apache / pinot

Apache Pinot - A realtime distributed OLAP datastore
https://pinot.apache.org/
Apache License 2.0

Downstream Dependencies of org.apache.pinot : pinot-jdbc-client : 0.12.1 have serious vulnerabilities #11060

Open efreem01 opened 1 year ago

efreem01 commented 1 year ago

We are using the pinot-jdbc-client : 0.12.1 and there are multiple downstream dependencies with serious, known vulnerabilities. We looked, and 0.12.1 is the latest version available. Can you please upgrade these dependencies?

com.google.guava : guava : 31.1-jre - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2976
com.google.protobuf : protobuf-java : 3.19.2 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3509
commons-httpclient : commons-httpclient : 3.1 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783
org.apache.calcite : calcite-core : 1.29.0 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39135
org.apache.calcite.avatica : avatica-core : 1.20.0 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36364
org.xerial.snappy : snappy-java : 1.1.8.2 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34453
org.yaml : snakeyaml : 1.29 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1471
io.netty : netty-handler : 4.1.92.final - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34462
org.webjars : swagger-ui : 3.23.11 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-25031

Jackie-Jiang commented 1 year ago

@soumitra-st Can you please take a look?

Related: #10311 cc @mayankshriv

soumitra-st commented 1 year ago

Collecting the upgrade versions based on the NIST recommendation:
com.google.guava:guava - 32.0.1
com.google.protobuf:protobuf-java - 3.19.6
commons-httpclient:commons-httpclient - no recommendation found
org.apache.calcite:calcite-core - 1.32.0
org.apache.calcite.avatica:avatica-core - 1.22.0
org.xerial.snappy:snappy-java - 1.1.10.1
org.yaml:snakeyaml - 2.0
io.netty:netty-handler - 4.1.94.Final
org.webjars:swagger-ui - 4.1.3

soumitra-st commented 1 year ago

Here are the versions of these dependencies in the latest Pinot codebase:
com.google.guava:guava:jar:30.1.1-jre
com.google.protobuf:protobuf-java:jar:3.22.0
commons-httpclient:commons-httpclient:jar:3.1
org.apache.calcite:calcite-core:jar:1.30.0
org.apache.calcite.avatica:avatica-core:jar:1.20.0
org.xerial.snappy:snappy-java:jar:1.1.10.1
org.yaml:snakeyaml:jar:2.0
io.netty:netty-handler:jar:4.1.94.Final
org.webjars:swagger-ui:jar:5.1.0

Hence the dependencies to upgrade are:
com.google.guava:guava - 32.0.1
org.apache.calcite:calcite-core - 1.32.0
org.apache.calcite.avatica:avatica-core - 1.22.0

soumitra-st commented 1 year ago

The Calcite upgrade is having issues: https://gist.github.com/rajagopr/f97663cc4bfb7212daae1d8eaa85462e. We are tracking the Calcite upgrade effort as a separate issue.

org.apache.calcite.avatica:avatica-core is a dependency of org.apache.calcite:calcite-core, so we need to upgrade calcite:
|  +- org.apache.calcite:calcite-core:jar:1.30.0:compile
|  |  +- org.apache.calcite:calcite-linq4j:jar:1.30.0:compile
|  |  +- com.esri.geometry:esri-geometry-api:jar:2.2.0:compile
|  |  +- org.apache.calcite.avatica:avatica-core:jar:1.20.0:compile
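The two checks done by hand in the comments above (comparing the codebase's dependency versions against the NIST-recommended minimums, and reading a `mvn dependency:tree` fragment to see that avatica-core only comes in transitively through calcite-core) can be automated. The script below is an added example, not code from the Pinot project or from anyone in this thread. The `SAMPLE_TREE` text is constructed in the `dependency:tree` line format quoted above with the versions the thread lists; the `example:app` root coordinate is a placeholder, and the version ordering is an approximation of Maven's ComparableVersion that treats `Final`/`ga`/`release` as a plain release and ranks other qualifiers (`-jre`, `-alpha`) below a release.

```python
import re

# Constructed sample in `mvn dependency:tree` format; the root coordinate is a
# placeholder, the dependency versions are the ones quoted in this thread.
SAMPLE_TREE = r"""
example:app:jar:1.0
+- org.apache.calcite:calcite-core:jar:1.30.0:compile
|  +- org.apache.calcite:calcite-linq4j:jar:1.30.0:compile
|  +- com.esri.geometry:esri-geometry-api:jar:2.2.0:compile
|  \- org.apache.calcite.avatica:avatica-core:jar:1.20.0:compile
+- com.google.guava:guava:jar:30.1.1-jre:compile
+- io.netty:netty-handler:jar:4.1.94.Final:compile
\- org.xerial.snappy:snappy-java:jar:1.1.10.1:compile
"""

# Minimum fixed versions as collected in the thread from the NIST entries.
MIN_FIXED = {
    "com.google.guava:guava": "32.0.1",
    "org.apache.calcite:calcite-core": "1.32.0",
    "org.apache.calcite.avatica:avatica-core": "1.22.0",
    "io.netty:netty-handler": "4.1.94.Final",
    "org.xerial.snappy:snappy-java": "1.1.10.1",
}

_RELEASE_ALIASES = {"final", "ga", "release"}


def parse_version(v: str) -> list:
    """Split a Maven version into (rank, number, qualifier) tokens.

    Numeric parts compare numerically, so 1.1.8.2 < 1.1.10.1 (a plain string
    compare would get this wrong). 'Final'/'ga'/'release' are dropped, matching
    Maven, which treats them as a normal release. Other qualifiers rank below
    a release; this is an approximation (Maven ranks e.g. '-sp' above it).
    """
    tokens = []
    for part in re.split(r"[.\-]", v):
        if part.isdigit():
            tokens.append((2, int(part), ""))
        elif part.lower() not in _RELEASE_ALIASES:
            tokens.append((0, 0, part.lower()))
    return tokens


def version_lt(a: str, b: str) -> bool:
    """True if Maven version a sorts strictly before b."""
    ta, tb = parse_version(a), parse_version(b)
    pad = (1, 0, "")  # implicit release token: above qualifiers, below numbers
    n = max(len(ta), len(tb))
    ta += [pad] * (n - len(ta))
    tb += [pad] * (n - len(tb))
    return ta < tb


_LINE = re.compile(r"^(?P<prefix>[\s|+\\-]*)(?P<coord>\S+)$")


def parse_tree(text: str) -> list:
    """Parse dependency:tree lines into dicts with the artifact's ancestor path.

    Depth is encoded by the 3-character '+- ' / '|  ' prefix groups; the root
    has no prefix. Coordinates are group:artifact:type[:classifier]:version[:scope].
    """
    entries, stack = [], []  # stack holds group:artifact of each ancestor
    for line in text.splitlines():
        line = line.rstrip()
        m = _LINE.match(line) if line.strip() else None
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        ga = f"{parts[0]}:{parts[1]}"
        version = parts[-1] if len(parts) == 4 else parts[-2]  # root has no scope
        del stack[depth:]
        entries.append({"ga": ga, "version": version, "path": list(stack)})
        stack.append(ga)
    return entries


def outdated(tree_text: str, minimums: dict) -> list:
    """Return (group:artifact, found, required, how-introduced) for every
    artifact in the tree whose version is below its minimum fixed version."""
    out = []
    for e in parse_tree(tree_text):
        req = minimums.get(e["ga"])
        if req and version_lt(e["version"], req):
            via = " -> ".join(e["path"][1:]) or "direct"  # drop the root
            out.append((e["ga"], e["version"], req, via))
    return out


if __name__ == "__main__":
    for ga, found, req, via in outdated(SAMPLE_TREE, MIN_FIXED):
        print(f"{ga}: {found} < {req} (via: {via})")
```

Run against the sample it reports exactly the three artifacts the comment above singled out: calcite-core and guava as direct dependencies, and avatica-core reached through calcite-core, which is why bumping avatica on its own is not an option here; netty-handler and snappy-java already meet their minimums and are not listed.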

soumitra-st commented 1 year ago

Created https://github.com/apache/pinot/pull/11115 for upgrading com.google.guava:guava to 32.0.1

soumitra-st commented 1 year ago

@efreem01 - The PR for upgrading guava has been merged. However, the formal Apache release of pinot-jdbc-client may come in Aug/Sept, so if you want to pick the latest version before that, please consider building the jdbc client yourself.

efreem01 commented 1 year ago

Thank you so much for your help. We'll likely wait until the formal apache release comes out... but I'm thrilled at how attentive you were in addressing these security issues.

soumitra-st commented 1 year ago

> Thank you so much for your help. We'll likely wait until the formal apache release comes out... but I'm thrilled at how attentive you were in addressing these security issues.

We are hard at work to build enterprise grade Pinot, hence these issues are essential to resolve. Thanks for raising them!