Conversation

@Aggarwal-Raghav
Contributor

What changes were proposed in this pull request?

Upgrade guava to fix the CVEs

Why are the changes needed?

The guava version on the Hive master branch is 22.0, which has 2 direct CVEs:
CVE-2020-8908
CVE-2018-10237
Components like Tez 0.10.2 (used in Hive) have also moved to guava version 31.1-jre.

Does this PR introduce any user-facing change?

No

How was this patch tested?

By building Hive on a local machine

@Aggarwal-Raghav changed the title from "Upgrade guava version to 31.1-jre to fix the CVE" to "HIVE-27299: Upgrade guava version to 31.1-jre to fix CVE" on Apr 26, 2023
@aturoczy

It is a fair change to fix the CVEs, but I doubt it will be as easy as the change. Guava 16 was released in 2014; 31 was released somewhere in early 2023. After 9 years, I think there will be several breaking changes that need to be adjusted on the hive side. It should be a huge, but respectful task.

cc: @abstractdog @ayushtkn @deniskuzZ

@ayushtkn
Member

I have played with guava in the past, to chase the hadoop upgrade, but hive has too many dependencies with different guava versions, so that didn't work well.
So, ultimately I shaded guava in hadoop for hive and we moved to the hadoop version in which guava was shaded.

@Aggarwal-Raghav, no point running the tests again and again; those are genuine errors. A guava upgrade ain't just a change in the pom.
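
The point made in the PR description (the pom now declares 31.1-jre) and the point made in the comment above (Hive's dependencies each bring their own Guava, so a pom bump alone does not make the build healthy) are easiest to see on a dependency tree. The script below is an added example, not code from the Hive project or from anyone in this thread. It parses a constructed sample of `mvn dependency:tree -Dverbose` output (module names and version numbers are illustrative, not taken from a real Hive build), reports every Guava version each module declares and what Maven resolved, and flags versions that fall inside the affected ranges as worded in the NVD entries for the two CVEs (those ranges are an assumption taken from NVD, not something the PR states).

```python
"""Added example (not from the Hive PR): parse the output of
`mvn dependency:tree -Dverbose -Dincludes=com.google.guava:guava` and report
every Guava version the build graph asks for, whether Maven resolved or
omitted it, and which NVD-listed CVE ranges each version falls in."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Affected ranges as worded in the NVD entries (assumption: copied from NVD text;
# the pull request itself only names the CVE ids).
AFFECTED: Dict[str, Tuple[Optional[Tuple[int, ...]], Tuple[int, ...]]] = {
    "CVE-2018-10237": ((11, 0), (24, 1, 1)),  # 11.0 <= v < 24.1.1
    "CVE-2020-8908": (None, (30, 0)),          # v < 30.0 (NVD: "update to 30.0 or later")
}

# Constructed sample of verbose dependency:tree output; module and version numbers
# are illustrative, not copied from a real Hive build.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ hive-exec ---
[INFO] org.apache.hive:hive-exec:jar:4.0.0-SNAPSHOT
[INFO] +- com.google.guava:guava:jar:31.1-jre:compile
[INFO] +- org.apache.tez:tez-api:jar:0.10.2:compile
[INFO] |  \\- (com.google.guava:guava:jar:31.1-jre:compile - omitted for duplicate)
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.0:compile
[INFO] |  \\- (com.google.guava:guava:jar:27.0-jre:compile - omitted for conflict with 31.1-jre)
[INFO] \\- org.apache.calcite:calcite-core:jar:1.25.0:compile
[INFO]    \\- (com.google.guava:guava:jar:19.0:compile - omitted for conflict with 31.1-jre)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# groupId:artifactId:type[:classifier]:version[:scope]
COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")
OMITTED = re.compile(r"\((.+?) - omitted for (.+)\)")


@dataclass
class GuavaRequest:
    requested_by: str  # groupId:artifactId:version of the module declaring the dependency
    version: str       # Guava version that module declares
    status: str        # "resolved", "omitted for duplicate", "omitted for conflict with X"


def parse_version(version: str) -> Tuple[int, ...]:
    """'31.1-jre' -> (31, 1); '24.1.1' -> (24, 1, 1). Qualifiers such as -jre are dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def cves_for(version: str) -> List[str]:
    """CVE ids from AFFECTED whose range contains this Guava version."""
    v = parse_version(version)
    return [cve for cve, (low, high) in AFFECTED.items()
            if (low is None or v >= low) and v < high]


def _short(coord: str) -> Tuple[str, str, str]:
    parts = coord.split(":")
    version = parts[3] if len(parts) == 4 else parts[-2]  # root line carries no scope
    return parts[0], parts[1], version


def find_guava_requests(tree_text: str) -> List[GuavaRequest]:
    """Walk the tree drawing (3 columns per nesting level) and record every Guava node."""
    stack: List[str] = []  # stack[depth] = "group:artifact:version" at that depth
    found: List[GuavaRequest] = []
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        first = re.search(r"[\w(]", line)      # coordinate start; '(' when omitted
        coord_match = COORD.search(line)
        if not first or not coord_match or first.start() % 3:
            continue                            # plugin banner, separators, BUILD SUCCESS
        depth = first.start() // 3
        omitted = OMITTED.search(line)
        coord = omitted.group(1) if omitted else coord_match.group(0)
        group, artifact, version = _short(coord)
        del stack[depth:]
        stack.append(f"{group}:{artifact}:{version}")
        if (group, artifact) == ("com.google.guava", "guava"):
            requester = stack[depth - 1] if depth else "<root>"
            status = f"omitted for {omitted.group(2)}" if omitted else "resolved"
            found.append(GuavaRequest(requester, version, status))
    return found


def mismatched_requesters(reqs: List[GuavaRequest]) -> List[Tuple[str, str]]:
    """Modules that declare a different Guava than the one Maven put on the classpath."""
    resolved = next((r.version for r in reqs if r.status == "resolved"), None)
    return [(r.requested_by, r.version) for r in reqs
            if r.status != "resolved" and r.version != resolved]


if __name__ == "__main__":
    requests = find_guava_requests(SAMPLE_TREE)
    for r in requests:
        flags = ", ".join(cves_for(r.version)) or "no listed CVE"
        print(f"{r.requested_by} declares guava {r.version} [{r.status}] ({flags})")
    for module, declared in mismatched_requesters(requests):
        print(f"WARNING: {module} declares guava {declared} but will run on the resolved jar")
```

To use it on a real build, capture `mvn dependency:tree -Dverbose -Dincludes=com.google.guava:guava` to a file and pass its contents to `find_guava_requests`. In the sample, the root module resolves 31.1-jre, so a scanner that only looks at the resolved jar sees both CVEs gone; the "omitted for conflict" entries show the modules that declared an older Guava and will now run against a jar they did not declare, which is the kind of mismatch behind the "genuine errors" the comment refers to and the reason the thread points to shading rather than a pom bump.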

@Aggarwal-Raghav
Contributor Author

Thanks for letting me know @ayushtkn. I was not aware of this.

@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

Bugs: A (0 Bugs)
Vulnerabilities: A (0 Vulnerabilities)
Security Hotspots: A (0 Security Hotspots)
Code Smells: A (0 Code Smells)

No Coverage information
No Duplication information

@aturoczy

Please close this PR, as I think it won't be resolvable soon.

4 participants