Upgraded ElasticSearch to get rid of CVEs.

[dlg99]

CVEs are:
CVE-2020-7020
CVE-2020-7021
CVE-2021-22132
CVE-2021-22134
CVE-2021-22144
CVE-2021-22147

Motivation

mvn clean install verify -Powasp-dependency-check -DskipTests found various CVEs

Modifications

Upgraded ElasticSearch to get rid of CVEs.
Had to update maven compiler plugin config, otherwise it was NPE-ing instead of showing actual errors.

Verifying this change

• Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage.

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

• Dependencies (does it add or upgrade a dependency): YES
• The public API: (yes / no)
• The schema: (yes / no / don't know)
• The default values of configurations: (yes / no)
• The wire protocol: (yes / no)
• The rest endpoints: (yes / no)
• The admin cli options: (yes / no)
• Anything that affects deployment: (yes / no / don't know)

Documentation

Check the box below or label this PR directly (if you have committer privilege).

Need to update docs?

• doc-required

  (If you need help on updating docs, create a doc issue)

• no-need-doc

  (Please explain why)

• doc

  (If this PR contains doc changes)

[dlg99]

/pulsarbot run-failure-checks

[lhotari]

Had to update maven compiler plugin config, otherwise it was NPE-ing instead of showing actual errors.

Please revert these changes from this PR, if possible.

There's #13126 about the maven NPE issue. In the past there has been a need to temporarily set forceJavacCompilerUse to find out the compiler error, but it has been possible to remove the option after fixing the compilation issue. Is that also the case here?

At least it seems that setting the maven compiler plugin version isn't necessary since the parent pom sets it.
maven-compiler-plugin version is set via

pulsar/pom.xml

Lines 26 to 30 in e5d828a

	<parent>
	<groupId>org.apache</groupId>
	<artifactId>apache</artifactId>
	<version>23</version>
	</parent>

and is set to 3.8.1 in https://github.com/apache/maven-apache-parent/blob/99592e229c20f079c1998875e5c24556d217b491/pom.xml#L138-L142

If there's no way around it, then add a comment why forceJavacCompilerUse has been added, such as.

         <!-- workaround https://issues.apache.org/jira/browse/MCOMPILER-346 -->
         <forceJavacCompilerUse>true</forceJavacCompilerUse>

[dlg99]

@lhotari I removed forceJavacCompilerUse and everything builds/pushed the change.
Please help me understand what's the downside of just keeping it there/adding in another PR?
I presume everyone who updates dependencies now and then gets into that NPE in maven, and have to add the forceJavacCompilerUse to see the errors, and remove it later.
So does it hurt build times or anything else? Why don't we make developers' life easier and keep it until we move to the maven/jvm plugin with the NPE fixed (not soon, probably, as it is not fixed yet)?

[lhotari]

@lhotari I removed forceJavacCompilerUse and everything builds/pushed the change. Please help me understand what's the downside of just keeping it there/adding in another PR? I presume everyone who updates dependencies now and then gets into that NPE in maven, and have to add the forceJavacCompilerUse to see the errors, and remove it later. So does it hurt build times or anything else? Why don't we make developers' life easier and keep it until we move to the maven/jvm plugin with the NPE fixed (not soon, probably, as it is not fixed yet)?

I believe that the downside is reduced performance. In addition, the problem might happen in any module and therefore it doesn't make sense to change the setting for just a few modules if it were to be enabled globally.
There might also be some changes in how maven compiler issues are displayed when forceJavacCompilerUse is used.

The way to make developers' life easier is to raise awareness of this issue. I added a simpler workaround to #13126, it's by passing -Dmaven.compiler.forceJavacCompilerUse=true to the mvn command line. To make it easier to find this information we could add the information to README or the contributor guide.
I just added this solution to stack overflow.

[lhotari]

btw. Regarding the NPEs with maven-compiler-plugin, version 3.9.0 was released recently with fixes to some NPE issues. https://lists.apache.org/thread/8bm3powmfy46z25k9jgrbkf1kxf5j6yk . I'll create a PR to upgrade to 3.9.0 . PR is #13789.

[lhotari]

Good work @dlg99 ! LGTM

[eolivelli]

LGTM

great