ARROW-16996: [Java] Configure Netty/GRPC/Protobuf base on BOM configuration + upgrade of dependencies by CVE #13544

davisusanibar · 2022-07-08T00:36:15Z

Configure Netty/GRPC/Protobuf base on BOM Bill Of Material configuration to dependencies versions be added by configuration (Bill Of Materials (BOM) pom netty/netty#5994).
Upgrade Netty/GRPC/Protobuf dependencies. Netty CVE

…Netty/GRPC/Protobuf dependencies

github-actions · 2022-07-08T00:36:31Z

https://issues.apache.org/jira/browse/ARROW-16996

lidavidm

Thanks!

lidavidm · 2022-07-08T14:38:37Z

Hmm, something about the build is off though.

lidavidm · 2022-07-08T14:39:38Z

java/flight/flight-core/pom.xml

        <dependency>
          <groupId>io.netty</groupId>
          <artifactId>netty-transport-native-unix-common</artifactId>
-          <version>${dep.netty.version}</version>


Seems this is required, at least judging by the build?

From some searching, it seems dependencyManagement may not get inherited by profiles, so we'll need to explicitly reference the version here still.

What will be the impact if we only use io.netty:netty-transport-native-unix-common:4.1.78.Final instead of io.netty:netty-transport-native-unix-common:osx-x86_64:4.1.78.Final? Is there some reason to why we use that?

I am building and testing code without -osx / -linux and it finished without problems.

You need the platform specific code since this is a JNI library.

That said our tests might not actually hit any of the platform-specific paths

That said our tests might not actually hit any of the platform-specific paths

Does it mean that we still need the platform-specific JNI library for actual usages? Or, do we ever need no the JNI libraries for both test and actual usages?

We currently do not need the Netty JNI libraries for tests, because we aren't properly testing those paths (ARROW-17024). For actual use, they are only required if the application is using domain sockets, or wants to manually configure Netty to use epoll/kqueue. The application can always explicitly add the necessary dependencies.

I see. I will remove this code to download the Netty JNI binaries from the build script for s390x.

lidavidm · 2022-07-08T15:05:04Z

If we're going to remove the profiles please update the docs too.

davisusanibar · 2022-07-08T16:29:43Z

Is github-actions crossbow submit java-jars run needed? How do you evaluate if this is needed?

lidavidm · 2022-07-08T16:56:01Z

It's usually fine unless we're changing something about how the JARs are built

davisusanibar · 2022-07-08T17:14:00Z

If we're going to remove the profiles please update the docs too.

Added

lidavidm · 2022-07-08T20:22:58Z

I just noticed. Why are all tests skipped?

lidavidm · 2022-07-08T20:29:16Z

Never mind, they get run at the end. However:


[INFO] Running org.apache.arrow.flight.TestServerOptions
Warning:  Tests run: 5, Failures: 0, Errors: 0, Skipped: 1, Time elapsed: 0.033 s - in org.apache.arrow.flight.TestServerOptions

The test that exercises the Netty-with-native-utils path is getting skipped

lidavidm · 2022-07-08T20:29:52Z

That said they're getting skipped on HEAD too so I'll file a ticket to investigate that.

lidavidm · 2022-07-08T20:31:33Z

https://issues.apache.org/jira/browse/ARROW-17024

kou · 2022-07-15T21:21:00Z

@kiszk Could you upload protoc-gen-grpc-java 1.47.0 for s390x to https://apache.jfrog.io/ui/native/arrow/protoc-gen-grpc-java-binary/ to fix a Travis CI job failure?

e.g.: https://app.travis-ci.com/github/apache/arrow/jobs/576822591#L2933

[ERROR] Failed to execute goal org.xolstice.maven.plugins:protobuf-maven-plugin:0.6.1:compile-custom (src) on project flight-core: Unable to resolve artifact: Missing:
[ERROR] ----------
[ERROR] 1) io.grpc:protoc-gen-grpc-java:exe:linux-s390_64:1.47.0
[ERROR] 
[ERROR]   Try downloading the file manually from the project website.
[ERROR] 
[ERROR]   Then, install it using the command: 
[ERROR]       mvn install:install-file -DgroupId=io.grpc -DartifactId=protoc-gen-grpc-java -Dversion=1.47.0 -Dclassifier=linux-s390_64 -Dpackaging=exe -Dfile=/path/to/file
[ERROR] 
[ERROR]   Alternatively, if you host your own repository you can deploy the file there: 
[ERROR]       mvn deploy:deploy-file -DgroupId=io.grpc -DartifactId=protoc-gen-grpc-java -Dversion=1.47.0 -Dclassifier=linux-s390_64 -Dpackaging=exe -Dfile=/path/to/file -Durl=[url] -DrepositoryId=[id]
[ERROR] 
[ERROR]   Path to dependency: 
[ERROR]   	1) org.apache.arrow:flight-core:jar:9.0.0-SNAPSHOT
[ERROR]   	2) io.grpc:protoc-gen-grpc-java:exe:linux-s390_64:1.47.0
[ERROR] 
[ERROR] ----------
[ERROR] 1 required artifact is missing.

kiszk · 2022-07-16T07:54:07Z

I will do it this weekend.

kiszk · 2022-07-17T09:51:33Z

When I prepare the required binaries at my end, the build process on s390x goes forward. But, I got the following error while the build on x86_64 did not fail.

I am investigating why this error occurs.

% mvn -B -DskipTests -Drat.skip=true  -Dcheckstyle.skip -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn  install -rf :flight-sql
...
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/usr/share/maven/lib/guice.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Detecting the operating system and CPU architecture
[INFO] ------------------------------------------------------------------------
[INFO] os.detected.name: linux
[INFO] os.detected.arch: s390_64
[INFO] os.detected.bitness: 64
[INFO] os.detected.version: 5.4
[INFO] os.detected.version.major: 5
[INFO] os.detected.version.minor: 4
[INFO] os.detected.release: ubuntu
[INFO] os.detected.release.version: 20.04
[INFO] os.detected.release.like.ubuntu: true
[INFO] os.detected.release.like.debian: true
[INFO] os.detected.classifier: linux-s390_64
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO] 
[INFO] Arrow Flight SQL                                                   [jar]
[INFO] Arrow Flight Integration Tests                                     [jar]
[INFO] Arrow AVRO Adapter                                                 [jar]
[INFO] Arrow Algorithms                                                   [jar]
[INFO] Arrow Performance Benchmarks                                       [jar]
[INFO] 
[INFO] --------------------< org.apache.arrow:flight-sql >---------------------
[INFO] Building Arrow Flight SQL 9.0.0-SNAPSHOT                           [1/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- apache-rat-plugin:0.13:check (rat-checks) @ flight-sql ---
[INFO] RAT will not execute since it is configured to be skipped via system property 'rat.skip'.
[INFO] 
[INFO] --- maven-checkstyle-plugin:3.1.0:check (validate) @ flight-sql ---
[INFO] 
[INFO] --- git-commit-id-plugin:2.2.2:revision (for-jars) @ flight-sql ---
[INFO] 
[INFO] --- maven-remote-resources-plugin:1.5:process (process-resource-bundles) @ flight-sql ---
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ flight-sql ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/ishizaki/Arrow/arrow-java-clean/java/flight/flight-sql/src/main/resources
[INFO] Copying 3 resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.10.1:compile (default-compile) @ flight-sql ---
[INFO] Nothing to compile - all classes are up to date
[INFO] 
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ flight-sql ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/ishizaki/Arrow/arrow-java-clean/java/flight/flight-sql/src/test/resources
[INFO] Copying 3 resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.10.1:testCompile (default-testCompile) @ flight-sql ---
[INFO] Nothing to compile - all classes are up to date
[INFO] 
[INFO] --- maven-surefire-plugin:3.0.0-M3:test (default-test) @ flight-sql ---
[INFO] Tests are skipped.
[INFO] 
[INFO] --- maven-jar-plugin:3.0.0:jar (default-jar) @ flight-sql ---
[INFO] Building jar: /home/ishizaki/Arrow/arrow-java-clean/java/flight/flight-sql/target/flight-sql-9.0.0-SNAPSHOT.jar
[INFO] 
[INFO] --- maven-site-plugin:3.5.1:attach-descriptor (attach-descriptor) @ flight-sql ---
[INFO] 
[INFO] --- maven-jar-plugin:3.0.0:test-jar (default) @ flight-sql ---
[INFO] Building jar: /home/ishizaki/Arrow/arrow-java-clean/java/flight/flight-sql/target/flight-sql-9.0.0-SNAPSHOT-tests.jar
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0-M2:enforce (avoid_bad_dependencies) @ flight-sql ---
[INFO] 
[INFO] --- maven-dependency-plugin:3.0.1:analyze-only (analyze) @ flight-sql ---
[WARNING] Used undeclared dependencies found:
[WARNING]    io.grpc:grpc-stub:jar:1.47.0:compile
[WARNING]    io.grpc:grpc-api:jar:1.47.0:compile
[WARNING]    io.grpc:grpc-protobuf:jar:1.47.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Arrow Flight SQL 9.0.0-SNAPSHOT:
[INFO] 
[INFO] Arrow Flight SQL ................................... FAILURE [  2.677 s]
[INFO] Arrow Flight Integration Tests ..................... SKIPPED
[INFO] Arrow AVRO Adapter ................................. SKIPPED
[INFO] Arrow Algorithms ................................... SKIPPED
[INFO] Arrow Performance Benchmarks ....................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.894 s
[INFO] Finished at: 2022-07-17T09:46:40Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.0.1:analyze-only (analyze) on project flight-sql: Dependency problems found -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
% mvn --version
Apache Maven 3.6.3
Maven home: /usr/share/maven
Java version: 11.0.13, vendor: Ubuntu, runtime: /usr/lib/jvm/java-11-openjdk-s390x
Default locale: en_US, platform encoding: ANSI_X3.4-1968
OS name: "linux", version: "5.4.0-110-generic", arch: "s390x", family: "unix"
% java --version
openjdk 11.0.13 2021-10-19
OpenJDK Runtime Environment (build 11.0.13+8-Ubuntu-0ubuntu1.20.04)
OpenJDK 64-Bit Server VM (build 11.0.13+8-Ubuntu-0ubuntu1.20.04, mixed mode)
% git log | head -1
commit af4db7731b1f857e78221c53c2d8221849b1eeec

lidavidm · 2022-07-17T13:43:00Z

@kiszk thank you very much for taking a look.

I think that error will go away if you rebase? This recent commit removes those dependencies because they are transitive dependencies: 1fd3593

lidavidm · 2022-07-17T13:44:04Z

Oh wait. I read it backwards, sorry. Hmm, it looks like something is generating gRPC/Protobuf code inside flight-sql? Or maybe we need to make those dependencies platform-dependent.

kiszk · 2022-07-17T16:11:42Z

When I execute only analyze-only, an error does not occur...

% mvn -B -DskipTests -Drat.skip=true  -Dcheckstyle.skip -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn  dependency:analyze-only -rf :flight-sql
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/usr/share/maven/lib/guice.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Detecting the operating system and CPU architecture
[INFO] ------------------------------------------------------------------------
[INFO] os.detected.name: linux
[INFO] os.detected.arch: s390_64
[INFO] os.detected.bitness: 64
[INFO] os.detected.version: 5.4
[INFO] os.detected.version.major: 5
[INFO] os.detected.version.minor: 4
[INFO] os.detected.release: ubuntu
[INFO] os.detected.release.version: 20.04
[INFO] os.detected.release.like.ubuntu: true
[INFO] os.detected.release.like.debian: true
[INFO] os.detected.classifier: linux-s390_64
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO] 
[INFO] Arrow Flight SQL                                                   [jar]
[INFO] Arrow Flight Integration Tests                                     [jar]
[INFO] Arrow AVRO Adapter                                                 [jar]
[INFO] Arrow Algorithms                                                   [jar]
[INFO] Arrow Performance Benchmarks                                       [jar]
[INFO] 
[INFO] --------------------< org.apache.arrow:flight-sql >---------------------
[INFO] Building Arrow Flight SQL 9.0.0-SNAPSHOT                           [1/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.0.1:analyze-only (default-cli) @ flight-sql ---
[WARNING] Used undeclared dependencies found:
[WARNING]    io.grpc:grpc-stub:jar:1.47.0:compile
[WARNING]    io.grpc:grpc-api:jar:1.47.0:compile
[WARNING]    io.grpc:grpc-protobuf:jar:1.47.0:compile
[WARNING] Unused declared dependencies found:
[WARNING]    org.apache.derby:derby:jar:10.14.2.0:test
[WARNING]    org.slf4j:jul-to-slf4j:jar:1.7.25:test
[WARNING]    org.slf4j:jcl-over-slf4j:jar:1.7.25:test
[WARNING]    org.slf4j:log4j-over-slf4j:jar:1.7.25:test
[WARNING]    org.junit.platform:junit-platform-runner:jar:1.4.0:test
[WARNING]    org.junit.jupiter:junit-jupiter-engine:jar:5.4.0:test
[WARNING]    org.junit.jupiter:junit-jupiter-api:jar:5.4.0:test
[WARNING]    org.junit.vintage:junit-vintage-engine:jar:5.4.0:test
[WARNING]    org.mockito:mockito-junit-jupiter:jar:2.25.1:test
[WARNING]    ch.qos.logback:logback-classic:jar:1.2.3:test
[WARNING]    de.huxhorn.lilith:de.huxhorn.lilith.logback.appender.multiplex-classic:jar:0.9.44:test
[INFO] 
[INFO] -------------< org.apache.arrow:flight-integration-tests >--------------
[INFO] Building Arrow Flight Integration Tests 9.0.0-SNAPSHOT             [2/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.0.1:analyze-only (default-cli) @ flight-integration-tests ---
[WARNING] Unused declared dependencies found:
[WARNING]    org.slf4j:jul-to-slf4j:jar:1.7.25:test
[WARNING]    org.slf4j:jcl-over-slf4j:jar:1.7.25:test
[WARNING]    org.slf4j:log4j-over-slf4j:jar:1.7.25:test
[WARNING]    org.junit.platform:junit-platform-runner:jar:1.4.0:test
[WARNING]    org.junit.jupiter:junit-jupiter-engine:jar:5.4.0:test
[WARNING]    org.junit.jupiter:junit-jupiter-api:jar:5.4.0:test
[WARNING]    org.junit.vintage:junit-vintage-engine:jar:5.4.0:test
[WARNING]    junit:junit:jar:4.12:test
[WARNING]    org.mockito:mockito-junit-jupiter:jar:2.25.1:test
[WARNING]    ch.qos.logback:logback-classic:jar:1.2.3:test
[WARNING]    de.huxhorn.lilith:de.huxhorn.lilith.logback.appender.multiplex-classic:jar:0.9.44:test
[INFO] 
[INFO] --------------------< org.apache.arrow:arrow-avro >---------------------
[INFO] Building Arrow AVRO Adapter 9.0.0-SNAPSHOT                         [3/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.0.1:analyze-only (default-cli) @ arrow-avro ---
[WARNING] Unused declared dependencies found:
[WARNING]    org.apache.arrow:arrow-memory-netty:jar:9.0.0-SNAPSHOT:runtime
[WARNING]    org.slf4j:jul-to-slf4j:jar:1.7.25:test
[WARNING]    org.slf4j:jcl-over-slf4j:jar:1.7.25:test
[WARNING]    org.slf4j:log4j-over-slf4j:jar:1.7.25:test
[WARNING]    org.junit.platform:junit-platform-runner:jar:1.4.0:test
[WARNING]    org.junit.jupiter:junit-jupiter-engine:jar:5.4.0:test
[WARNING]    org.junit.vintage:junit-vintage-engine:jar:5.4.0:test
[WARNING]    org.mockito:mockito-junit-jupiter:jar:2.25.1:test
[WARNING]    ch.qos.logback:logback-classic:jar:1.2.3:test
[WARNING]    de.huxhorn.lilith:de.huxhorn.lilith.logback.appender.multiplex-classic:jar:0.9.44:test
[INFO] 
[INFO] ------------------< org.apache.arrow:arrow-algorithm >------------------
[INFO] Building Arrow Algorithms 9.0.0-SNAPSHOT                           [4/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.0.1:analyze-only (default-cli) @ arrow-algorithm ---
[WARNING] Unused declared dependencies found:
[WARNING]    org.apache.arrow:arrow-memory-netty:jar:9.0.0-SNAPSHOT:test
[WARNING]    org.slf4j:jul-to-slf4j:jar:1.7.25:test
[WARNING]    org.slf4j:jcl-over-slf4j:jar:1.7.25:test
[WARNING]    org.slf4j:log4j-over-slf4j:jar:1.7.25:test
[WARNING]    org.junit.platform:junit-platform-runner:jar:1.4.0:test
[WARNING]    org.junit.jupiter:junit-jupiter-engine:jar:5.4.0:test
[WARNING]    org.junit.vintage:junit-vintage-engine:jar:5.4.0:test
[WARNING]    org.mockito:mockito-junit-jupiter:jar:2.25.1:test
[WARNING]    ch.qos.logback:logback-classic:jar:1.2.3:test
[WARNING]    de.huxhorn.lilith:de.huxhorn.lilith.logback.appender.multiplex-classic:jar:0.9.44:test
[INFO] 
[INFO] -----------------< org.apache.arrow:arrow-performance >-----------------
[INFO] Building Arrow Performance Benchmarks 9.0.0-SNAPSHOT               [5/5]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.0.1:analyze-only (default-cli) @ arrow-performance ---
[WARNING] Unused declared dependencies found:
[WARNING]    org.openjdk.jmh:jmh-generator-annprocess:jar:1.21:provided
[WARNING]    org.apache.arrow:arrow-memory-netty:jar:9.0.0-SNAPSHOT:test
[WARNING]    org.slf4j:jul-to-slf4j:jar:1.7.25:test
[WARNING]    org.slf4j:jcl-over-slf4j:jar:1.7.25:test
[WARNING]    org.slf4j:log4j-over-slf4j:jar:1.7.25:test
[WARNING]    org.junit.platform:junit-platform-runner:jar:1.4.0:test
[WARNING]    org.junit.jupiter:junit-jupiter-engine:jar:5.4.0:test
[WARNING]    org.junit.jupiter:junit-jupiter-api:jar:5.4.0:test
[WARNING]    org.junit.vintage:junit-vintage-engine:jar:5.4.0:test
[WARNING]    junit:junit:jar:4.12:test
[WARNING]    org.mockito:mockito-junit-jupiter:jar:2.25.1:test
[WARNING]    ch.qos.logback:logback-classic:jar:1.2.3:test
[WARNING]    de.huxhorn.lilith:de.huxhorn.lilith.logback.appender.multiplex-classic:jar:0.9.44:test
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Arrow Flight SQL 9.0.0-SNAPSHOT:
[INFO] 
[INFO] Arrow Flight SQL ................................... SUCCESS [  0.457 s]
[INFO] Arrow Flight Integration Tests ..................... SUCCESS [  0.652 s]
[INFO] Arrow AVRO Adapter ................................. SUCCESS [  0.030 s]
[INFO] Arrow Algorithms ................................... SUCCESS [  0.029 s]
[INFO] Arrow Performance Benchmarks ....................... SUCCESS [  0.052 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.492 s
[INFO] Finished at: 2022-07-17T16:08:57Z
[INFO] ------------------------------------------------------------------------

kiszk · 2022-07-17T17:06:27Z

Sorry for my bad. After executing mvn clean, this error disappears. I will create a PR tomorrow.

kiszk · 2022-07-18T09:15:02Z

Submitted a PR #13632

kiszk · 2022-07-19T07:37:10Z

Now, the test passed.
@lidavidm @kou Thank you very much.

…ration + upgrade of dependencies by CVE (apache#13544) - Configure Netty/GRPC/Protobuf base on BOM Bill Of Material configuration to dependencies versions be added by configuration (netty/netty#5994). - Upgrade Netty/GRPC/Protobuf dependencies. Netty [CVE](GHSA-269q-hmxg-m83q) Authored-by: david dali susanibar arce <davi.sarces@gmail.com> Signed-off-by: David Li <li.davidm96@gmail.com>

… configuration + upgrade of dependencies by CVE (apache#13544)" This reverts commit 9b18459.

* DX-86156: Cherry pick a4a3d3f for apacheGH-39265 * Update README_DREMIO.md * ARROW-16996: [Java] Configure Netty/GRPC/Protobuf base on BOM configuration + upgrade of dependencies by CVE (apache#13544) - Configure Netty/GRPC/Protobuf base on BOM Bill Of Material configuration to dependencies versions be added by configuration (netty/netty#5994). - Upgrade Netty/GRPC/Protobuf dependencies. Netty [CVE](GHSA-269q-hmxg-m83q) Authored-by: david dali susanibar arce <davi.sarces@gmail.com> Signed-off-by: David Li <li.davidm96@gmail.com> * Revert "ARROW-16996: [Java] Configure Netty/GRPC/Protobuf base on BOM configuration + upgrade of dependencies by CVE (apache#13544)" This reverts commit 9b18459. * Update pom.xml Remove unused dependency. * apacheGH-38996: [Java] Update dependencies and plugins for JPMS modules (apache#38994) Update dependencies and plugins to versions that work correctly with JPMS modules. * Update several plugins to use module-enabled versions: * maven-compiler-plugin is updated to 3.11.0 * maven-shade-plugin is updated to 3.2.4 * maven-dependency-plugin is updated to 3.1.2 * CycloneDX is updated to 2.7.10 * Update grpc-java to 1.59 for module support * Update jackson to 2.16.0 as 2.15.1 had corrupt module-info.class files that broke module support. Existing tests only Users may need to update their own dependencies if they have the same ones. * Closes: apache#38996 Authored-by: James Duong <james.duong@improving.com> Signed-off-by: Sutou Kouhei <kou@clear-code.com> * Update README_DREMIO.md --------- Signed-off-by: David Li <li.davidm96@gmail.com> Signed-off-by: Sutou Kouhei <kou@clear-code.com> Co-authored-by: panbingkun <pbk1982@gmail.com> Co-authored-by: david dali susanibar arce <davi.sarces@gmail.com> Co-authored-by: James Duong <james.duong@improving.com>

…ration + upgrade of dependencies by CVE (apache#13544) - Configure Netty/GRPC/Protobuf base on BOM Bill Of Material configuration to dependencies versions be added by configuration (netty/netty#5994). - Upgrade Netty/GRPC/Protobuf dependencies. Netty [CVE](GHSA-269q-hmxg-m83q) Authored-by: david dali susanibar arce <davi.sarces@gmail.com> Signed-off-by: David Li <li.davidm96@gmail.com>

Configure Netty/GRPC/Protobuf base on BOM configuration + upgrade of …

28774c6

…Netty/GRPC/Protobuf dependencies

github-actions bot added the Component: Java label Jul 8, 2022

lidavidm approved these changes Jul 8, 2022

View reviewed changes

lidavidm reviewed Jul 8, 2022

View reviewed changes

Deleting mac/linux netty-native profiles

a8ac2b3

Deleting mac/linux netty-native profiles from documentation

338a8ab

github-actions bot added the Component: Documentation label Jul 8, 2022

lidavidm approved these changes Jul 8, 2022

View reviewed changes

lidavidm merged commit 17d6fdc into apache:master Jul 8, 2022

asfimport mentioned this pull request Jul 19, 2022

[Java] Upgrade netty-codec dependencies #32310

Closed

1 task

lriggs added a commit to lriggs/arrow that referenced this pull request Jan 9, 2024

Revert "ARROW-16996: [Java] Configure Netty/GRPC/Protobuf base on BOM…

be4c901

… configuration + upgrade of dependencies by CVE (apache#13544)" This reverts commit 9b18459.

ARROW-16996: [Java] Configure Netty/GRPC/Protobuf base on BOM configuration + upgrade of dependencies by CVE #13544

ARROW-16996: [Java] Configure Netty/GRPC/Protobuf base on BOM configuration + upgrade of dependencies by CVE #13544

Uh oh!

Conversation

davisusanibar commented Jul 8, 2022

Uh oh!

github-actions bot commented Jul 8, 2022

Uh oh!

lidavidm left a comment

Choose a reason for hiding this comment

Uh oh!

lidavidm commented Jul 8, 2022

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

lidavidm commented Jul 8, 2022

Uh oh!

davisusanibar commented Jul 8, 2022

Uh oh!

lidavidm commented Jul 8, 2022

Uh oh!

davisusanibar commented Jul 8, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

lidavidm commented Jul 8, 2022

Uh oh!

lidavidm commented Jul 8, 2022

Uh oh!

lidavidm commented Jul 8, 2022

Uh oh!

lidavidm commented Jul 8, 2022

Uh oh!

kou commented Jul 15, 2022

Uh oh!

kiszk commented Jul 16, 2022

Uh oh!

kiszk commented Jul 17, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

lidavidm commented Jul 17, 2022

Uh oh!

lidavidm commented Jul 17, 2022

Uh oh!

kiszk commented Jul 17, 2022

Uh oh!

kiszk commented Jul 17, 2022

Uh oh!

kiszk commented Jul 18, 2022

Uh oh!

kiszk commented Jul 19, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

davisusanibar commented Jul 8, 2022 •

edited

Loading

kiszk commented Jul 17, 2022 •

edited

Loading