Posted to commits@arrow.apache.org by li...@apache.org on 2022/07/08 20:31:50 UTC
[arrow] branch master updated: ARROW-16996: [Java] Configure Netty/GRPC/Protobuf base on BOM configuration + upgrade of dependencies by CVE (#13544)
This is an automated email from the ASF dual-hosted git repository.
lidavidm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/arrow.git
The following commit(s) were added to refs/heads/master by this push:
new 17d6fdc0e9 ARROW-16996: [Java] Configure Netty/GRPC/Protobuf base on BOM configuration + upgrade of dependencies by CVE (#13544)
17d6fdc0e9 is described below
commit 17d6fdc0e9c00534e4de7bfb193c33c86cab7e15
Author: david dali susanibar arce <da...@gmail.com>
AuthorDate: Fri Jul 8 15:31:45 2022 -0500
ARROW-16996: [Java] Configure Netty/GRPC/Protobuf base on BOM configuration + upgrade of dependencies by CVE (#13544)
- Configure Netty/GRPC/Protobuf based on BOM (Bill of Materials) configuration, so that dependency versions are supplied by configuration (https://github.com/netty/netty/issues/5994).
- Upgrade Netty/GRPC/Protobuf dependencies. Netty [CVE](https://github.com/advisories/GHSA-269q-hmxg-m83q)
Authored-by: david dali susanibar arce <da...@gmail.com>
Signed-off-by: David Li <li...@gmail.com>
---
docs/source/developers/java/building.rst | 5 ---
java/flight/flight-core/pom.xml | 49 ++--------------------------
java/flight/flight-grpc/pom.xml | 9 ++---
java/flight/flight-integration-tests/pom.xml | 1 -
java/flight/flight-sql/pom.xml | 4 ---
java/flight/pom.xml | 10 ++----
java/pom.xml | 40 ++++++++++++++---------
7 files changed, 31 insertions(+), 87 deletions(-)
diff --git a/docs/source/developers/java/building.rst b/docs/source/developers/java/building.rst
index 38c03d0e48..e50142d285 100644
--- a/docs/source/developers/java/building.rst
+++ b/docs/source/developers/java/building.rst
@@ -186,11 +186,6 @@ Arrow repository, and update the following settings:
Settings > Build, Execution, Deployment > Compiler > Java Compiler and disable
"Use '--release' option for cross-compilation (Java 9 and later)". Otherwise
you will get an error like "package sun.misc does not exist".
-* You may need to disable the ``linux-netty-native`` or ``mac-netty-native``
- profile in the Maven tool window if you get an error like the following::
-
- Unresolved dependency: 'io.netty:netty-transport-native-unix-common:jar:4.1.72.Final'
-
* If using IntelliJ's Maven integration to build, you may need to change
``<fork>`` to ``false`` in the pom.xml files due to an `IntelliJ bug
<https://youtrack.jetbrains.com/issue/IDEA-278903>`__.
diff --git a/java/flight/flight-core/pom.xml b/java/flight/flight-core/pom.xml
index 072be1e995..28325e9bff 100644
--- a/java/flight/flight-core/pom.xml
+++ b/java/flight/flight-core/pom.xml
@@ -53,27 +53,22 @@
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-netty</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-core</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-context</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-protobuf</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-tcnative-boringssl-static</artifactId>
- <version>${dep.netty-tcnative.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
@@ -82,12 +77,10 @@
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
- <version>${dep.netty.version}</version>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-transport</artifactId>
- <version>${dep.netty.version}</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
@@ -96,17 +89,14 @@
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-stub</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
- <version>${dep.protobuf.version}</version>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-api</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
@@ -224,10 +214,10 @@
<artifactId>protobuf-maven-plugin</artifactId>
<version>0.6.1</version>
<configuration>
- <protocArtifact>com.google.protobuf:protoc:${dep.protobuf.version}:exe:${os.detected.classifier}</protocArtifact>
+ <protocArtifact>com.google.protobuf:protoc:${dep.protobuf-bom.version}:exe:${os.detected.classifier}</protocArtifact>
<clearOutputDirectory>false</clearOutputDirectory>
<pluginId>grpc-java</pluginId>
- <pluginArtifact>io.grpc:protoc-gen-grpc-java:${dep.grpc.version}:exe:${os.detected.classifier}</pluginArtifact>
+ <pluginArtifact>io.grpc:protoc-gen-grpc-java:${dep.grpc-bom.version}:exe:${os.detected.classifier}</pluginArtifact>
</configuration>
<executions>
<execution>
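Review bot: The `<protocArtifact>` and `<pluginArtifact>` coordinates now read `${dep.protobuf-bom.version}` and `${dep.grpc-bom.version}`, but they are plain strings resolved by protobuf-maven-plugin, so the BOM imports in `dependencyManagement` do not govern them. Only the shared property keeps protoc and protoc-gen-grpc-java on the same version as the runtime jars, and the `-bom` suffix hides that these properties also select executables that are downloaded and run during the build. I would add a comment above the configuration such as `<!-- protoc / protoc-gen-grpc-java are not covered by the imported BOMs; they must stay equal to the protobuf-java and grpc versions the BOMs manage -->`. The same applies to the matching hunks in java/flight/flight-grpc/pom.xml and java/flight/pom.xml. The enclosing `<plugin>` element starts and ends outside this hunk.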
@@ -257,6 +247,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
+ <version>3.3.0</version>
<executions>
<execution>
<id>analyze</id>
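Review bot: The added `<version>3.3.0</version>` pins maven-dependency-plugin inside this one module, while the rest of the commit moves version numbers out of the modules into central management. If the parent pom has a `pluginManagement` section (not visible here), the pin belongs there, so that every module running the `analyze` execution uses the same plugin version and a later upgrade is a single edit. The `<plugin>` block continues past the end of this hunk.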
@@ -311,38 +302,4 @@
</plugin>
</plugins>
</build>
- <profiles>
- <profile>
- <id>linux-netty-native</id>
- <activation>
- <os>
- <family>linux</family>
- </os>
- </activation>
- <dependencies>
- <dependency>
- <groupId>io.netty</groupId>
- <artifactId>netty-transport-native-unix-common</artifactId>
- <version>${dep.netty.version}</version>
- <classifier>${os.detected.name}-${os.detected.arch}</classifier>
- </dependency>
- </dependencies>
- </profile>
- <profile>
- <id>mac-netty-native</id>
- <activation>
- <os>
- <family>mac</family>
- </os>
- </activation>
- <dependencies>
- <dependency>
- <groupId>io.netty</groupId>
- <artifactId>netty-transport-native-unix-common</artifactId>
- <version>${dep.netty.version}</version>
- <classifier>${os.detected.name}-${os.detected.arch}</classifier>
- </dependency>
- </dependencies>
- </profile>
- </profiles>
</project>
diff --git a/java/flight/flight-grpc/pom.xml b/java/flight/flight-grpc/pom.xml
index 22067b1fbf..5c113be861 100644
--- a/java/flight/flight-grpc/pom.xml
+++ b/java/flight/flight-grpc/pom.xml
@@ -50,12 +50,10 @@
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-core</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-stub</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>org.apache.arrow</groupId>
@@ -72,7 +70,6 @@
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-protobuf</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
@@ -81,12 +78,10 @@
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
- <version>${dep.protobuf.version}</version>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-api</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
</dependencies>
@@ -105,10 +100,10 @@
<artifactId>protobuf-maven-plugin</artifactId>
<version>0.6.1</version>
<configuration>
- <protocArtifact>com.google.protobuf:protoc:${dep.protobuf.version}:exe:${os.detected.classifier}</protocArtifact>
+ <protocArtifact>com.google.protobuf:protoc:${dep.protobuf-bom.version}:exe:${os.detected.classifier}</protocArtifact>
<clearOutputDirectory>false</clearOutputDirectory>
<pluginId>grpc-java</pluginId>
- <pluginArtifact>io.grpc:protoc-gen-grpc-java:${dep.grpc.version}:exe:${os.detected.classifier}</pluginArtifact>
+ <pluginArtifact>io.grpc:protoc-gen-grpc-java:${dep.grpc-bom.version}:exe:${os.detected.classifier}</pluginArtifact>
</configuration>
<executions>
<execution>
diff --git a/java/flight/flight-integration-tests/pom.xml b/java/flight/flight-integration-tests/pom.xml
index 1fbab61a67..e676be979d 100644
--- a/java/flight/flight-integration-tests/pom.xml
+++ b/java/flight/flight-integration-tests/pom.xml
@@ -48,7 +48,6 @@
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
- <version>${dep.protobuf.version}</version>
</dependency>
<dependency>
<groupId>commons-cli</groupId>
diff --git a/java/flight/flight-sql/pom.xml b/java/flight/flight-sql/pom.xml
index 54637ef0f2..63785d7584 100644
--- a/java/flight/flight-sql/pom.xml
+++ b/java/flight/flight-sql/pom.xml
@@ -60,7 +60,6 @@
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-protobuf</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
@@ -69,17 +68,14 @@
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-stub</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
- <version>${dep.protobuf.version}</version>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-api</artifactId>
- <version>${dep.grpc.version}</version>
</dependency>
<dependency>
<groupId>org.apache.arrow</groupId>
diff --git a/java/flight/pom.xml b/java/flight/pom.xml
index 670e763af7..151bc58221 100644
--- a/java/flight/pom.xml
+++ b/java/flight/pom.xml
@@ -24,12 +24,6 @@
<packaging>pom</packaging>
- <properties>
- <dep.grpc.version>1.44.1</dep.grpc.version>
- <dep.netty-tcnative.version>2.0.46.Final</dep.netty-tcnative.version>
- <dep.protobuf.version>3.19.4</dep.protobuf.version>
- </properties>
-
<modules>
<module>flight-core</module>
<module>flight-grpc</module>
@@ -46,10 +40,10 @@
<version>0.6.1</version>
<configuration>
<protocArtifact>
- com.google.protobuf:protoc:${dep.protobuf.version}:exe:${os.detected.classifier}
+ com.google.protobuf:protoc:${dep.protobuf-bom.version}:exe:${os.detected.classifier}
</protocArtifact>
<pluginId>grpc-java</pluginId>
- <pluginArtifact>io.grpc:protoc-gen-grpc-java:${dep.grpc.version}:exe:${os.detected.classifier}
+ <pluginArtifact>io.grpc:protoc-gen-grpc-java:${dep.grpc-bom.version}:exe:${os.detected.classifier}
</pluginArtifact>
</configuration>
</plugin>
diff --git a/java/pom.xml b/java/pom.xml
index 6f2ed823cf..578b80c497 100644
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -33,7 +33,9 @@
<dep.junit.jupiter.version>5.4.0</dep.junit.jupiter.version>
<dep.slf4j.version>1.7.25</dep.slf4j.version>
<dep.guava.version>30.1.1-jre</dep.guava.version>
- <dep.netty.version>4.1.72.Final</dep.netty.version>
+ <dep.netty-bom.version>4.1.78.Final</dep.netty-bom.version>
+ <dep.grpc-bom.version>1.47.0</dep.grpc-bom.version>
+ <dep.protobuf-bom.version>3.21.2</dep.protobuf-bom.version>
<dep.jackson-bom.version>2.13.2.20220328</dep.jackson-bom.version>
<dep.hadoop.version>2.7.1</dep.hadoop.version>
<dep.fbs.version>1.12.0</dep.fbs.version>
@@ -524,21 +526,6 @@
<artifactId>guava</artifactId>
<version>${dep.guava.version}</version>
</dependency>
- <dependency>
- <groupId>io.netty</groupId>
- <artifactId>netty-handler</artifactId>
- <version>${dep.netty.version}</version>
- </dependency>
- <dependency>
- <groupId>io.netty</groupId>
- <artifactId>netty-buffer</artifactId>
- <version>${dep.netty.version}</version>
- </dependency>
- <dependency>
- <groupId>io.netty</groupId>
- <artifactId>netty-common</artifactId>
- <version>${dep.netty.version}</version>
- </dependency>
<dependency>
<groupId>com.google.code.findbugs</groupId>
<artifactId>jsr305</artifactId>
@@ -578,6 +565,27 @@
<type>pom</type>
<scope>import</scope>
</dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-bom</artifactId>
+ <version>${dep.netty-bom.version}</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
+ <dependency>
+ <groupId>io.grpc</groupId>
+ <artifactId>grpc-bom</artifactId>
+ <version>${dep.grpc-bom.version}</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
+ <dependency>
+ <groupId>com.google.protobuf</groupId>
+ <artifactId>protobuf-bom</artifactId>
+ <version>${dep.protobuf-bom.version}</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
</dependencies>
</dependencyManagement>
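Review bot: Nothing near the new `netty-bom` import records that it now overrides whatever Netty version grpc-netty declares transitively. It presumably also selects the netty-tcnative-boringssl-static version that was previously pinned by `dep.netty-tcnative.version`, which this commit removes. Whether grpc 1.47.0 is supported with Netty 4.1.78.Final and the tcnative version the BOM brings in cannot be seen from this diff, and a mismatch there tends to show up only at TLS handshake time. I would add a comment above the import, e.g. `<!-- overrides the Netty/tcnative versions grpc-netty declares; check grpc-java's Netty compatibility table when bumping either BOM -->`. Running `mvn dependency:tree` for flight-core in CI would make the resolved pair visible.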