From 2e129d7179670eaaf2ade24323ee15cb8e81e272 Mon Sep 17 00:00:00 2001
From: Chi Cao Minh <chi.caominh@imply.io>
Date: Fri, 29 Nov 2019 15:32:59 -0800
Subject: [PATCH 1/3] Address security vulnerabilities CVSS >= 7

Update dependencies to address security vulnerabilities with CVSS scores
of 7 or higher. A new Travis CI job is added to prevent new
high/critical security vulnerabilities from being added.

Updated dependencies:
- api-util 1.0.0 -> 1.0.3
- jackson 2.9.10 -> 2.10.1
- kafka 2.1.0 -> 2.1.1
- libthrift 0.10.0 -> 0.13.0
- protobuf 3.2.0 -> 3.11.0

The following high/critical security vulnerabilities are currently
suppressed (so that the new Travis CI job can be added now) and are left
as future work to fix:
- hibernate-validator:5.2.5
- jackson-mapper-asl:1.9.13
- libthrift:0.6.1
- netty:3.10.6
- nimbus-jose-jwt:4.41.1
---
 .travis.yml                                   |  12 ++
 benchmarks/pom.xml                            |   7 +
 .../input/impl/prefetch/JsonIterator.java     |   4 +-
 distribution/bin/check-licenses.py            |   5 +
 distribution/pom.xml                          |   9 +-
 .../ambari-metrics-emitter/pom.xml            |  22 ++
 extensions-contrib/cassandra-storage/pom.xml  |  10 +
 .../movingaverage/MovingAverageQueryTest.java |   7 +-
 extensions-contrib/thrift-extensions/pom.xml  |   2 +-
 .../druid/security/basic/BasicAuthUtils.java  |  12 +-
 .../kafka-extraction-namespace/pom.xml        |   4 -
 extensions-core/protobuf-extensions/pom.xml   |   6 +-
 integration-tests/pom.xml                     |  11 +-
 .../CoordinatorResourceTestClient.java        |   5 +-
 .../ITBasicAuthConfigurationTest.java         |   4 +-
 licenses.yaml                                 |  44 +++-
 licenses/bin/jakarta.activation-api.EDL1      |  13 ++
 owasp-dependency-check-suppressions.xml       | 198 ++++++++++++++++++
 pom.xml                                       |  25 ++-
 .../SQLMetadataStorageActionHandler.java      |  12 +-
 .../query/ResultLevelCachingQueryRunner.java  |   2 +-
 .../server/coordinator/HttpLoadQueuePeon.java |  16 +-
 services/pom.xml                              |  16 ++
 23 files changed, 392 insertions(+), 54 deletions(-)
 create mode 100644 licenses/bin/jakarta.activation-api.EDL1
 create mode 100644 owasp-dependency-check-suppressions.xml

diff --git a/.travis.yml b/.travis.yml
index f4aa88b4bdcc..a0ad65bdb1fe 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -114,6 +114,18 @@ jobs:
         https://maven.apache.org/plugins/maven-dependency-plugin/analyze-mojo.html
         "
 
+    - name: "security vulnerabilities"
+      install: skip
+      script: ${MVN} dependency-check:check
+      after_failure: |-
+        echo "FAILURE EXPLANATION:
+
+        The OWASP dependency check has found security vulnerabilities. Please use a newer version
+        of the dependency that does not have vulenerabilities. If the analysis has false positives,
+        they can be suppressed by adding entries to owasp-dependency-check-suppressions.xml (for more
+        information, see https://jeremylong.github.io/DependencyCheck/general/suppression.html).
+        "
+
     - &package
       name: "(openjdk8) packaging check"
       install: skip
diff --git a/benchmarks/pom.xml b/benchmarks/pom.xml
index 027f81f67375..9b85b21cf10e 100644
--- a/benchmarks/pom.xml
+++ b/benchmarks/pom.xml
@@ -216,6 +216,13 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <configuration>
+          <skip>true</skip>
+        </configuration>
+      </plugin>
     </plugins>
     <pluginManagement>
       <plugins>
diff --git a/core/src/main/java/org/apache/druid/data/input/impl/prefetch/JsonIterator.java b/core/src/main/java/org/apache/druid/data/input/impl/prefetch/JsonIterator.java
index 6bd56cbc2a6e..2a241f66de7c 100644
--- a/core/src/main/java/org/apache/druid/data/input/impl/prefetch/JsonIterator.java
+++ b/core/src/main/java/org/apache/druid/data/input/impl/prefetch/JsonIterator.java
@@ -43,7 +43,7 @@ public class JsonIterator<T> implements Iterator<T>, Closeable
 {
   private JsonParser jp;
   private ObjectCodec objectCodec;
-  private final TypeReference typeRef;
+  private final TypeReference<T> typeRef;
   private final InputStream inputStream;
   private final Closeable resourceCloser;
   private final ObjectMapper objectMapper;
@@ -55,7 +55,7 @@ public class JsonIterator<T> implements Iterator<T>, Closeable
    * @param objectMapper   object mapper, used for deserialization
    */
   public JsonIterator(
-      TypeReference typeRef,
+      TypeReference<T> typeRef,
       InputStream inputStream,
       Closeable resourceCloser,
       ObjectMapper objectMapper
diff --git a/distribution/bin/check-licenses.py b/distribution/bin/check-licenses.py
index cbbcf3c18311..aad34cb5ca3d 100755
--- a/distribution/bin/check-licenses.py
+++ b/distribution/bin/check-licenses.py
@@ -239,6 +239,7 @@ def build_compatible_license_names():
     compatible_licenses['The BSD 3-Clause License'] = 'BSD-3-Clause License'
     compatible_licenses['Revised BSD'] = 'BSD-3-Clause License'
     compatible_licenses['New BSD License'] = 'BSD-3-Clause License'
+    compatible_licenses['3-Clause BSD License'] = 'BSD-3-Clause License'
 
     compatible_licenses['ICU License'] = 'ICU License'
 
@@ -254,6 +255,10 @@ def build_compatible_license_names():
     compatible_licenses['Eclipse Public License - Version 1.0'] = 'Eclipse Public License 1.0'
     compatible_licenses['Eclipse Public License, Version 1.0'] = 'Eclipse Public License 1.0'
 
+    compatible_licenses['Eclipse Distribution License 1.0'] = 'Eclipse Distribution License 1.0'
+    compatible_licenses['Eclipse Distribution License - v 1.0'] = 'Eclipse Distribution License 1.0'
+    compatible_licenses['EDL 1.0'] = 'Eclipse Distribution License 1.0'
+
     compatible_licenses['Mozilla Public License Version 2.0'] = 'Mozilla Public License Version 2.0'
     compatible_licenses['Mozilla Public License, Version 2.0'] = 'Mozilla Public License Version 2.0'
 
diff --git a/distribution/pom.xml b/distribution/pom.xml
index 215cd8d95b12..ac8848fa7e99 100644
--- a/distribution/pom.xml
+++ b/distribution/pom.xml
@@ -98,6 +98,13 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 
@@ -421,4 +428,4 @@
             </build>
         </profile>
     </profiles>
-</project>
\ No newline at end of file
+</project>
diff --git a/extensions-contrib/ambari-metrics-emitter/pom.xml b/extensions-contrib/ambari-metrics-emitter/pom.xml
index fb81ee146951..59639ab20f90 100644
--- a/extensions-contrib/ambari-metrics-emitter/pom.xml
+++ b/extensions-contrib/ambari-metrics-emitter/pom.xml
@@ -69,6 +69,12 @@
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <!-- transitive dependency of org.apache.amabri:ambari-metrics-common; override version to fix security vulnerabilities -->
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-annotations</artifactId>
+      <version>${hadoop.compile.version}</version>
+    </dependency>
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
@@ -126,6 +132,22 @@
       <scope>test</scope>
     </dependency>
   </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-dependency-plugin</artifactId>
+        <configuration>
+          <ignoredUnusedDeclaredDependencies>
+            <!-- Transitive dependency but explicitly added to fix security vulnerability -->
+            <ignoredUnusedDeclaredDependency>org.apache.hadoop:hadoop-annotations</ignoredUnusedDeclaredDependency>
+          </ignoredUnusedDeclaredDependencies>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
   <repositories>
     <repository>
       <id>hortonworks</id>
diff --git a/extensions-contrib/cassandra-storage/pom.xml b/extensions-contrib/cassandra-storage/pom.xml
index 6171a008fc33..993e0057300d 100644
--- a/extensions-contrib/cassandra-storage/pom.xml
+++ b/extensions-contrib/cassandra-storage/pom.xml
@@ -41,6 +41,11 @@
             <scope>provided</scope>
         </dependency>
         <dependency>
+            <!--
+              ~ This library is no longer actively developed and should be migrated to DataStax Java Driver for Apache
+              ~ Cassandra. Even the latest version of astyanax (3.10.2) has transitive dependencies with security
+              ~ vulenerabilites with CVSS scores greater than 7 (e.g., libthrift 0.9.1).
+            -->
             <groupId>com.netflix.astyanax</groupId>
             <artifactId>astyanax</artifactId>
             <version>1.0.1</version>
@@ -113,6 +118,11 @@
                     <groupId>com.github.stephenc.high-scale-lib</groupId>
                     <artifactId>high-scale-lib</artifactId>
                 </exclusion>
+                <exclusion>
+                    <!-- Excluded to remove security vulnerability -->
+                    <groupId>org.mortbay.jetty</groupId>
+                    <artifactId>jetty</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
diff --git a/extensions-contrib/moving-average-query/src/test/java/org/apache/druid/query/movingaverage/MovingAverageQueryTest.java b/extensions-contrib/moving-average-query/src/test/java/org/apache/druid/query/movingaverage/MovingAverageQueryTest.java
index ca9e4c5ec18b..83881c79cf97 100644
--- a/extensions-contrib/moving-average-query/src/test/java/org/apache/druid/query/movingaverage/MovingAverageQueryTest.java
+++ b/extensions-contrib/moving-average-query/src/test/java/org/apache/druid/query/movingaverage/MovingAverageQueryTest.java
@@ -38,7 +38,6 @@
 import org.apache.druid.client.cache.MapCache;
 import org.apache.druid.client.selector.ServerSelector;
 import org.apache.druid.data.input.MapBasedRow;
-import org.apache.druid.data.input.Row;
 import org.apache.druid.guice.DruidProcessingModule;
 import org.apache.druid.guice.GuiceInjectors;
 import org.apache.druid.guice.QueryRunnerFactoryModule;
@@ -99,7 +98,7 @@ public class MovingAverageQueryTest extends InitializedNullHandlingTest
   private final RetryQueryRunnerConfig retryConfig;
   private final ServerConfig serverConfig;
 
-  private final List<Row> groupByResults = new ArrayList<>();
+  private final List<ResultRow> groupByResults = new ArrayList<>();
   private final List<Result<TimeseriesResultValue>> timeseriesResults = new ArrayList<>();
 
   private final TestConfig config;
@@ -222,9 +221,9 @@ private Class<?> getExpectedQueryType()
     return MovingAverageQuery.class;
   }
 
-  private TypeReference<?> getExpectedResultType()
+  private TypeReference<List<MapBasedRow>> getExpectedResultType()
   {
-    return new TypeReference<List<Row>>()
+    return new TypeReference<List<MapBasedRow>>()
     {
     };
   }
diff --git a/extensions-contrib/thrift-extensions/pom.xml b/extensions-contrib/thrift-extensions/pom.xml
index 80c9af2145ff..71d5b03ee5d4 100644
--- a/extensions-contrib/thrift-extensions/pom.xml
+++ b/extensions-contrib/thrift-extensions/pom.xml
@@ -36,7 +36,7 @@
   <modelVersion>4.0.0</modelVersion>
 
   <properties>
-    <thrift.version>0.10.0</thrift.version>
+    <thrift.version>0.13.0</thrift.version>
     <elephantbird.version>4.17</elephantbird.version>
     <scrooge.version>19.10.0</scrooge.version>
   </properties>
diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java
index 21664d0659f2..1646fc334b1b 100644
--- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java
+++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java
@@ -67,32 +67,32 @@ public class BasicAuthUtils
   public static final int KEY_LENGTH = 512;
   public static final String ALGORITHM = "PBKDF2WithHmacSHA512";
 
-  public static final TypeReference AUTHENTICATOR_USER_MAP_TYPE_REFERENCE =
+  public static final TypeReference<Map<String, BasicAuthenticatorUser>> AUTHENTICATOR_USER_MAP_TYPE_REFERENCE =
       new TypeReference<Map<String, BasicAuthenticatorUser>>()
       {
       };
 
-  public static final TypeReference AUTHORIZER_USER_MAP_TYPE_REFERENCE =
+  public static final TypeReference<Map<String, BasicAuthorizerUser>> AUTHORIZER_USER_MAP_TYPE_REFERENCE =
       new TypeReference<Map<String, BasicAuthorizerUser>>()
       {
       };
 
-  public static final TypeReference AUTHORIZER_GROUP_MAPPING_MAP_TYPE_REFERENCE =
+  public static final TypeReference<Map<String, BasicAuthorizerGroupMapping>> AUTHORIZER_GROUP_MAPPING_MAP_TYPE_REFERENCE =
       new TypeReference<Map<String, BasicAuthorizerGroupMapping>>()
       {
       };
 
-  public static final TypeReference AUTHORIZER_ROLE_MAP_TYPE_REFERENCE =
+  public static final TypeReference<Map<String, BasicAuthorizerRole>> AUTHORIZER_ROLE_MAP_TYPE_REFERENCE =
       new TypeReference<Map<String, BasicAuthorizerRole>>()
       {
       };
 
-  public static final TypeReference AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE =
+  public static final TypeReference<UserAndRoleMap> AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE =
       new TypeReference<UserAndRoleMap>()
       {
       };
 
-  public static final TypeReference AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE =
+  public static final TypeReference<GroupMappingAndRoleMap> AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE =
       new TypeReference<GroupMappingAndRoleMap>()
       {
       };
diff --git a/extensions-core/kafka-extraction-namespace/pom.xml b/extensions-core/kafka-extraction-namespace/pom.xml
index 259bdb12f3e5..32a1853a644a 100644
--- a/extensions-core/kafka-extraction-namespace/pom.xml
+++ b/extensions-core/kafka-extraction-namespace/pom.xml
@@ -33,10 +33,6 @@
     <relativePath>../../pom.xml</relativePath>
   </parent>
 
-  <properties>
-    <apache.kafka.version>2.1.0</apache.kafka.version>
-  </properties>
-
   <dependencies>
     <dependency>
       <groupId>org.apache.druid</groupId>
diff --git a/extensions-core/protobuf-extensions/pom.xml b/extensions-core/protobuf-extensions/pom.xml
index 97f617287664..c29a82a56c05 100644
--- a/extensions-core/protobuf-extensions/pom.xml
+++ b/extensions-core/protobuf-extensions/pom.xml
@@ -35,10 +35,6 @@
     <relativePath>../../pom.xml</relativePath>
   </parent>
 
-  <properties>
-    <protobuf.version>3.2.0</protobuf.version>
-  </properties>
-
   <dependencies>
     <dependency>
       <groupId>org.apache.druid</groupId>
@@ -111,7 +107,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-shade-plugin</artifactId>
-        <version>3.0.0</version>
+        <version>3.2.1</version>
         <configuration>
           <createDependencyReducedPom>false</createDependencyReducedPom>
           <relocations>
diff --git a/integration-tests/pom.xml b/integration-tests/pom.xml
index 79e8c2c8c65d..7822af33b3ef 100644
--- a/integration-tests/pom.xml
+++ b/integration-tests/pom.xml
@@ -31,10 +31,6 @@
         <version>0.17.0-incubating-SNAPSHOT</version>
     </parent>
 
-    <properties>
-        <apache.kafka.version>2.1.0</apache.kafka.version>
-    </properties>
-
     <dependencies>
         <dependency>
             <groupId>org.apache.druid</groupId>
@@ -252,6 +248,13 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 
diff --git a/integration-tests/src/main/java/org/apache/druid/testing/clients/CoordinatorResourceTestClient.java b/integration-tests/src/main/java/org/apache/druid/testing/clients/CoordinatorResourceTestClient.java
index 074c77b11dbf..71ca9f83a4d0 100644
--- a/integration-tests/src/main/java/org/apache/druid/testing/clients/CoordinatorResourceTestClient.java
+++ b/integration-tests/src/main/java/org/apache/druid/testing/clients/CoordinatorResourceTestClient.java
@@ -41,7 +41,6 @@
 import org.joda.time.Interval;
 
 import java.net.URL;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 
@@ -96,7 +95,7 @@ private String getLoadStatusURL()
   // return a list of the segment dates for the specified datasource
   public List<String> getMetadataSegments(final String dataSource)
   {
-    ArrayList<String> segments;
+    List<String> segments;
     try {
       StatusResponseHolder response = makeRequest(HttpMethod.GET, getMetadataSegmentsURL(dataSource));
 
@@ -115,7 +114,7 @@ public List<String> getMetadataSegments(final String dataSource)
   // return a list of the segment dates for the specified datasource
   public List<String> getSegmentIntervals(final String dataSource)
   {
-    ArrayList<String> segments;
+    List<String> segments;
     try {
       StatusResponseHolder response = makeRequest(HttpMethod.GET, getIntervalsURL(dataSource));
 
diff --git a/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java b/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java
index e074b2f64c18..cb675bf5b4c3 100644
--- a/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java
+++ b/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java
@@ -74,12 +74,12 @@ public class ITBasicAuthConfigurationTest
 {
   private static final Logger LOG = new Logger(ITBasicAuthConfigurationTest.class);
 
-  private static final TypeReference LOAD_STATUS_TYPE_REFERENCE =
+  private static final TypeReference<Map<String, Boolean>> LOAD_STATUS_TYPE_REFERENCE =
       new TypeReference<Map<String, Boolean>>()
       {
       };
 
-  private static final TypeReference SYS_SCHEMA_RESULTS_TYPE_REFERENCE =
+  private static final TypeReference<List<Map<String, Object>>> SYS_SCHEMA_RESULTS_TYPE_REFERENCE =
       new TypeReference<List<Map<String, Object>>>()
       {
       };
diff --git a/licenses.yaml b/licenses.yaml
index ecb864c3515e..636de2bdfb6a 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -196,7 +196,7 @@ name: Jackson
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 2.9.10
+version: 2.10.1
 libraries:
   - com.fasterxml.jackson.core: jackson-annotations
   - com.fasterxml.jackson.core: jackson-core
@@ -233,6 +233,30 @@ notice: |
 
 ---
 
+name: JavaBeans Activation Framework API JAR
+license_category: binary
+module: java-core
+license_name: Eclipse Distribution License 1.0
+version: 1.2.1
+copyright: Oracle and/or its affiliates.
+license_file_path: licenses/bin/jakarta.activation-api.EDL1
+libraries:
+  - jakarta.activation: jakarta.activation-api
+
+---
+
+name: Jakarta XML Bind API
+license_category: binary
+module: java-core
+license_name: Eclipse Distribution License 1.0
+version: 2.3.2
+copyright: Oracle and/or its affiliates.
+license_file_path: licenses/bin/jakarta.activation-api.EDL1
+libraries:
+  - jakarta.xml.bind: jakarta.xml.bind-api
+
+---
+
 name: Caffeine
 license_category: binary
 module: java-core
@@ -2744,11 +2768,21 @@ license_name: Apache License version 2.0
 version: 1.0.0-M20
 libraries:
   - org.apache.directory.api: api-asn1-api
+
+---
+
+name: Apache Directory
+license_category: binary
+module: hadoop-client
+license_name: Apache License version 2.0
+version: 1.0.3
+libraries:
   - org.apache.directory.api: api-util
 notices:
   - api-util: |
       Apache Directory LDAP API Utilities
       Copyright 2003-2013 The Apache Software Foundation
+
 ---
 
 name: Apache Directory Server
@@ -3161,7 +3195,7 @@ name: Gson
 license_category: binary
 module: extensions/protobuf-extensions
 license_name: Apache License version 2.0
-version: 2.7
+version: 2.8.6
 libraries:
   - com.google.code.gson: gson
 
@@ -3279,7 +3313,7 @@ name: Protocol Buffers
 license_category: binary
 module: java-core
 license_name: BSD-3-Clause License
-version: 3.1.0
+version: 3.11.0
 copyright: Google, Inc.
 license_file_path:
   - licenses/bin/protobuf-java.BSD3
@@ -3444,7 +3478,7 @@ name: Protocol Buffers
 license_category: binary
 module: extensions/druid-protobuf-extensions
 license_name: BSD-3-Clause License
-version: 3.2.0
+version: 3.11.0
 copyright: Google, Inc.
 license_file_path: licenses/bin/protobuf-java.BSD3
 libraries:
@@ -3932,7 +3966,7 @@ name: Apache Kafka
 license_category: binary
 module: extensions/kafka-extraction-namespace
 license_name: Apache License version 2.0
-version: 2.1.0
+version: 2.1.1
 libraries:
   - org.apache.kafka: kafka_2.12
   - org.apache.kafka: kafka-clients
diff --git a/licenses/bin/jakarta.activation-api.EDL1 b/licenses/bin/jakarta.activation-api.EDL1
new file mode 100644
index 000000000000..8e44780c8564
--- /dev/null
+++ b/licenses/bin/jakarta.activation-api.EDL1
@@ -0,0 +1,13 @@
+Eclipse Distribution License - v 1.0
+
+Copyright (c) 2007, Eclipse Foundation, Inc. and its licensors.
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+    * Neither the name of the Eclipse Foundation, Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
new file mode 100644
index 000000000000..cf88f3957448
--- /dev/null
+++ b/owasp-dependency-check-suppressions.xml
@@ -0,0 +1,198 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <!-- druid-indexing-hadoop.jar is mistaken for hadoop -->
+    <notes><![CDATA[
+   file name: org.apache.druid:druid-indexing-hadoop:0.17.0-incubating-SNAPSHOT
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
+    <cve>CVE-2012-4449</cve>
+  </suppress>
+  <suppress>
+    <!-- druid-indexing-hadoop.jar is mistaken for hadoop -->
+    <notes><![CDATA[
+   file name: druid-indexing-hadoop-0.17.0-incubating-SNAPSHOT.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-indexing\-hadoop@.*$</packageUrl>
+    <cve>CVE-2017-3162</cve>
+  </suppress>
+  <suppress>
+    <!-- druid-processing.jar is mistaken for org.processing:processing -->
+    <notes><![CDATA[
+   file name: org.apache.druid:druid-processing:0.17.0-incubating-SNAPSHOT
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.druid/druid\-processing@.*$</packageUrl>
+    <cve>CVE-2018-1000840</cve>
+  </suppress>
+  <suppress>
+    <!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
+    <notes><![CDATA[
+   file name: openstack-swift-1.9.3.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-swift@.*$</packageUrl>
+    <cve>CVE-2016-0737</cve>
+    <cve>CVE-2016-0738</cve>
+    <cve>CVE-2017-16613</cve>
+  </suppress>
+  <suppress>
+    <!-- These CVEs are for the python SDK, but Druid uses the Java SDK -->
+    <notes><![CDATA[
+   file name: openstack-keystone-1.9.3.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
+    <cve>CVE-2015-7546</cve>
+  </suppress>
+
+  <!-- FIXME: These are suppressed so that CI can enforce that no new vulnerable dependencies are added. -->
+  <suppress>
+    <!--
+      ~ TODO: Fix by updating hibernate-validator.
+
+      ~ Note hibernate-validator:5.3.1 introduces a change that requires an EL implementation to be in the classpath:
+      ~ https://developer.jboss.org/wiki/HibernateValidatorMigrationGuide#jive_content_id_531Final
+      ~
+      ~ For example, updating hibernate-validator causes hadoop ingestion tasks to fail:
+      ~
+      ~   Error: com.google.inject.CreationException: Unable to create injector, see the following errors:
+      ~
+      ~   1) An exception was caught and reported. Message: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead
+      ~     at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
+      ~
+      ~   2) No implementation for javax.validation.Validator was bound.
+      ~     at org.apache.druid.guice.ConfigModule.configure(ConfigModule.java:39)
+      ~
+      ~   2 errors
+      ~       at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:470)
+      ~       at com.google.inject.internal.InternalInjectorCreator.initializeStatically(InternalInjectorCreator.java:155)
+      ~       at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:107)
+      ~       at com.google.inject.Guice.createInjector(Guice.java:99)
+      ~       at com.google.inject.Guice.createInjector(Guice.java:73)
+      ~       at org.apache.druid.guice.GuiceInjectors.makeStartupInjector(GuiceInjectors.java:56)
+      ~       at org.apache.druid.indexer.HadoopDruidIndexerConfig.<clinit>(HadoopDruidIndexerConfig.java:102)
+      ~       at org.apache.druid.indexer.HadoopDruidIndexerMapper.setup(HadoopDruidIndexerMapper.java:53)
+      ~       at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.setup(DetermineHashedPartitionsJob.java:279)
+      ~       at org.apache.druid.indexer.DetermineHashedPartitionsJob$DetermineCardinalityMapper.run(DetermineHashedPartitionsJob.java:334)
+      ~       at org.apache.hadoop.mapred.MapTask.runNewMapper(MapTask.java:787)
+      ~       at org.apache.hadoop.mapred.MapTask.run(MapTask.java:341)
+      ~       at org.apache.hadoop.mapred.YarnChild$2.run(YarnChild.java:175)
+      ~       at java.security.AccessController.doPrivileged(Native Method)
+      ~       at javax.security.auth.Subject.doAs(Subject.java:422)
+      ~       at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1844)
+      ~       at org.apache.hadoop.mapred.YarnChild.main(YarnChild.java:169)
+      ~   Caused by: javax.validation.ValidationException: HV000183: Unable to initialize 'javax.el.ExpressionFactory'. Check that you have the EL dependencies on the classpath, or use ParameterMessageInterpolator instead
+      ~       at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(ResourceBundleMessageInterpolator.java:102)
+      ~       at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.<init>(ResourceBundleMessageInterpolator.java:45)
+      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolator(ConfigurationImpl.java:423)
+      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.getDefaultMessageInterpolatorConfiguredWithClassLoader(ConfigurationImpl.java:575)
+      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.getMessageInterpolator(ConfigurationImpl.java:364)
+      ~       at org.hibernate.validator.internal.engine.ValidatorFactoryImpl.<init>(ValidatorFactoryImpl.java:148)
+      ~       at org.hibernate.validator.HibernateValidator.buildValidatorFactory(HibernateValidator.java:38)
+      ~       at org.hibernate.validator.internal.engine.ConfigurationImpl.buildValidatorFactory(ConfigurationImpl.java:331)
+      ~       at javax.validation.Validation.buildDefaultValidatorFactory(Validation.java:110)
+      ~       at org.apache.druid.guice.ConfigModule.configure(ConfigModule.java:39)
+      ~       at com.google.inject.spi.Elements$RecordingBinder.install(Elements.java:340)
+      ~       at com.google.inject.spi.Elements.getElements(Elements.java:110)
+      ~       at com.google.inject.internal.InjectorShell$Builder.build(InjectorShell.java:138)
+      ~       at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:104)
+      ~       ... 14 more
+      ~   Caused by: java.lang.NoSuchMethodError: javax.el.ExpressionFactory.newInstance()Ljavax/el/ExpressionFactory;
+      ~       at org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator.buildExpressionFactory(ResourceBundleMessageInterpolator.java:98)
+      ~       ... 27 more
+      -->
+    <notes><![CDATA[
+   file name: hibernate-validator-5.2.5.Final.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-validator@.*$</packageUrl>
+    <cve>CVE-2017-7536</cve>
+  </suppress>
+  <suppress>
+    <!-- TODO: Fix by updating curator-x-discovery to > 4.2.0 and updating hadoop -->
+    <notes><![CDATA[
+   file name: jackson-mapper-asl-1.9.13.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
+    <cve>CVE-2017-7525</cve>
+    <cve>CVE-2017-15095</cve>
+    <cve>CVE-2017-17485</cve>
+    <cve>CVE-2018-5968</cve>
+    <cve>CVE-2018-7489</cve>
+    <cve>CVE-2018-14718</cve>
+    <cve>CVE-2019-10172</cve>
+    <cve>CVE-2019-14540</cve>
+    <cve>CVE-2019-16335</cve>
+    <cve>CVE-2019-17267</cve>
+  </suppress>
+  <suppress>
+    <!-- TODO: Fix by updating org.apache.druid.java.util.http.client.NettyHttpClient to use netty 4 -->
+    <notes><![CDATA[
+   file name: netty-3.10.6.Final.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty@.*$</packageUrl>
+    <cve>CVE-2019-16869</cve>
+  </suppress>
+  <suppress>
+    <!-- TODO: Fix by upgrading hadoop-auth version -->
+    <notes><![CDATA[
+   file name: nimbus-jose-jwt-4.41.1.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.nimbusds/nimbus\-jose\-jwt@.*$</packageUrl>
+    <cve>CVE-2019-17195</cve>
+  </suppress>
+  <suppress>
+      <!-- TODO: Fix by using com.datastax.oss:java-driver-core instead of com.netflix.astyanax:astyanax in extensions-contrib/cassandra-stroage -->
+      <notes><![CDATA[
+   file name: libthrift-0.6.1.jar
+   ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
+      <cve>CVE-2016-5397</cve>
+      <cve>CVE-2018-1320</cve>
+      <cve>CVE-2019-0205</cve>
+  </suppress>
+  <suppress>
+    <!--
+      ~ TODO: Fix by updating hadoop-common used by extensions-core/parquet-extensions. Possibly need to change
+      ~ HdfsStorageDruidModule.configure()->FileSystem.get(conf) as well.
+      -->
+    <notes><![CDATA[
+   file name: htrace-core4-4.0.1-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+    <cve>CVE-2017-7525</cve>
+    <cve>CVE-2017-15095</cve>
+    <cve>CVE-2017-17485</cve>
+    <cve>CVE-2018-5968</cve>
+    <cve>CVE-2018-7489</cve>
+    <cve>CVE-2018-11307</cve>
+    <cve>CVE-2018-14718</cve>
+    <cve>CVE-2018-14719</cve>
+    <cve>CVE-2018-14720</cve>
+    <cve>CVE-2018-14721</cve>
+    <cve>CVE-2018-19360</cve>
+    <cve>CVE-2018-19361</cve>
+    <cve>CVE-2018-19362</cve>
+    <cve>CVE-2019-14540</cve>
+    <cve>CVE-2019-16335</cve>
+    <cve>CVE-2019-16942</cve>
+    <cve>CVE-2019-16943</cve>
+    <cve>CVE-2019-17267</cve>
+    <cve>CVE-2019-17531</cve>
+  </suppress>
+</suppressions>
diff --git a/pom.xml b/pom.xml
index d3cacfb13130..6569e30fa120 100644
--- a/pom.xml
+++ b/pom.xml
@@ -78,6 +78,7 @@
         <aether.version>0.9.0.M2</aether.version>
         <apache.curator.version>4.1.0</apache.curator.version>
         <apache.curator.test.version>2.12.0</apache.curator.test.version>
+        <apache.kafka.version>2.1.1</apache.kafka.version>
         <avatica.version>1.15.0</avatica.version>
         <avro.version>1.9.1</avro.version>
         <calcite.version>1.21.0</calcite.version>
@@ -88,7 +89,7 @@
         <hamcrest.version>1.3</hamcrest.version>
         <jetty.version>9.4.12.v20180830</jetty.version>
         <jersey.version>1.19.3</jersey.version>
-        <jackson.version>2.9.10</jackson.version>
+        <jackson.version>2.10.1</jackson.version>
         <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
         <log4j.version>2.8.2</log4j.version>
         <netty3.version>3.10.6.Final</netty3.version>
@@ -96,6 +97,7 @@
         <netty4.version>4.1.42.Final</netty4.version>
         <node.version>v10.14.2</node.version>
         <npm.version>6.5.0</npm.version>
+        <protobuf.version>3.11.0</protobuf.version>
         <slf4j.version>1.7.12</slf4j.version>
         <!-- If compiling with different hadoop version also modify default hadoop coordinates in TaskConfig.java -->
         <hadoop.compile.version>2.8.5</hadoop.compile.version>
@@ -758,7 +760,7 @@
             <dependency>
                 <groupId>com.google.protobuf</groupId>
                 <artifactId>protobuf-java</artifactId>
-                <version>3.1.0</version>
+                <version>${protobuf.version}</version>
             </dependency>
             <dependency>
                 <groupId>io.tesla.aether</groupId>
@@ -988,7 +990,7 @@
             <dependency>
                 <groupId>org.apache.directory.api</groupId>
                 <artifactId>api-util</artifactId>
-                <version>1.0.0-M20</version>
+                <version>1.0.3</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.calcite</groupId>
@@ -1478,6 +1480,23 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>5.2.4</version>
+                <configuration>
+                    <cveValidForHours>24</cveValidForHours>
+                    <failBuildOnCVSS>7</failBuildOnCVSS>
+                    <skipProvidedScope>true</skipProvidedScope>
+                    <skipSystemScope>true</skipSystemScope>  <!-- avoid error when processing jdk.tools:jdk.tools:jar:1.8:system -->
+                    <suppressionFile>owasp-dependency-check-suppressions.xml</suppressionFile>
+                </configuration>
+                <executions>
+                    <execution>
+                        <phase>none</phase>  <!-- TODO: Consider enabling so part of dev flow instead of just CI -->
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
         <pluginManagement>
             <plugins>
diff --git a/server/src/main/java/org/apache/druid/metadata/SQLMetadataStorageActionHandler.java b/server/src/main/java/org/apache/druid/metadata/SQLMetadataStorageActionHandler.java
index acdbbd0f2c1a..eb9e9916cac8 100644
--- a/server/src/main/java/org/apache/druid/metadata/SQLMetadataStorageActionHandler.java
+++ b/server/src/main/java/org/apache/druid/metadata/SQLMetadataStorageActionHandler.java
@@ -59,10 +59,10 @@ public abstract class SQLMetadataStorageActionHandler<EntryType, StatusType, Log
 
   private final SQLMetadataConnector connector;
   private final ObjectMapper jsonMapper;
-  private final TypeReference entryType;
-  private final TypeReference statusType;
-  private final TypeReference logType;
-  private final TypeReference lockType;
+  private final TypeReference<EntryType> entryType;
+  private final TypeReference<StatusType> statusType;
+  private final TypeReference<LogType> logType;
+  private final TypeReference<LockType> lockType;
 
   private final String entryTypeName;
   private final String entryTable;
@@ -107,7 +107,7 @@ protected ObjectMapper getJsonMapper()
     return jsonMapper;
   }
 
-  protected TypeReference getStatusType()
+  protected TypeReference<StatusType> getStatusType()
   {
     return statusType;
   }
@@ -127,7 +127,7 @@ protected String getEntryTypeName()
     return entryTypeName;
   }
 
-  public TypeReference getEntryType()
+  public TypeReference<EntryType> getEntryType()
   {
     return entryType;
   }
diff --git a/server/src/main/java/org/apache/druid/query/ResultLevelCachingQueryRunner.java b/server/src/main/java/org/apache/druid/query/ResultLevelCachingQueryRunner.java
index ac1636c1e644..0a7407fa52f8 100644
--- a/server/src/main/java/org/apache/druid/query/ResultLevelCachingQueryRunner.java
+++ b/server/src/main/java/org/apache/druid/query/ResultLevelCachingQueryRunner.java
@@ -185,7 +185,7 @@ private Sequence<T> deserializeResults(final byte[] cachedResult, CacheStrategy
       log.error("Cached result set is null");
     }
     final Function<Object, T> pullFromCacheFunction = strategy.pullFromCache(true);
-    final TypeReference<Object> cacheObjectClazz = strategy.getCacheObjectClazz();
+    final TypeReference<T> cacheObjectClazz = strategy.getCacheObjectClazz();
     //Skip the resultsetID and its length bytes
     Sequence<T> cachedSequence = Sequences.simple(() -> {
       try {
diff --git a/server/src/main/java/org/apache/druid/server/coordinator/HttpLoadQueuePeon.java b/server/src/main/java/org/apache/druid/server/coordinator/HttpLoadQueuePeon.java
index eea87118f9e9..0d297697ee29 100644
--- a/server/src/main/java/org/apache/druid/server/coordinator/HttpLoadQueuePeon.java
+++ b/server/src/main/java/org/apache/druid/server/coordinator/HttpLoadQueuePeon.java
@@ -67,13 +67,15 @@
  */
 public class HttpLoadQueuePeon extends LoadQueuePeon
 {
-  public static final TypeReference REQUEST_ENTITY_TYPE_REF = new TypeReference<List<DataSegmentChangeRequest>>()
-  {
-  };
-
-  public static final TypeReference RESPONSE_ENTITY_TYPE_REF = new TypeReference<List<SegmentLoadDropHandler.DataSegmentChangeRequestAndStatus>>()
-  {
-  };
+  public static final TypeReference<List<DataSegmentChangeRequest>> REQUEST_ENTITY_TYPE_REF =
+      new TypeReference<List<DataSegmentChangeRequest>>()
+      {
+      };
+
+  public static final TypeReference<List<SegmentLoadDropHandler.DataSegmentChangeRequestAndStatus>> RESPONSE_ENTITY_TYPE_REF =
+      new TypeReference<List<SegmentLoadDropHandler.DataSegmentChangeRequestAndStatus>>()
+      {
+      };
 
   private static final EmittingLogger log = new EmittingLogger(HttpLoadQueuePeon.class);
 
diff --git a/services/pom.xml b/services/pom.xml
index fb927038fa12..15301f103437 100644
--- a/services/pom.xml
+++ b/services/pom.xml
@@ -226,6 +226,22 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <configuration>
+                    <!--
+                      ~ The analysis gets confused between javax.xml.bind:jaxb-api and jakarta.xml.bind:jakarta.xml.bind-api.
+                      ~ The former is a direct dependency, and the latter is a transitive dependency of jackson 2.10+.
+                      -->
+                    <usedDependencies>
+                        <dependency>javax.xml.bind:jaxb-api</dependency>
+                    </usedDependencies>
+                    <ignoredUsedUndeclaredDependencies>
+                        <ignoredUsedUndeclaredDependency>jakarta.xml.bind:jakarta.xml.bind-api</ignoredUsedUndeclaredDependency>
+                    </ignoredUsedUndeclaredDependencies>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 

From 0c3809e925f4c9f020327eabfc1f4d8f1996fa2b Mon Sep 17 00:00:00 2001
From: Chi Cao Minh <chi.caominh@imply.io>
Date: Wed, 4 Dec 2019 10:26:49 -0800
Subject: [PATCH 2/3] Rename EDL1 license file

---
 licenses.yaml                                              | 4 ++--
 licenses/bin/{jakarta.activation-api.EDL1 => jakarta.EDL1} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename licenses/bin/{jakarta.activation-api.EDL1 => jakarta.EDL1} (100%)

diff --git a/licenses.yaml b/licenses.yaml
index 636de2bdfb6a..f375dce96fd2 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -239,7 +239,7 @@ module: java-core
 license_name: Eclipse Distribution License 1.0
 version: 1.2.1
 copyright: Oracle and/or its affiliates.
-license_file_path: licenses/bin/jakarta.activation-api.EDL1
+license_file_path: licenses/bin/jakarta.EDL1
 libraries:
   - jakarta.activation: jakarta.activation-api
 
@@ -251,7 +251,7 @@ module: java-core
 license_name: Eclipse Distribution License 1.0
 version: 2.3.2
 copyright: Oracle and/or its affiliates.
-license_file_path: licenses/bin/jakarta.activation-api.EDL1
+license_file_path: licenses/bin/jakarta.EDL1
 libraries:
   - jakarta.xml.bind: jakarta.xml.bind-api
 
diff --git a/licenses/bin/jakarta.activation-api.EDL1 b/licenses/bin/jakarta.EDL1
similarity index 100%
rename from licenses/bin/jakarta.activation-api.EDL1
rename to licenses/bin/jakarta.EDL1

From de9a4cc5017fe2f4be697df15e1c2b1a6bd36c5c Mon Sep 17 00:00:00 2001
From: Chi Cao Minh <chi.caominh@imply.io>
Date: Wed, 4 Dec 2019 13:02:00 -0800
Subject: [PATCH 3/3] Fix inspection errors

---
 .../druid/query/lookup/NamespaceLookupExtractorFactoryTest.java | 2 +-
 .../indexing/seekablestream/SeekableStreamIndexTaskRunner.java  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions-core/lookups-cached-global/src/test/java/org/apache/druid/query/lookup/NamespaceLookupExtractorFactoryTest.java b/extensions-core/lookups-cached-global/src/test/java/org/apache/druid/query/lookup/NamespaceLookupExtractorFactoryTest.java
index bab8259dbcfc..64c5022a376b 100644
--- a/extensions-core/lookups-cached-global/src/test/java/org/apache/druid/query/lookup/NamespaceLookupExtractorFactoryTest.java
+++ b/extensions-core/lookups-cached-global/src/test/java/org/apache/druid/query/lookup/NamespaceLookupExtractorFactoryTest.java
@@ -471,7 +471,7 @@ public void testSerDe() throws Exception
         namespaceLookupExtractorFactory.getExtractionNamespace().getClass()
     );
     Assert.assertFalse(namespaceLookupExtractorFactory.replaces(mapper.readValue(str, LookupExtractorFactory.class)));
-    final Map<String, Object> map = new HashMap<>(mapper.<Map<String, Object>>readValue(
+    final Map<String, Object> map = new HashMap<>(mapper.readValue(
         str,
         JacksonUtils.TYPE_REFERENCE_MAP_STRING_OBJECT
     ));
diff --git a/indexing-service/src/main/java/org/apache/druid/indexing/seekablestream/SeekableStreamIndexTaskRunner.java b/indexing-service/src/main/java/org/apache/druid/indexing/seekablestream/SeekableStreamIndexTaskRunner.java
index 6d33179c27aa..e1f3861531ea 100644
--- a/indexing-service/src/main/java/org/apache/druid/indexing/seekablestream/SeekableStreamIndexTaskRunner.java
+++ b/indexing-service/src/main/java/org/apache/druid/indexing/seekablestream/SeekableStreamIndexTaskRunner.java
@@ -1079,7 +1079,7 @@ private boolean restoreSequences() throws IOException
     final File sequencesPersistFile = getSequencesPersistFile(toolbox);
     if (sequencesPersistFile.exists()) {
       sequences = new CopyOnWriteArrayList<>(
-          toolbox.getJsonMapper().<List<SequenceMetadata<PartitionIdType, SequenceOffsetType>>>readValue(
+          toolbox.getJsonMapper().readValue(
               sequencesPersistFile,
               getSequenceMetadataTypeReference()
           )