reverting jackson version bump for sql

[jerrypeng]

Motivation

Bumping Jackson version to 2.9.7 breaks the Presto pulsar connector since the presto version we are using packages Jackson 2.8.1 via Airlift.

In the latest version of Airlift (version 88), Jackson 2.8.1 is packaged but presto is yet to release a version with the latest Airlift version. We will have to wait for a presto version that includes that version or later of Airlift.

I also added additional checks to presto pulsar integration test that covers that functionality that was broken because of this issue

[merlimat]

👍

[merlimat]

@jerrypeng this doesn't need to be backported to 2.2.1, right?

[jerrypeng]

@merlimat yes

[rdhabalia]

umm.. instead reverting, can't we make fix in presto distribution because that's what we want ultimately. I think jackson-databind upgrade is somewhat required due to vulnerability issue and multiple org including Oath enforces to use fixed version.
if you really don't want to fix it in presto right now, then let's upgrade to 2.8.11.1 which also has the fix.

[srkukarni]

Agreed with @rdhabalia.

[jerrypeng]

@rdhabalia sounds good, I have changed the jackson databind dependency to be 2.8.11.1 to include the fix for the vulnerability. The current presto version we use is tested with jackson 2.8.x.x so I would rather keep that version for now until presto releases a version using jackson 2.9.x.x

[rdhabalia]

why can't we use jackson.version for all jackson dependencies ? I don't think there will be any issue because 2.8.11.1 has only data-bind change on top of 2.8.11. So, we might not need two separate versions.

[jerrypeng]

@rdhabalia there is only 2.8.11.1 for databind, there isn't that version for other jackson dependencies that aren't effect by this vulnerability.

[rdhabalia]

hmm.. I see.

[merlimat]

@rdhabalia This is just for presto, the rest of our modules are still with 2.9.x

.