HBASE-28250 Bump jruby to 9.4.8.0 to fix snakeyaml CVE

[NihalJain]

No description provided.

[NihalJain]

Please see https://issues.apache.org/jira/browse/HBASE-28250 for RCA

[NihalJain]

This is good for review, except licensing changes, if any, need to analyse!

[NihalJain]

jcoding and joni changes were not needed, hence no change around that here

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 37s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
			_ master Compile Tests _
+0 🆗	mvndep	0m 16s		Maven dependency ordering for branch
+1 💚	mvninstall	3m 6s		master passed
+1 💚	compile	8m 8s		master passed
+1 💚	spotless	0m 45s		branch has no errors when running spotless:check.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 17s		Maven dependency ordering for patch
+1 💚	mvninstall	2m 57s		the patch passed
+1 💚	compile	8m 7s		the patch passed
+1 💚	javac	8m 7s		the patch passed
-0 ⚠️	blanks	0m 0s	/blanks-eol.txt	The patch has 1 line(s) that end in blanks. Use git apply --whitespace=fix <<patch_file>>. Refer https://git-scm.com/docs/git-apply
-0 ⚠️	rubocop	0m 3s	/results-rubocop.txt	The patch generated 17 new + 23 unchanged - 22 fixed = 40 total (was 45)
+1 💚	xmllint	0m 0s		No new issues.
+1 💚	hadoopcheck	10m 46s		Patch does not cause any errors with Hadoop 3.3.6 3.4.0.
+1 💚	spotless	0m 44s		patch has no errors when running spotless:check.
			_ Other Tests _
+1 💚	asflicense	0m 23s		The patch does not generate ASF License warnings.
		42m 26s

Subsystem	Report/Notes
Docker	ClientAPI=1.46 ServerAPI=1.46 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6127/1/artifact/yetus-general-check/output/Dockerfile
GITHUB PR	#6127
Optional Tests	dupname asflicense javac codespell detsecrets rubocop spotless xmllint hadoopcheck compile
uname	Linux 7d84631ce7e3 5.4.0-177-generic #197-Ubuntu SMP Thu Mar 28 22:45:47 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / 879fd86
Default Java	Eclipse Adoptium-17.0.11+9
Max. process+thread count	190 (vs. ulimit of 30000)
modules	C: hbase-shell . U: .
Console output	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6127/1/console
versions	git=2.34.1 maven=3.9.8 rubocop=1.37.1 xmllint=20913
Powered by	Apache Yetus 0.15.0 https://yetus.apache.org

This message was automatically generated.

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 35s		Docker mode activated.
-0 ⚠️	yetus	0m 3s		Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --author-ignore-list --blanks-eol-ignore-file --blanks-tabs-ignore-file --quick-hadoopcheck
			_ Prechecks _
			_ master Compile Tests _
+0 🆗	mvndep	0m 16s		Maven dependency ordering for branch
+1 💚	mvninstall	3m 6s		master passed
+1 💚	compile	2m 12s		master passed
+1 💚	javadoc	2m 19s		master passed
+1 💚	shadedjars	5m 26s		branch has no errors when building our shaded downstream artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 16s		Maven dependency ordering for patch
+1 💚	mvninstall	3m 1s		the patch passed
+1 💚	compile	2m 13s		the patch passed
+1 💚	javac	2m 13s		the patch passed
+1 💚	javadoc	2m 19s		the patch passed
+1 💚	shadedjars	5m 23s		patch has no errors when building our shaded downstream artifacts.
			_ Other Tests _
+1 💚	unit	301m 35s		root in the patch passed.
		335m 24s

Subsystem	Report/Notes
Docker	ClientAPI=1.46 ServerAPI=1.46 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6127/1/artifact/yetus-jdk17-hadoop3-check/output/Dockerfile
GITHUB PR	#6127
Optional Tests	javac javadoc unit shadedjars compile
uname	Linux 67cf6d6fda85 5.4.0-182-generic #202-Ubuntu SMP Fri Apr 26 12:29:36 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / 879fd86
Default Java	Eclipse Adoptium-17.0.11+9
Test Results	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6127/1/testReport/
Max. process+thread count	8833 (vs. ulimit of 30000)
modules	C: hbase-shell . U: .
Console output	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6127/1/console
versions	git=2.34.1 maven=3.9.8
Powered by	Apache Yetus 0.15.0 https://yetus.apache.org

This message was automatically generated.

[NihalJain]

This is good for review, except licensing changes, if any, need to analyse!

Just verified, we do not need any licensing changes as apparently ruby licensing is already in place: https://github.com/ruby/irb/blob/v1.4.2/LICENSE.txt is already there in our LICENSE.txt:

hbase/LICENSE.txt

Line 617 in 836f2d9

This project incorporates portions of the 'Ruby' project available

[Apache9]

I'm not a ruby expert but since all UTs are passed, I think it is OK.

Please fix the whilespace issue and also open a PR against branch-2.

Thanks.

[NihalJain]

Hi just updating how I have been testing out this version bump. First, curated a list of tests based on basic sanity + old JIRAs which were created post version bump. (Plan to automate these for future releases soon)

Following are the things i have tested:

1. HBase Shell sanity commands in a standalone on Mac and distributed cluster (with/without kerberos, both cases) on RHEL

• Tested commands: create / get / put / scan / describe / flush / major_compact / get_splits / split / snapshot / list_snapshots / truncate_preserve / restore_snapshot / clone_snapshot / status
• Tested in standalone mode with master open source code itself
• Tested in distributed mode by backporting changes to 2.6.0 code fork that we maintain

2. HBase Shell Help command, works fine!
3. JRuby version check

• 

4. Shell echo and then pipe command and check exit code.

• Covers https://issues.apache.org/jira/browse/HBASE-18393

5. Shell top level defs to load a scipt inside shell.

• Covers https://issues.apache.org/jira/browse/HBASE-26269

6. Shell echo then pipe and run script in background.

• Covers https://issues.apache.org/jira/browse/HBASE-26772

7. Shell error handling cases.

• Covers https://issues.apache.org/jira/browse/HBASE-26751, https://issues.apache.org/jira/browse/HBASE-26741 and https://issues.apache.org/jira/browse/HBASE-26880

8. Shell exit code in case of error.

• Covers https://issues.apache.org/jira/browse/HBASE-26741

9. Run other existing scripts like get-active-master.rb, replication/copy_tables_desc.rb, draining_servers.rb and ensure no error.
10. Test basic ruby code, works fine!

puts "Enter first value: "
num1=gets.chomp.to_i
puts "Enter second value: "
num2=gets.chomp.to_i
sum=num1+num2
puts "The sum is #{sum}."

11. Test basic HBase ruby code, works fine, with removal of import

java_import 'org.apache.hadoop.hbase.HBaseConfiguration'
java_import 'org.apache.hadoop.hbase.client.HTable' 
java_import 'org.apache.hadoop.hbase.client.Scan' 
java_import 'org.apache.hadoop.hbase.util.Bytes' 

config = HBaseConfiguration.create() 
connection = ConnectionFactory.createConnection(config) 
table_name = TableName.valueOf("nj:test")
table = connection.getTable(table_name)

scan = Scan.new() 
scanner = table.getScanner(scan) 

iterator = scanner.iterator() 

while iterator.hasNext() 
  result = iterator.next() 
  puts Bytes.toString(result.getRow()) 
end 

scanner.close()
connection.close()

• Here, there's a breaking change import commands no longer work, so we ought to use java_import

12. Tested TAB behavior.

• Now instead of asking to display all possible options, it just picks up some command from history
• Also noticed TAB in snippets that we copy paste into shell replaced with some old command, which is weird (Seems it is similar to Copy&Paste code with TAB symbol inserts source into the code which makes it void value expression ruby/irb#382)

13. Test Autocomplete, works fine for most commands

• 

14. Test Autocomplete in a scenario where we try switching to command 'disable_all' by typing 'disable' and then TAB

• Buggy, command hangs and we are not able to take input

Based on point 12 and 14, I suggest to disable colorize and auto_complete which are by default enabled in JRuby 9.4.8.0 and is very buggy Or we could document steps on how to disable it via .irbrc. I will update PR based on how others feel.
Also see:

• Autocompletion Meta Issue ruby/irb#445
• Default behavior change ( AUTOCOMPLETE, COLORIZE ) ruby/irb#351

Based on point 11, we may need to add removal of import for custom ruby scripts in release notes.

Please let me know if I have missed any cases, and should test anything else.

[NihalJain]

Please fix the whilespace issue

The previous indent was incorrect, this line indent is as per copied line https://github.com/ruby/irb/blob/f9960dbd370769addca04dda4f1a06d921a4e98d/lib/irb.rb#L461C8-L461C43

also open a PR against branch-2.
Thank @Apache9 for the review, will fix whitespace.

Which all branches should we target? Just branch-2 right? Also just wanted to call out again JRuby 9.4.x targets Ruby 3.1 compatibility instead of Ruby 2.6 which 9.3.x were having!

Anyways I have tested my changes on 2.6.0 itself and all work good as shared in previous comment!

[ndimiduk]

Thanks for the thorough testing here. This looks very promising!

Re: autocomplete and colors, can we disable them by default and document how to reenable them for the brave?

[ndimiduk]

Should this PR also update all the internal rb scripts to use java_import as appropriate?

[NihalJain]

Hi Nick thanks for taking time to review this PR.

Re: autocomplete and colors, can we disable them by default and document how to reenable them for the brave?

I can think of two approaches to implement same:

1. Expose flags in hbase shell to allow colorize and auto-complete. Something like below:

cmdline_help = <<HERE # HERE document output as shell usage
Usage: shell [OPTIONS] [SCRIPTFILE [ARGUMENTS]]

 -d | --debug            Set DEBUG log levels.
 -h | --help             This help.
 -n | --noninteractive   Do not run within an IRB session and exit with non-zero
                         status on first error.
 -c | --colorize         Enable colorize
 -a | --autocomplete     Enable autocomplete
 --top-level-defs        Compatibility flag to export HBase shell commands onto
                         Ruby's main object
 -Dkey=value             Pass hbase-*.xml Configuration overrides. For example, to
                         use an alternate zookeeper ensemble, pass:
                           -Dhbase.zookeeper.quorum=zookeeper.example.org
                         For faster fail, pass the below and vary the values:
                           -Dhbase.client.retries.number=7
                           -Dhbase.ipc.client.connect.max.retries=3
HERE

2. Or, let user set their preferences via .irbrc file and we respect that. For example, if user explicitly sets these features to be enabled, override and ignore our default setting in code

# Load .irbrc
require 'irb'
irbrc = "#{ENV['HOME']}/.irbrc"
if File.exist?(irbrc)
  load irbrc
end

# Check and set :USE_AUTOCOMPLETE
unless IRB.conf.key?(:USE_AUTOCOMPLETE)
  IRB.conf[:USE_AUTOCOMPLETE] = false
end

# Check and set :USE_COLORIZE
unless IRB.conf.key?(:USE_COLORIZE)
  IRB.conf[:USE_COLORIZE] = false
end

Should this PR also update all the internal rb scripts to use java_import as appropriate?

I have tried our internal ruby scripts: get-active-master.rb, replication/copy_tables_desc.rb, draining_servers.rb and shutdown_regionserver.rb to check they work even after this change.

Also I did a quick check with following command: grep -rnw './' -e '^import' --include '*.rb'. Thankfully we have no usage of import, and we use use java_import everywhere.

[NihalJain]

Hi Nick thanks for taking time to review this PR.

Re: autocomplete and colors, can we disable them by default and document how to reenable them for the brave?

I can think of two approaches to implement same:

Going ahead to implement and update PR with approach 1.

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 38s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
			_ master Compile Tests _
+0 🆗	mvndep	0m 16s		Maven dependency ordering for branch
+1 💚	mvninstall	3m 5s		master passed
+1 💚	compile	8m 7s		master passed
+1 💚	spotless	0m 45s		branch has no errors when running spotless:check.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 15s		Maven dependency ordering for patch
+1 💚	mvninstall	2m 53s		the patch passed
+1 💚	compile	8m 7s		the patch passed
+1 💚	javac	8m 7s		the patch passed
-0 ⚠️	blanks	0m 0s	/blanks-eol.txt	The patch has 1 line(s) that end in blanks. Use git apply --whitespace=fix <<patch_file>>. Refer https://git-scm.com/docs/git-apply
-0 ⚠️	rubocop	0m 6s	/results-rubocop.txt	The patch generated 17 new + 32 unchanged - 22 fixed = 49 total (was 54)
+1 💚	xmllint	0m 1s		No new issues.
+1 💚	hadoopcheck	10m 47s		Patch does not cause any errors with Hadoop 3.3.6 3.4.0.
+1 💚	spotless	0m 45s		patch has no errors when running spotless:check.
			_ Other Tests _
+1 💚	asflicense	0m 23s		The patch does not generate ASF License warnings.
		42m 43s

Subsystem	Report/Notes
Docker	ClientAPI=1.46 ServerAPI=1.46 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6127/2/artifact/yetus-general-check/output/Dockerfile
GITHUB PR	#6127
Optional Tests	dupname asflicense javac codespell detsecrets rubocop spotless xmllint hadoopcheck compile
uname	Linux ebf1d9694b6d 5.4.0-177-generic #197-Ubuntu SMP Thu Mar 28 22:45:47 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / e8b359a
Default Java	Eclipse Adoptium-17.0.11+9
Max. process+thread count	191 (vs. ulimit of 30000)
modules	C: hbase-shell . U: .
Console output	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6127/2/console
versions	git=2.34.1 maven=3.9.8 rubocop=1.37.1 xmllint=20913
Powered by	Apache Yetus 0.15.0 https://yetus.apache.org

This message was automatically generated.

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 38s		Docker mode activated.
-0 ⚠️	yetus	0m 3s		Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --author-ignore-list --blanks-eol-ignore-file --blanks-tabs-ignore-file --quick-hadoopcheck
			_ Prechecks _
			_ master Compile Tests _
+0 🆗	mvndep	0m 17s		Maven dependency ordering for branch
+1 💚	mvninstall	3m 5s		master passed
+1 💚	compile	2m 15s		master passed
+1 💚	javadoc	2m 20s		master passed
+1 💚	shadedjars	5m 26s		branch has no errors when building our shaded downstream artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 16s		Maven dependency ordering for patch
+1 💚	mvninstall	3m 0s		the patch passed
+1 💚	compile	2m 17s		the patch passed
+1 💚	javac	2m 17s		the patch passed
+1 💚	javadoc	2m 20s		the patch passed
+1 💚	shadedjars	5m 24s		patch has no errors when building our shaded downstream artifacts.
			_ Other Tests _
+1 💚	unit	302m 32s		root in the patch passed.
		336m 48s

Subsystem	Report/Notes
Docker	ClientAPI=1.46 ServerAPI=1.46 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6127/2/artifact/yetus-jdk17-hadoop3-check/output/Dockerfile
GITHUB PR	#6127
Optional Tests	javac javadoc unit shadedjars compile
uname	Linux 9d4ed3dae6e6 5.4.0-182-generic #202-Ubuntu SMP Fri Apr 26 12:29:36 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / e8b359a
Default Java	Eclipse Adoptium-17.0.11+9
Test Results	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6127/2/testReport/
Max. process+thread count	8872 (vs. ulimit of 30000)
modules	C: hbase-shell . U: .
Console output	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6127/2/console
versions	git=2.34.1 maven=3.9.8
Powered by	Apache Yetus 0.15.0 https://yetus.apache.org

This message was automatically generated.

[NihalJain]

Ping @ndimiduk could you please see if commit 2 addresses your review comment

[ndimiduk]

Nice one, thanks @NihalJain

[NihalJain]

Thank you so much for your reviews @ndimiduk and @Apache9. I will raise a backport for branch-3 next.

Let me know if should pull this into branch-2 as well.

[ndimiduk]

Yes I think that this can go to branch-2 as well.

[NihalJain]

Yes I think that this can go to branch-2 as well.

Raised backport for branch-2 as well. May be will request others to add approval on #6146 before we merge that into codebase.