
[1.3] Version bump for protobuf, snappy-java #16792

Merged
merged 4 commits into from
Dec 6, 2024

Conversation

dbwiddis
Member

@dbwiddis dbwiddis commented Dec 5, 2024

Description

Bumps protobuf-java to 3.25.5 (Resolves CVE-2024-7254)
Bumps snappy-java to 1.1.10.7 (Resolves CVE-2023-43642)

Check List

  • [ ] Functionality includes testing.
  • [ ] API changes companion pull request created, if applicable.
  • [ ] Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
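
The two bumps in the description each raise a dependency to the first version that carries the fix. The script below is an added example, not part of this pull request or of the OpenSearch build: it takes resolved coordinates (one `group:artifact:version` per line, a constructed input format rather than raw `./gradlew dependencies` output) and flags any version that sits below the fix versions named above. The Maven group ids for protobuf-java and snappy-java are their real coordinates; the sample lines and the `audit_deps`/`version_lt` helper names are constructed for the example.

```shell
#!/bin/sh
# Added example, not OpenSearch's own build code. Flags resolved dependency
# versions that are older than the fix versions this PR introduces.
# Input: lines of group:artifact:version on stdin (constructed format).

# Fix floor per coordinate, taken from the PR description; a real audit would
# read this from an advisory feed rather than a literal table.
FIXES="com.google.protobuf:protobuf-java:3.25.5:CVE-2024-7254
org.xerial.snappy:snappy-java:1.1.10.7:CVE-2023-43642"

# version_lt A B : succeeds when dotted-numeric version A is older than B.
# Handles differing component counts (1.1.10 vs 1.1.10.7) by padding with 0
# and ignores a non-numeric suffix such as -SNAPSHOT on a component.
version_lt() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; a=${a#*.}
    bi=${b%%.*}; b=${b#*.}
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
    ai=${ai:-0}; bi=${bi:-0}
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
  done
  return 1
}

# fix_for group:artifact : prints "<fixversion> <cve>", or nothing if untracked
fix_for() {
  printf '%s\n' "$FIXES" | while IFS=: read -r g a v c; do
    [ "$g:$a" = "$1" ] && printf '%s %s\n' "$v" "$c"
  done
}

# audit_deps : reads coordinates from stdin, prints one VULNERABLE line per
# coordinate below its fix floor, and returns the number of findings.
audit_deps() {
  n=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    ga=${line%:*}; ver=${line##*:}
    fix=$(fix_for "$ga")
    [ -z "$fix" ] && continue
    fixv=${fix%% *}; cve=${fix#* }
    if version_lt "$ver" "$fixv"; then
      echo "VULNERABLE $ga:$ver < $fixv ($cve)"
      n=$((n + 1))
    fi
  done
  return "$n"
}

# demo_audit : constructed sample with one stale protobuf, one fixed snappy
# and one untracked library; prints the single finding and returns 1.
demo_audit() {
  printf '%s\n' \
    'com.google.protobuf:protobuf-java:3.22.3' \
    'org.xerial.snappy:snappy-java:1.1.10.7' \
    'com.example:unrelated-lib:9.9.9' | audit_deps
}
```

Pipe a real coordinate list into `audit_deps` and gate on its exit status; a non-zero status is the count of coordinates still below their fix floor.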

@owaiskazi19
Member

owaiskazi19 commented Dec 5, 2024

@dbwiddis You need to run ./gradlew updateSHAs to update the jars for the dependencies.
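
The failing checks that follow come from the build refusing a jar whose recorded checksum no longer matches. The script below is an added example, not the OpenSearch build's own code: it reproduces the property behind the `./gradlew updateSHAs` comment, namely that every third-party jar has a sidecar file holding its SHA-1, and a bumped jar with a stale or missing sidecar fails verification. The sidecar layout (`<jar>.sha1` beside the jar) and the `record_jar_sha`/`verify_jar_sha` helpers are assumptions of this example; the jars it creates are constructed placeholder files.

```shell
#!/bin/sh
# Added example, not OpenSearch's own build code. Models the jar checksum
# check that a dependency bump has to keep in sync: record a SHA-1 sidecar
# per jar, then refuse any jar whose sidecar is missing or stale.
# Layout assumption: <jar>.sha1 sits beside the jar.

# record_jar_sha <jar> : write <jar>.sha1 (the refresh step after a bump)
record_jar_sha() {
  sha1sum "$1" | cut -d' ' -f1 > "$1.sha1"
}

# verify_jar_sha <jar> : 0 if <jar>.sha1 matches the jar, 1 on mismatch,
# 2 if the sidecar is missing; diagnostics go to stderr
verify_jar_sha() {
  jar="$1"
  sidecar="$jar.sha1"
  if [ ! -f "$sidecar" ]; then
    echo "MISSING  $jar: no $sidecar (run the SHA update task)" >&2
    return 2
  fi
  expected=$(tr -d ' \t\r\n' < "$sidecar")   # tolerate a trailing newline
  actual=$(sha1sum "$jar" | cut -d' ' -f1)
  if [ "$expected" = "$actual" ]; then
    return 0
  fi
  echo "MISMATCH $jar: sidecar=$expected actual=$actual" >&2
  return 1
}

# verify_dir <dir> : check every jar in <dir>; prints the number of failures
verify_dir() {
  failures=0
  for j in "$1"/*.jar; do
    [ -e "$j" ] || continue
    verify_jar_sha "$j" || failures=$((failures + 1))
  done
  echo "$failures"
}

# demo_fixture : constructed layout with one good jar, one "bumped" jar whose
# sidecar still holds the old hash, and one jar with no sidecar at all;
# prints the failure count (2)
demo_fixture() {
  dir=$(mktemp -d)
  printf 'old-bytes' > "$dir/libfoo-1.0.jar"; record_jar_sha "$dir/libfoo-1.0.jar"
  printf 'old-bytes' > "$dir/libbar-2.0.jar"; record_jar_sha "$dir/libbar-2.0.jar"
  printf 'new-bytes' > "$dir/libbar-2.0.jar"   # contents changed, sidecar stale
  printf 'any-bytes' > "$dir/libbaz-3.0.jar"   # no sidecar recorded
  verify_dir "$dir"
  rm -rf "$dir"
}
```

Run `verify_dir` over a directory of jars before and after a bump: the stale-sidecar case is exactly what turns a version change into a red CI check until the checksums are regenerated.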

Contributor

github-actions bot commented Dec 5, 2024

❌ Gradle check result for e820f08: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@dbwiddis
Member Author

dbwiddis commented Dec 5, 2024

Could not determine the dependencies of task ':plugins:repository-azure:thirdPartyAudit'.
> Could not resolve all files for configuration ':plugins:repository-azure:runtimeClasspath'.
   > Could not find com.azure:azure-storage-blob:12.18.1.
     Searched in the following locations:
       - https://repo.maven.apache.org/maven2/com/azure/azure-storage-blob/12.18.1/azure-storage-blob-12.18.1.pom

But it's there: https://central.sonatype.com/artifact/com.azure/azure-storage-blob/versions

EDIT: I'm blind it's 28, not 18

Contributor

github-actions bot commented Dec 5, 2024

❌ Gradle check result for eb8e5c1: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Contributor

github-actions bot commented Dec 5, 2024

❌ Gradle check result for 2e930e8: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Contributor

github-actions bot commented Dec 5, 2024

❌ Gradle check result for 8c54edc: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@dbwiddis
Member Author

dbwiddis commented Dec 5, 2024

I'll revert the azure-storage bump as it seems more complicated. Depends on azure-storage-commons but they have different versions and still getting errors bumping both.

@dbwiddis dbwiddis force-pushed the version-bump-cve branch 2 times, most recently from cff7cfe to 4314354 Compare December 5, 2024 19:28
Contributor

github-actions bot commented Dec 5, 2024

❌ Gradle check result for e560c3d: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@dbwiddis
Member Author

dbwiddis commented Dec 5, 2024

Going to back out the commons-compress changes as well as they run afoul of tika.

I'm going to need help from other maintainers on the commons-compress and azure-storage blob CVEs
CC: @andrross @reta

Signed-off-by: Daniel Widdis <[email protected]>
@dbwiddis dbwiddis changed the title [1.3] Version bump for commons-compress, protobuf, hadoop, snappy-java [1.3] Version bump for protobuf, hadoop, snappy-java Dec 5, 2024
Contributor

github-actions bot commented Dec 5, 2024

❌ Gradle check result for 17b39a9: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@dbwiddis dbwiddis force-pushed the version-bump-cve branch 3 times, most recently from 1857d76 to 4d2585d Compare December 5, 2024 23:13
Contributor

github-actions bot commented Dec 5, 2024

❌ Gradle check result for 51aa9c9: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Contributor

github-actions bot commented Dec 5, 2024

❌ Gradle check result for 1857d76: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Contributor

github-actions bot commented Dec 5, 2024

❌ Gradle check result for 4d2585d: ABORTED

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Contributor

github-actions bot commented Dec 5, 2024

❌ Gradle check result for 2cd664a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

@dbwiddis dbwiddis marked this pull request as draft December 6, 2024 00:16
Signed-off-by: Daniel Widdis <[email protected]>
Signed-off-by: Daniel Widdis <[email protected]>
Signed-off-by: Daniel Widdis <[email protected]>
Contributor

github-actions bot commented Dec 6, 2024

❌ Gradle check result for 2cd664a: ABORTED

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

Contributor

github-actions bot commented Dec 6, 2024

✅ Gradle check result for 0862d49: SUCCESS


codecov bot commented Dec 6, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.65%. Comparing base (05f4aac) to head (0862d49).
Report is 38 commits behind head on 1.3.

Additional details and impacted files
@@             Coverage Diff              @@
##                1.3   #16792      +/-   ##
============================================
+ Coverage     77.56%   77.65%   +0.08%     
- Complexity    58760    58798      +38     
============================================
  Files          4223     4223              
  Lines        253441   253459      +18     
  Branches      38701    38692       -9     
============================================
+ Hits         196590   196831     +241     
+ Misses        40844    40631     -213     
+ Partials      16007    15997      -10     


@reta
Collaborator

reta commented Dec 6, 2024

> I'm going to need help from other maintainers on the commons-compress and azure-storage blob CVEs
> CC: @andrross @reta

Seems like you pulled it off @dbwiddis? thanks!
UPD: Oh I see commons-compress is out, will surely help you out

@dbwiddis dbwiddis marked this pull request as ready for review December 6, 2024 05:59
@dbwiddis
Member Author

dbwiddis commented Dec 6, 2024

OK, 2 out of 5 bumps is better than 0.

@dbwiddis
Member Author

dbwiddis commented Dec 6, 2024

> Seems like you pulled it off @dbwiddis? thanks! UPD: Oh I see commons-compress is out, will surely help you out

I only managed to get protobuf and snappy-java.

commons-compress runs afoul of tika on ingest.
azure-storage-blob requires a lot more transitive dependencies and fails container tests that don't exist in 2.x.
hadoop-minicluster fails on some hdfs tests.

I don't know how many are solvable or if we should mark the CVEs as "not fixable due to backwards compatibility" but I hope others with more experience with them (and the 2.x bumps) can advise.

@dbwiddis dbwiddis changed the title [1.3] Version bump for protobuf, hadoop, snappy-java [1.3] Version bump for protobuf, snappy-java Dec 6, 2024
@dbwiddis dbwiddis merged commit 9e291ce into opensearch-project:1.3 Dec 6, 2024
22 of 23 checks passed
@dbwiddis dbwiddis deleted the version-bump-cve branch December 6, 2024 19:36