[HUDI-5071] Upgrade com.google.guava:guava to 30.0-jre #6962

Closed
lxxawfl wants to merge 1 commit into apache:master from lxxawfl:oscs_fix_cd5s3lgau51t5k2gfif0

Conversation

@lxxawfl
Contributor

@lxxawfl lxxawfl commented Oct 16, 2022

Change Logs

There is 1 security vulnerability found in com.google.guava:guava 12.0.1

  • CVE-2018-10237. This PR upgrades com.google.guava:guava from 12.0.1 to 30.0-jre to fix the vulnerability.

Impact

Fix guava security vulnerability.

Risk level (write none, low, medium or high below)

medium

Documentation Update

N/A

Contributor's checklist

  • Read through contributor's guide
  • Change Logs and Impact were stated clearly
  • Adequate tests were added if applicable
  • CI passed

@hudi-bot
Collaborator

CI report:

Bot commands: @hudi-bot supports the following commands:
  • @hudi-bot run azure: re-run the last Azure build

@nsivabalan nsivabalan added the labels dependencies (Dependency updates) and priority:critical (Production degraded; pipelines stalled) on Oct 21, 2022
@codope codope changed the title from "fix(sec): upgrade com.google.guava:guava to 30.0-jre" to "[HUDI-5071] Upgrade com.google.guava:guava to 30.0-jre" on Oct 22, 2022
@codope
Member

codope commented Oct 22, 2022

@lxxawfl Thanks for this fix. Unfortunately, if we upgrade guava here then it will run into a conflict when we upgrade the hudi-presto-bundle version in prestodb https://github.com/prestodb/presto/blob/0.277/pom.xml#L1263. I tried to build presto with hudi-presto-bundle incorporating this fix and it ran into the following build failure:

[INFO] --- duplicate-finder-maven-plugin:1.2.1:check (default) @ presto-hive ---
[INFO] Checking compile classpath
[INFO] Checking runtime classpath
[INFO] Checking test classpath
[WARNING] Found duplicate and different classes in [com.google.guava:guava:26.0-jre, org.apache.hudi:hudi-presto-bundle:0.13.0-SNAPSHOT]:
[WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixPatterns
[WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixType
[WARNING]   com.google.thirdparty.publicsuffix.TrieParser
[WARNING] Found duplicate classes/resources in compile classpath.
[WARNING] Found duplicate and different classes in [com.google.guava:guava:26.0-jre, org.apache.hudi:hudi-presto-bundle:0.13.0-SNAPSHOT]:
[WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixPatterns
[WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixType
[WARNING]   com.google.thirdparty.publicsuffix.TrieParser
[WARNING] Found duplicate classes/resources in runtime classpath.
[WARNING] Found duplicate and different classes in [com.google.guava:guava:26.0-jre, org.apache.hudi:hudi-presto-bundle:0.13.0-SNAPSHOT]:
[WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixPatterns
[WARNING]   com.google.thirdparty.publicsuffix.PublicSuffixType
[WARNING]   com.google.thirdparty.publicsuffix.TrieParser
[WARNING] Found duplicate classes/resources in test classpath.
...
...
[ERROR] Failed to execute goal org.basepom.maven:duplicate-finder-maven-plugin:1.2.1:check (default) on project presto-hive: Found duplicate classes/resources! -> [Help 1]

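Two checks a practitioner wants when reading the description above (Guava 12.0.1, CVE-2018-10237) together with the duplicate-finder output in this comment: which Guava a shaded bundle actually ships, whether that version falls in the CVE's affected range, and which classes the bundle and a consumer's own Guava both carry with differing bytecode (the plugin's "duplicate and different" condition). This is an added example, not Hudi or Presto code. It assumes Maven's META-INF/maven/com.google.guava/guava/pom.properties survived shading, takes the affected range 11.0 <= v < 24.1.1 from the CVE description rather than from this page, and builds two small constructed jars inline (the relocation under org.apache.hudi.com.google.common is a constructed illustration, not a statement about the real bundle):

```python
"""Check what Guava a shaded bundle really ships, and find the class clashes
duplicate-finder-maven-plugin would report against a consumer's own Guava."""
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Maven writes this file into every jar it builds; shaded bundles usually keep
# the copies from the jars they absorbed, so it reveals the embedded version.
GUAVA_POM_PROPS = "META-INF/maven/com.google.guava/guava/pom.properties"

# Affected range taken from the CVE-2018-10237 description (11.0 up to, but not
# including, 24.1.1). Assumption for this example, not stated on the PR page.
CVE_2018_10237_FIRST = (11, 0, 0)
CVE_2018_10237_FIXED = (24, 1, 1)


def parse_guava_version(version: str) -> Tuple[int, int, int]:
    """'24.1.1-jre' -> (24, 1, 1); the -jre/-android classifier is dropped."""
    numeric = version.split("-", 1)[0]
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def affected_by_cve_2018_10237(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    v = parse_guava_version(version)
    return CVE_2018_10237_FIRST <= v < CVE_2018_10237_FIXED


def embedded_guava_version(jar: bytes) -> Optional[str]:
    """Version recorded in the jar's Guava pom.properties, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        if GUAVA_POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(GUAVA_POM_PROPS).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def _class_entries(jar: bytes) -> Dict[str, bytes]:
    """Map dotted class name -> bytecode for every .class entry in the jar."""
    out: Dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and not name.startswith("META-INF/"):
                out[name[: -len(".class")].replace("/", ".")] = zf.read(name)
    return out


def class_overlap(jar_a: bytes, jar_b: bytes) -> Tuple[List[str], List[str]]:
    """Classes present in both jars, split into identical and differing bytecode.
    The second list is what the plugin reports as 'duplicate and different'."""
    a, b = _class_entries(jar_a), _class_entries(jar_b)
    shared = sorted(set(a) & set(b))
    identical = [c for c in shared if a[c] == b[c]]
    different = [c for c in shared if a[c] != b[c]]
    return identical, different


def _make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar (a zip) from name -> content pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars, not real artifacts. The class "bytecode" is a short
# placeholder; only byte equality matters for the comparison.
CONSUMER_GUAVA = _make_jar({
    GUAVA_POM_PROPS: b"version=26.0-jre\ngroupId=com.google.guava\nartifactId=guava\n",
    "com/google/common/base/Preconditions.class": b"\xca\xfe\xba\xbe Preconditions@26",
    "com/google/common/annotations/GwtCompatible.class": b"\xca\xfe\xba\xbe GwtCompatible",
    "com/google/thirdparty/publicsuffix/TrieParser.class": b"\xca\xfe\xba\xbe TrieParser@26",
})
SHADED_BUNDLE = _make_jar({
    GUAVA_POM_PROPS: b"version=12.0.1\ngroupId=com.google.guava\nartifactId=guava\n",
    # com.google.common relocated under the bundle's own package (assumed): no clash
    "org/apache/hudi/com/google/common/base/Preconditions.class": b"\xca\xfe\xba\xbe Preconditions@12",
    "com/google/common/annotations/GwtCompatible.class": b"\xca\xfe\xba\xbe GwtCompatible",
    # com.google.thirdparty left unrelocated: clashes with the consumer's copy
    "com/google/thirdparty/publicsuffix/TrieParser.class": b"\xca\xfe\xba\xbe TrieParser@12",
    "org/apache/hudi/Example.class": b"\xca\xfe\xba\xbe Example",
})


def audit(bundle: bytes, consumer_guava: bytes) -> Dict[str, object]:
    """Summarise embedded version, CVE exposure and class clashes for a bundle."""
    version = embedded_guava_version(bundle)
    identical, different = class_overlap(consumer_guava, bundle)
    return {
        "embedded_guava": version,
        "cve_2018_10237": affected_by_cve_2018_10237(version) if version else None,
        "duplicate_identical": identical,
        "duplicate_different": different,
    }


if __name__ == "__main__":
    for key, value in audit(SHADED_BUNDLE, CONSUMER_GUAVA).items():
        print(f"{key}: {value}")
```

To run it against real artifacts, pass `Path("hudi-presto-bundle.jar").read_bytes()` and the consumer's `guava-26.0-jre.jar` to `audit`. A `None` version does not prove Guava is absent: a shade configuration that excludes META-INF/maven removes the marker while the classes stay, so fall back to `class_overlap` and look for unrelocated `com.google.*` entries. Only differing bytecode breaks the Presto build, which is why the relocated `Preconditions` and the byte-identical `GwtCompatible` in the sample do not appear in the second list.
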
@codope
Member

codope commented Nov 3, 2022

I don't think we can get rid of Guava right away as HBase depends on Guava. I tried but ran into issues with a Precondition class conflict when querying a Hudi table with metadata enabled. And we cannot upgrade directly because HBase depends on a particular version of guava that is used by hadoop (more specifically hadoop-common). When we upgrade to Hadoop 3 then guava will automatically get upgraded to version 27, which is compatible with that in Presto. So, IMO we should wait until we have upgraded Hadoop libs in Hudi. https://issues.apache.org/jira/browse/HUDI-2955 tracks the effort.

@codope codope added the label priority:high (Significant impact; potential bugs) and removed priority:critical (Production degraded; pipelines stalled) on Nov 7, 2022
@nsivabalan nsivabalan added the label release-0.12.2 (Patches targetted for 0.12.2) on Dec 6, 2022
@codope codope removed the label release-0.12.2 (Patches targetted for 0.12.2) on Dec 7, 2022
@bvaradar bvaradar self-assigned this Feb 18, 2023
@bvaradar
Contributor

bvaradar commented Mar 1, 2023

@codope @yihua : Should this PR be closed ?

@github-actions github-actions bot added the label size:XS (PR with lines of changes in <= 10) on Feb 26, 2024
@yihua
Contributor

yihua commented Jun 23, 2024

Closing this PR. We'll revisit the guava update after Hadoop and Spark dependency upgrades.

Labels

dependencies (Dependency updates); priority:high (Significant impact; potential bugs); size:XS (PR with lines of changes in <= 10)

6 participants