-48230. Authored-by: Cheng Pan <chengpan@apache.org> Signed-off-by: Dongjoon Hyun <dhyun@apple.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
This is an alternative to #4923 to address jodd CVE.
Hive uses jodd's JDateTime to handle Julian's calendar in processing Parquet timestamp, while the calendar is tricky and bugly stuff, considering that branch-2.3 has been in maintaining mode for a long time, I prefer to copy the corresponding code to avoid involving any unexpected behavior change.
Why are the changes needed?
To address CVE-2018-21234.
Jodd CVE is listed in https://issues.apache.org/jira/browse/SPARK-44757 top 1, with a score 9.8.
Does this PR introduce any user-facing change?
No.
Is the change a dependency upgrade?
No.
How was this patch tested?
UT