opensearch-project / sql-jdbc

This is the driver for JDBC connectivity to a cluster running with OpenSearch SQL support.
Apache License 2.0

Fix CVEs #96

Closed GumpacG closed 1 year ago

GumpacG commented 1 year ago

Description

Issues Resolved

https://github.com/opensearch-project/sql-jdbc/issues/5

Check List

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Yury-Fridlyand commented 1 year ago

Can you update release notes?

mbg commented 1 year ago

Hi @GumpacG 👋🏻

I work on CodeQL and noticed that you referenced an issue over on the codeql repo, but that isn't quite the same issue you are encountering here. I see that you have a test dependency on org.eclipse.jetty:jetty-server:11.0.14 which is only compatible with Java 11+. Indeed, your Java build CI only builds with Java 11 and 17, but your Gradle build script suggests that Java 8 should be used. (I assume that while your tests require Java 11+, the library part of this project is still happy with Java 8+?)

Rather than pinning the older version of CodeQL and missing out on new features and improvements, I would suggest that you build with Java 11 or 17 in the CodeQL workflow as well. The easiest way to accomplish this would be with a manual build by replacing

    - name: Autobuild
      uses: github/codeql-action/autobuild@v2

with

    - name: Build
      run: |
        ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off clean
        ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off testClasses

This should give you the same results as with the automatic build, except that the default Java version on the system is used instead of the one that CodeQL infers based on your project configuration. In the case of the GHA runners, the default is currently Java 11.

To further improve the workflow's reliability, I would also recommend adding a setup-java step to explicitly install and make Java 11 the default (or whichever version of Java you would like to use for the CodeQL workflow).
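A complete CodeQL job assembled along the lines mbg suggests (manual Gradle build plus an explicit JDK), as an added example that is not part of the PR or the repository. The trigger branches, the actions/setup-java action with its Temurin distribution, and the action version tags are assumptions.

```yaml
# Added example, not the project's own workflow. Assumptions: branch name,
# actions/setup-java@v3 with the Temurin distribution, codeql-action @v2 tags.
name: CodeQL

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload CodeQL results
    steps:
      - uses: actions/checkout@v3

      # Make Java 11 the default JDK explicitly instead of relying on the
      # runner default, so the jetty-server 11 test dependency compiles.
      - name: Set up JDK 11
        uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: 11

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: java

      # Manual build replacing codeql-action/autobuild; flags copied from
      # the suggestion above. -Dorg.gradle.dependency.verification=off turns
      # Gradle's dependency verification off for this analysis build.
      - name: Build
        run: |
          ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off clean
          ./gradlew --no-daemon -S -Dorg.gradle.dependency.verification=off testClasses

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```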

GumpacG commented 1 year ago

I tested and the suggested solution worked. I'll update. Thanks @mbg.