I have opened the following component update tickets with PRs:

CALCITE-6656 <https://issues.apache.org/jira/browse/CALCITE-6656> Update
owasp plugin from 5.2.2 to 10.0.4 in Avatica
CALCITE-6657 <https://issues.apache.org/jira/browse/CALCITE-6657> Update
checkstyle from 10.3.2 to 10.19.0 in Avatica
CALCITE-6658 <https://issues.apache.org/jira/browse/CALCITE-6658> Update
Jackson from 2.15.2 to 2.15.4 in Avatica
CALCITE-6659 <https://issues.apache.org/jira/browse/CALCITE-6659> Update
Jetty from 9.4.44.v20210927 to 9.4.56.v20240826 in Avatica
CALCITE-6660 <https://issues.apache.org/jira/browse/CALCITE-6660> Update
protobuf-java from 3.21.9 to 3.25.5 in Avatica

This gets the OWASP plugin working, and updates some of the reported
components.

Jetty and Protobuf are possibly relevant; the Jackson CVE is disputed and
probably invalid, and checkstyle is only used at runtime.
Even the latest Jetty has some CVEs, but there's not much we can do about
that.

Istvan


On Fri, Oct 25, 2024 at 7:44 AM Istvan Toth <st...@cloudera.com> wrote:

> Re CALCITE-6590, I think we have agreed to go with the reflection based
> fix, but the PR <https://github.com/apache/calcite-avatica/pull/251> has
> not been approved yet.
> I need a review for the PR.
> I have updated the JIRA description to match the solution we have chosen.
>
> Istvan
>
>
>
> On Fri, Oct 25, 2024 at 12:13 AM Francis Chuang <francischu...@apache.org>
> wrote:
>
>> Hey everyone,
>>
>> Just wanted to follow up on the open issues for Avatica 1.26.0.
>>
>> I would like to get the following into this release:
>> - CALCITE-6590 - Run tests with java.security.manager=allow on JDK23+ in
>> Avatica
>> - CALCITE-5136 - Avatica build (or CI) must fail if there are deprecation
>> warnings
>> - CALCITE-6588 - Support JDK 23 and Guava 33.3.0 in Avatica
>>
>> Istvan, can you see if you can wrap up CALCITE-6590, so the other 2
>> issues can be worked on?
>>
>> Francis
>>
>> On 15/10/2024 3:46 pm, Francis Chuang wrote:
>> > Now that Calcite 1.38.0 has been released, I think it's time to start
>> > the release process for Avatica 1.26.0.
>> >
>> > For starters, I would like to see CALCITE-6590 [1] in this release.
>> >
>> > Are there any other changes the community would like to see in this
>> > release?
>> >
>> > I also note that we have 12 other open PRs that could potentially be
>> > reviewed and merged.
>> >
>> > Francis
>> >
>> > [1] https://github.com/apache/calcite-avatica/pull/251
>> >
>> > On 21/09/2024 9:54 am, Julian Hyde wrote:
>> >>> Apache Pig hasn't released a new version for a long time.
>> >>
>> >> We should consider removing the Pig adapter at some point.
>> >>
>> >> Also upgrade the Spark adapter to a version that uses Hadoop 3.x
>> >> rather than Hadoop 2.x.
>> >
>>
>>
>
> --
> *István Tóth* | Sr. Staff Software Engineer
> *Email*: st...@cloudera.com
> cloudera.com <https://www.cloudera.com>
>


-- 
*István Tóth* | Sr. Staff Software Engineer
*Email*: st...@cloudera.com
cloudera.com <https://www.cloudera.com>