Commit to remove vulnerabilities raised for: HADOOP-19074 #6586

Open
wants to merge 2 commits into
base: trunk

prathapsagar

  1. Update Guava to Version: 32.0.1-jre
  2. Update Protobuf to Version: 3.21.12
  3. Update Avro to Version: 1.11.3
  4. Updated private access in the below files for Avro compatibility:
  • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/io/serializer/avro/TestAvroSerialization.java
  • hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/jobhistory/JobQueueChangeEvent.java
  • hadoop-tools/hadoop-rumen/src/main/java/org/apache/hadoop/tools/rumen/JobBuilder.java
  • hadoop-tools/hadoop-rumen/src/main/java/org/apache/hadoop/tools/rumen/JobHistoryUtils.java
  • hadoop-tools/hadoop-rumen/src/main/java/org/apache/hadoop/tools/rumen/LoggedTask.java
  • hadoop-tools/hadoop-rumen/src/main/java/org/apache/hadoop/tools/rumen/LoggedTaskAttempt.java

Description of PR

How was this patch tested?

For code changes:

  • Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

 1) Update Guava to Version: 32.0.1-jre
 2) Update Protobuf to Version: 3.21.12
 3) Update Avro to Version: 1.11.3
 4) Updated private access in the below files for Avro compatibility:
- hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/io/serializer/avro/TestAvroSerialization.java
- hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/jobhistory/JobQueueChangeEvent.java
- hadoop-tools/hadoop-rumen/src/main/java/org/apache/hadoop/tools/rumen/JobBuilder.java
- hadoop-tools/hadoop-rumen/src/main/java/org/apache/hadoop/tools/rumen/JobHistoryUtils.java
- hadoop-tools/hadoop-rumen/src/main/java/org/apache/hadoop/tools/rumen/LoggedTask.java
- hadoop-tools/hadoop-rumen/src/main/java/org/apache/hadoop/tools/rumen/LoggedTaskAttempt.java
@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 48s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 1s codespell was not available.
+0 🆗 detsecrets 0m 1s detect-secrets was not available.
+0 🆗 xmllint 0m 1s xmllint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 1 new or modified test files.
_ trunk Compile Tests _
+0 🆗 mvndep 35m 42s Maven dependency ordering for branch
+1 💚 mvninstall 41m 11s trunk passed
+1 💚 compile 19m 54s trunk passed with JDK Ubuntu-11.0.21+9-post-Ubuntu-0ubuntu120.04
+1 💚 compile 17m 57s trunk passed with JDK Private Build-1.8.0_392-8u392-ga-1~20.04-b08
+1 💚 checkstyle 4m 57s trunk passed
+1 💚 mvnsite 4m 1s trunk passed
+1 💚 javadoc 3m 23s trunk passed with JDK Ubuntu-11.0.21+9-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 2m 41s trunk passed with JDK Private Build-1.8.0_392-8u392-ga-1~20.04-b08
+0 🆗 spotbugs 0m 41s branch/hadoop-project no spotbugs output file (spotbugsXml.xml)
-1 ❌ spotbugs 2m 31s /branch-spotbugs-hadoop-common-project_hadoop-common-warnings.html hadoop-common-project/hadoop-common in trunk has 1 extant spotbugs warnings.
+1 💚 shadedclient 38m 35s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 53s Maven dependency ordering for patch
+1 💚 mvninstall 2m 8s the patch passed
+1 💚 compile 18m 50s the patch passed with JDK Ubuntu-11.0.21+9-post-Ubuntu-0ubuntu120.04
+1 💚 javac 18m 50s the patch passed
+1 💚 compile 17m 41s the patch passed with JDK Private Build-1.8.0_392-8u392-ga-1~20.04-b08
+1 💚 javac 17m 41s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
-0 ⚠️ checkstyle 4m 56s /results-checkstyle-root.txt root: The patch generated 1 new + 89 unchanged - 0 fixed = 90 total (was 89)
+1 💚 mvnsite 3m 58s the patch passed
+1 💚 javadoc 3m 12s the patch passed with JDK Ubuntu-11.0.21+9-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 2m 49s the patch passed with JDK Private Build-1.8.0_392-8u392-ga-1~20.04-b08
+0 🆗 spotbugs 0m 36s hadoop-project has no data from spotbugs
-1 ❌ shadedclient 2m 44s patch has errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 0m 35s hadoop-project in the patch passed.
+1 💚 unit 20m 29s hadoop-common in the patch passed.
+1 💚 unit 7m 32s hadoop-mapreduce-client-core in the patch passed.
+1 💚 unit 0m 46s hadoop-rumen in the patch passed.
+1 💚 asflicense 1m 4s The patch does not generate ASF License warnings.
276m 38s
Subsystem Report/Notes
Docker ClientAPI=1.44 ServerAPI=1.44 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6586/1/artifact/out/Dockerfile
GITHUB PR #6586
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets xmllint
uname Linux eaae40a63a9a 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 5b8e2af
Default Java Private Build-1.8.0_392-8u392-ga-1~20.04-b08
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.21+9-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_392-8u392-ga-1~20.04-b08
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6586/1/testReport/
Max. process+thread count 1257 (vs. ulimit of 5500)
modules C: hadoop-project hadoop-common-project/hadoop-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core hadoop-tools/hadoop-rumen U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6586/1/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

Contributor

@dineshchitlangia dineshchitlangia left a comment

Hi @prathapsagar , thank you for contributing this improvement.
Could you pls address the checkstyle violation?

Thank you.

…/test/java/org/apache/hadoop/io/serializer/avro/TestAvroSerialization.java
@prathapsagar
Author

Hi @dineshchitlangia, I have resolved the checkstyle violation and raised a new PR with the changes; please validate: #6586

@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 17m 23s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 1s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 0s xmllint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 1 new or modified test files.
_ trunk Compile Tests _
+0 🆗 mvndep 14m 29s Maven dependency ordering for branch
+1 💚 mvninstall 37m 3s trunk passed
+1 💚 compile 20m 16s trunk passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu220.04.1
+1 💚 compile 18m 26s trunk passed with JDK Private Build-1.8.0_392-8u392-ga-1~20.04-b08
+1 💚 checkstyle 4m 50s trunk passed
+1 💚 mvnsite 4m 1s trunk passed
+1 💚 javadoc 3m 17s trunk passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu220.04.1
+1 💚 javadoc 2m 49s trunk passed with JDK Private Build-1.8.0_392-8u392-ga-1~20.04-b08
+0 🆗 spotbugs 0m 41s branch/hadoop-project no spotbugs output file (spotbugsXml.xml)
-1 ❌ spotbugs 2m 31s /branch-spotbugs-hadoop-common-project_hadoop-common-warnings.html hadoop-common-project/hadoop-common in trunk has 1 extant spotbugs warnings.
+1 💚 shadedclient 38m 38s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 41s Maven dependency ordering for patch
+1 💚 mvninstall 2m 7s the patch passed
+1 💚 compile 18m 47s the patch passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu220.04.1
+1 💚 javac 18m 47s the patch passed
+1 💚 compile 18m 8s the patch passed with JDK Private Build-1.8.0_392-8u392-ga-1~20.04-b08
+1 💚 javac 18m 8s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 4m 50s the patch passed
+1 💚 mvnsite 4m 1s the patch passed
+1 💚 javadoc 3m 13s the patch passed with JDK Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu220.04.1
+1 💚 javadoc 2m 50s the patch passed with JDK Private Build-1.8.0_392-8u392-ga-1~20.04-b08
+0 🆗 spotbugs 0m 36s hadoop-project has no data from spotbugs
-1 ❌ shadedclient 2m 44s patch has errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 0m 36s hadoop-project in the patch passed.
+1 💚 unit 20m 27s hadoop-common in the patch passed.
+1 💚 unit 7m 30s hadoop-mapreduce-client-core in the patch passed.
+1 💚 unit 0m 47s hadoop-rumen in the patch passed.
+1 💚 asflicense 1m 4s The patch does not generate ASF License warnings.
268m 44s
Subsystem Report/Notes
Docker ClientAPI=1.44 ServerAPI=1.44 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6586/2/artifact/out/Dockerfile
GITHUB PR #6586
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets xmllint
uname Linux 283fc36b66d6 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 2d96b0c
Default Java Private Build-1.8.0_392-8u392-ga-1~20.04-b08
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.22+7-post-Ubuntu-0ubuntu220.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_392-8u392-ga-1~20.04-b08
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6586/2/testReport/
Max. process+thread count 1256 (vs. ulimit of 5500)
modules C: hadoop-project hadoop-common-project/hadoop-common hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core hadoop-tools/hadoop-rumen U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6586/2/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

Contributor

@steveloughran steveloughran left a comment

each artifact update needs to be managed separately so we can roll back. that even includes a surefire update.

anything where we fix up to the shaded dependencies in hadoop-thirdparty needs to go in there first and we can then cut a new version of that for 3.4.1.

for avro, we should look at cutting the unshaded version entirely. do we need to publish it?

@@ -151,7 +151,7 @@
<protobuf-maven-plugin.version>0.5.1</protobuf-maven-plugin.version>
<maven-replacer-plugin.version>1.5.3</maven-replacer-plugin.version>

<protobuf-compile.version>3.5.1</protobuf-compile.version>
<protobuf-compile.version>3.16.3</protobuf-compile.version>
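Review bot: neither value on the two protobuf-compile.version lines (3.5.1 and 3.16.3) is the 3.21.12 that the PR description gives for Protobuf, and nothing beside the property says which library version it has to track. State in the description which Protobuf artifact moves to 3.21.12 and why the compiler property differs, and add an XML comment next to protobuf-compile.version naming the place where that version is actually managed.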
Contributor

obsoleted by HADOOP-19065. Update Protocol Buffers installation to 3.21.12 (#6526); needs a version change in hadoop-thirdparty which MUST come out before changing things here.

@@ -169,7 +169,7 @@

<!-- Plugin versions and config -->
<maven-surefire-plugin.argLine>-Xmx2048m -XX:+HeapDumpOnOutOfMemoryError</maven-surefire-plugin.argLine>
<maven-surefire-plugin.version>3.0.0-M1</maven-surefire-plugin.version>
<maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
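Review bot: the maven-surefire-plugin.version lines (3.0.0-M1 and 3.2.5) change a build plugin that is not among the updates the PR description lists (Guava, Protobuf, Avro), and the plugin runs the tests of every module rather than being one of the flagged libraries. Move this property change into its own pull request so it can be reverted without undoing the dependency updates, and note in that request which test modules were run against the new version.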
Contributor

tried that and already had to revert. Now, if you are offering to fix all the test failures which surfaced, you can try again.

HADOOP-19071. Update maven-surefire-plugin from 3.0.0 to 3.2.5. (#6537)" (#6578)

@steveloughran
Contributor

@prathapsagar thanks for starting this. you are about to discover why it is so hard to update dependencies.

Everything we want to use in our own code should be defined in the thirdparty module, https://github.com/apache/hadoop-thirdparty

the version numbers of things like protobuf in our own code must match those of the library version we build with, but they aren't where the values are incremented. (note: we should add comments there).
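
The review's rule that each artifact update is managed separately, so it can be rolled back, can be checked mechanically before a PR is opened. The following is an added example, not code from this PR or from Hadoop: a Python check that reads a unified diff of a POM and reports every `*.version` property whose value changes. The function names are hypothetical, and the sample diff is constructed from the two properties quoted in this review, with the `-`/`+` markers and the file name assumed.

```python
import re

# A removed or added Maven property line, e.g.
#   -    <foo.version>1.0</foo.version>
PROP_LINE = re.compile(
    r"^(?P<sign>[+-])\s*<(?P<name>[\w.-]+\.version)>"
    r"(?P<value>[^<]*)</(?P=name)>\s*$"
)


def changed_version_properties(diff_text):
    """Return {property: (old, new)} for *.version properties whose value changes."""
    old, new = {}, {}
    for line in diff_text.splitlines():
        if line.startswith(("+++", "---")):  # file headers, not content
            continue
        m = PROP_LINE.match(line)
        if not m:
            continue  # context lines, hunk headers, non-version properties
        side = old if m.group("sign") == "-" else new
        side[m.group("name")] = m.group("value").strip()
    return {
        name: (old.get(name), new.get(name))
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)  # ignore whitespace-only edits
    }


def check_single_artifact(diff_text):
    """Pass only when the diff changes at most one version property."""
    changes = changed_version_properties(diff_text)
    return len(changes) <= 1, changes


# Constructed sample: file name and -/+ markers are assumptions.
SAMPLE_DIFF = """\
--- a/pom.xml
+++ b/pom.xml
@@ -151,7 +151,7 @@
     <maven-replacer-plugin.version>1.5.3</maven-replacer-plugin.version>
-    <protobuf-compile.version>3.5.1</protobuf-compile.version>
+    <protobuf-compile.version>3.16.3</protobuf-compile.version>
@@ -169,7 +169,7 @@
-    <maven-surefire-plugin.version>3.0.0-M1</maven-surefire-plugin.version>
+    <maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
"""

if __name__ == "__main__":
    ok, changes = check_single_artifact(SAMPLE_DIFF)
    for name, (before, after) in changes.items():
        print(f"{name}: {before} -> {after}")
    print("OK" if ok else "FAIL: more than one artifact version changed")
```

Run against the sample, the check fails and lists both properties, which is the split the review asks for.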

@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
-1 ❌ patch 0m 54s #6586 does not apply to trunk. Rebase required? Wrong Branch? See https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute for help.
Subsystem Report/Notes
GITHUB PR #6586
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch-windows-10/job/PR-6586/1/console
versions git=2.44.0.windows.1
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.
