Upgrade jackson-databind to 2.13.4.2 to address CVEs

[kfaraz]

CVEs:
CVE-2022-42004
CVE-2022-42003

Changes:

• Upgrade jackson-bom to 2.13.4.20221013
• Remove usage of methods deleted from latest version of jackson-databind

---

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added or updated version, license, or notice information in licenses.yaml

[FrankChen021]

FYI

There were two related PRs on this, we can close them once this is done.
#12411
#12373

And a PR before suppressed the CVE of jackson which I think we need to remove the suppression if this PR addresses the CVE:
#12535

[kfaraz]

Thanks for the tip, @FrankChen021 !
There are some backward incompatibility issues with this upgrade. I will try to get those resolved and close the older PRs.

[CookieAroundTheBend]

Hey @kfaraz I am also interested in getting past these CVE's.
What are some of the backward incompatibility issues you're seeing?

Thanks for your work on this!

[kfaraz]

Hi, @CookieAroundTheBend !
The latest version of jackson-databind has removed the method AnnotateMember.getGenericType() which was being used in the Druid code in the GuiceIntrospector. I need to find a way to make the introspector work with getRawType(), or getType(). Haven't spent much time on it though.

Please let me know if you have any ideas.

[CookieAroundTheBend]

@kfaraz We had Druid 0.20.2 working with newer Jackson where we did have to change that GuiceAnnotationIntrospector to use getRawType().

Unfortunately we are trying to apply the same patch to 0.22.1 and are seeing issues most likely stemming from that change.

Does this patch work for the latest Druid? Or are you seeing issues with what's in this branch as well?

[CookieAroundTheBend]

Suggested change

	return Key.get(m.getType(), guiceAnnotation);
	}
	return Key.get(getParamType(m), guiceAnnotation);
	}
	private Type getParamType(AnnotatedMember m) {
	if(m.getType().isContainerType()){
	return Types.newParameterizedType(m.getType().getRawClass(), m.getType().getContentType().getRawClass());
	}
	return m.getRawType();
	}

This seems to work for me (and of course changing the Key.get(m.getType()); to Key.get(getParamType(m)); on line 61.

But this was on version 0.22.1 and I'm not sure if this is as robust handling that could be needed.

[CookieAroundTheBend]

This is needed for the changes for the StorageSelection
https://github.com/apache/druid/pull/10363/files#diff-6bf786a6df7322201eee2b85d1a1857fc89af11af98c47be9c97449627d0673f

[kfaraz]

Thanks for the suggestion, @CookieAroundTheBend ! I will try to spend some time on this and get it resolved soon.

[xvrl]

@kfaraz do you have any plans to push this over the finish line?

[kfaraz]

Not at the moment, @xvrl . I have been occupied with a few other tasks. I am okay if you would like to take it up.

[kfaraz]

There is a new PR #14770 which should address this.

[xvrl]

@kfaraz should we close this PR?

[kfaraz]

Yes, @xvrl , we can close this for now.