From ef92ea9931fa4358bea21bb0e1b211b4085e0555 Mon Sep 17 00:00:00 2001 From: Jay Patel Date: Thu, 3 Oct 2024 09:22:27 -0700 Subject: [PATCH] SNOW-1707031 hadoop upgrade for vulnerability fix (#849) * fix: pom.xml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHADOOP-8089372 * test * test remove * revert * fix whitespace * upgrade netty too for the hadoop upgrade * Fix maven package * Fix maven install - works locally --------- Co-authored-by: snyk-bot Co-authored-by: Xin Huang --- pom.xml | 16 ++++++++++++++-- scripts/check_content.sh | 1 + scripts/process_licenses.py | 8 ++++++++ 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 4ecf1e26a..f1c746a56 100644 --- a/pom.xml +++ b/pom.xml @@ -50,7 +50,7 @@ 1.11.0 2.17.2 32.0.1-jre - 3.3.6 + 3.4.0 1.5.2 true 0.8.5 @@ -61,7 +61,7 @@ 1.8 1.8 2.4.9 - 4.1.94.Final + 4.1.113.Final 9.37.3 3.1 1.14.1 @@ -240,6 +240,10 @@ org.apache.zookeeper zookeeper + + org.bouncycastle + bcprov-jdk15on + org.eclipse.jetty jetty-server @@ -385,6 +389,14 @@ javax.xml.bind jaxb-api + + org.apache.hadoop + hadoop-yarn-common + + + org.bouncycastle + bcprov-jdk15on + org.slf4j slf4j-reload4j diff --git a/scripts/check_content.sh b/scripts/check_content.sh index e4d3e2076..7608c23ec 100755 --- a/scripts/check_content.sh +++ b/scripts/check_content.sh @@ -28,6 +28,7 @@ if jar tvf $DIR/../target/snowflake-ingest-sdk.jar | awk '{print $8}' | \ grep -v PropertyList-1.0.dtd | \ grep -v properties.dtd | \ grep -v parquet.thrift | \ + grep -v assets/org/apache/commons/math3/random/new-joe-kuo-6.1000 | \ # Native zstd libraries are allowed grep -v -E '^darwin' | \ diff --git a/scripts/process_licenses.py b/scripts/process_licenses.py index 9f715abd6..b5181bce1 100644 --- a/scripts/process_licenses.py +++ b/scripts/process_licenses.py 
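Review bot: The two added `org.bouncycastle:bcprov-jdk15on` exclusions and the `org.apache.hadoop:hadoop-yarn-common` exclusion (pom.xml hunks at -240 and -385) carry no comment saying why they are safe to drop. The enclosing dependency elements start outside both hunks, so it is not visible here which Hadoop artifacts they apply to. If any retained Hadoop code path loads BouncyCastle or YARN classes, the failure would only surface at runtime as a missing class. I would add a one-line rationale above each, e.g. `<!-- excluded: not used by the SDK; keeps it out of the shaded jar -->` (adjusted to the real reason), and confirm from the resolved dependency tree that no other path still brings `bcprov-jdk15on` in.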
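Review bot: The added allowlist entry `grep -v assets/org/apache/commons/math3/random/new-joe-kuo-6.1000` in scripts/check_content.sh is an unanchored regular expression, so it also hides any jar entry that merely contains that text, and each `.` matches any character. Since this script gates what may ship in the jar, an exact match is tighter: `grep -v -x -F 'assets/org/apache/commons/math3/random/new-joe-kuo-6.1000' | \`. The neighbouring entries use the same loose form, and the pipeline starts and ends outside the hunk, so this may be better handled as a follow-up across the whole list. A short comment naming the dependency that ships this asset would also help whoever next audits the allowlist.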
@@ -50,6 +50,14 @@
 "com.nimbusds:nimbus-jose-jwt": APACHE_LICENSE,
 "com.github.stephenc.jcip:jcip-annotations": APACHE_LICENSE,
 "io.netty:netty-common": APACHE_LICENSE,
+ "io.netty:netty-handler": APACHE_LICENSE,
+ "io.netty:netty-resolver": APACHE_LICENSE,
+ "io.netty:netty-buffer": APACHE_LICENSE,
+ "io.netty:netty-transport": APACHE_LICENSE,
+ "io.netty:netty-transport-native-unix-common": APACHE_LICENSE,
+ "io.netty:netty-codec": APACHE_LICENSE,
+ "io.netty:netty-transport-native-epoll": APACHE_LICENSE,
+ "io.netty:netty-transport-classes-epoll": APACHE_LICENSE,
 "com.google.re2j:re2j": GO_LICENSE,
 "com.google.protobuf:protobuf-java": BSD_3_CLAUSE_LICENSE,
 "com.google.code.gson:gson": APACHE_LICENSE,
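Review bot: The eight new `io.netty:*` entries have no comment tying them to this upgrade, so a later reader cannot tell why the license map grew. Their appearance here suggests these modules now reach the packaged jar transitively, though that is inferred rather than visible in the hunk. I would add `# netty modules pulled in transitively by the Hadoop 3.4.0 upgrade` above the first added line, and check in the resolved dependency tree that all of them land on the `4.1.113.Final` version set in pom.xml rather than on whatever Hadoop declares. The dictionary itself starts and ends outside the hunk.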