Remove slf4j-api 1.8+ and use nimbus-jose-jwt 9.31 (#139)

* Use slf4j-api 1.7.25 and use nimbus-jose-jwt 9.31

slf4j-api 1.8+ is not backward compatible
nimbus-jose-jwt 9.31 is non-vulnerable

* Downgrade airlift to 221

* Remove exclusion from default platform since it does not matter internally

build.gradle

@@ -62,6 +62,29 @@ subprojects {
       //    library, but not any SLF4J-binding or any underlying logging system."
       // Our dependencies (e.g. hadoop-common) do bring in slf4j-log4j12 in their dependency graph so we exclude them
       exclude group: 'org.slf4j', module: 'slf4j-log4j12'
+
+      resolutionStrategy.dependencySubstitution {
+        substitute module('com.nimbusds:nimbus-jose-jwt:9.14') using module('com.nimbusds:nimbus-jose-jwt:9.31')
+        substitute module('org.slf4j:slf4j-api') using module ('org.slf4j:slf4j-api:1.7.25')
+        // Downgrade to airlift 221 because airlift 222+ consumes slf4j-api ver. 2+
+        substitute module('io.airlift:bootstrap:222') using module('io.airlift:bootstrap:221')
+        substitute module('io.airlift:concurrent:222') using module('io.airlift:concurrent:221')
+        substitute module('io.airlift:configuration:222') using module('io.airlift:configuration:221')
+        substitute module('io.airlift:discovery:222') using module('io.airlift:discovery:221')
+        substitute module('io.airlift:event:222') using module('io.airlift:event:221')
+        substitute module('io.airlift:http-client:222') using module('io.airlift:http-client:221')
+        substitute module('io.airlift:http-server:222') using module('io.airlift:http-server:221')
+        substitute module('io.airlift:jaxrs:222') using module('io.airlift:jaxrs:221')
+        substitute module('io.airlift:jmx:222') using module('io.airlift:jmx:221')
+        substitute module('io.airlift:jmx-http:222') using module('io.airlift:jmx-http:221')
+        substitute module('io.airlift:json:222') using module('io.airlift:json:221')
+        substitute module('io.airlift:log:222') using module('io.airlift:log:221')
+        substitute module('io.airlift:log-manager:222') using module('io.airlift:log-manager:221')
+        substitute module('io.airlift:node:222') using module('io.airlift:node:221')
+        substitute module('io.airlift:security:222') using module('io.airlift:security:221')
+        substitute module('io.airlift:stats:222') using module('io.airlift:stats:221')
+        substitute module('io.airlift:trace-token:222') using module('io.airlift:trace-token:221')
+      }
     }
   }
 

transportable-udfs-plugin/src/main/java/com/linkedin/transport/plugin/Defaults.java

@@ -78,13 +78,13 @@ private static final String getVersion(final String platform) {
           JavaLanguageVersion.of(17),
           ImmutableList.of(
               DependencyConfiguration.builder(IMPLEMENTATION, "com.linkedin.transport:transportable-udfs-trino", TRANSPORT_VERSION).build(),
-              DependencyConfiguration.builder(COMPILE_ONLY, "io.trino:trino-main", TRINO_VERSION).exclude("com.nimbusds").build()
+              DependencyConfiguration.builder(COMPILE_ONLY, "io.trino:trino-main", TRINO_VERSION).exclude("org.slf4j", "slf4j-api").build()
           ),
           ImmutableList.of(
               DependencyConfiguration.builder(RUNTIME_ONLY, "com.linkedin.transport:transportable-udfs-test-trino", TRANSPORT_VERSION).build(),
               // trino-main:tests is a transitive dependency of transportable-udfs-test-trino, but some POM -> IVY
               // converters drop dependencies with classifiers, so we apply this dependency explicitly
-              DependencyConfiguration.builder(RUNTIME_ONLY, "io.trino:trino-main", TRINO_VERSION).exclude("com.nimbusds").classifier("tests").build()
+              DependencyConfiguration.builder(RUNTIME_ONLY, "io.trino:trino-main", TRINO_VERSION).exclude("org.slf4j", "slf4j-api").classifier("tests").build()
           ),
           ImmutableList.of(new ThinJarPackaging(), new DistributionPackaging())),
       new Platform(HIVE,

transportable-udfs-test/transportable-udfs-test-trino/build.gradle

@@ -13,11 +13,9 @@ dependencies {
   implementation('com.google.guava:guava:24.1-jre')
   implementation(group:'io.trino', name: 'trino-main', version: project.ext.'trino-version') {
     exclude 'group': 'com.google.collections', 'module': 'google-collections'
-    exclude 'group': 'com.nimbusds'
   }
   implementation(group:'io.trino', name: 'trino-main', version: project.ext.'trino-version', classifier: 'tests') {
     exclude 'group': 'com.google.collections', 'module': 'google-collections'
-    exclude 'group': 'com.nimbusds'
   }
   implementation group: 'io.airlift', name: 'testing', version: '221'
   // The io.airlift.slice dependency below has to match its counterpart in trino-root's pom.xml file

transportable-udfs-trino-plugin/build.gradle

@@ -15,13 +15,9 @@ dependencies {
   implementation (group:'io.airlift', name: 'log', version: '221')
   implementation (group:'com.google.guava', name: 'guava', version: '24.1-jre')
   implementation (group:'io.trino', name: 'trino-plugin-toolkit', version: project.ext.'trino-version')
-  runtimeOnly (group:'io.trino', name: 'trino-main', version: project.ext.'trino-version') {
-    exclude 'group': 'com.nimbusds'
-  }
+  runtimeOnly (group:'io.trino', name: 'trino-main', version: project.ext.'trino-version')
   compileOnly(group:'io.trino', name: 'trino-spi', version: project.ext.'trino-version')
-  testImplementation (group:'io.trino', name: 'trino-main', version: project.ext.'trino-version') {
-    exclude 'group': 'com.nimbusds'
-  }
+  testImplementation (group:'io.trino', name: 'trino-main', version: project.ext.'trino-version')
 }
 
 // packaging as a shaded jar following the guideline from Trino plugin

transportable-udfs-trino/build.gradle

@@ -10,15 +10,12 @@ dependencies {
   implementation project(':transportable-udfs-utils')
   compileOnly(group:'io.trino', name: 'trino-main', version: project.ext.'trino-version') {
     exclude 'group': 'com.google.collections', 'module': 'google-collections'
-    exclude 'group': 'com.nimbusds'
   }
   testImplementation(group:'io.trino', name: 'trino-main', version: project.ext.'trino-version') {
     exclude 'group': 'com.google.collections', 'module': 'google-collections'
-    exclude 'group': 'com.nimbusds'
   }
   testImplementation(group:'io.trino', name: 'trino-main', version: project.ext.'trino-version', classifier: 'tests') {
     exclude 'group': 'com.google.collections', 'module': 'google-collections'
-    exclude 'group': 'com.nimbusds'
   }
   compileOnly(group:'io.trino', name: 'trino-spi', version: project.ext.'trino-version')
   implementation('org.apache.hadoop:hadoop-hdfs:2.7.4')