Fix PRISMA-2023-0067 upgrade jackson core to 2.15.4

[Mariamalmesfer]

Description

fixes the jackson-core security vulnerability PRISMA-2023-0067 by upgrading from version 2.11.0 to 2.15.4
PRISMA-2023-0067: Details

Motivation and Context

Reasons for upgradation:
This PR upgrades jackson-core to address a Denial of Service (DoS) vulnerability caused by improper input validation during numeric type conversions. This upgrade prevents resource exhaustion by ensuring proper input validation.

Impact

Image Scan showed the vulnerability have been removed.
Image scan report :
Image-scan-report-9 Sep.csv

Test Plan

Contributor checklist

• Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

 == RELEASE NOTES == =

Security Changes
* Upgrade Jackson-core to 2.15.4 :pr:`23753`

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: Mariamalmesfer / name: Mariam AlMesfer (de07533)

[elharo]

Why not a later version like 2.17.1?

[elharo]

I know @steveburnett disagrees with me about this, but I really don't think we should be including dependency upgrades in the release notes.

[elharo]

Looks like the most recent version is 2.18.0

[Mariamalmesfer]

Looks like the most recent version is 2.18.0

The CVS scan suggests upgrading to version 2.15.0, as that's where the vulnerability was fixed. But if we want the latest updates, we can go with 2.18.0. Let me know your preference

[elharo]

I'd prefer to go to the latest (honestly I'd prefer not to depend on jackson at all) but this is still an improvement.

[agrawalreetika]

@Mariamalmesfer @elharo Maybe we can update to the one version before the very latest which is 2.17.2 what do you think?

[Mariamalmesfer]

@Mariamalmesfer @elharo Maybe we can update to the one version before the very latest which is 2.17.2 what do you think?

Sounds good to me. We can go with 2.17.2 if that works for everyone.
cc: @elharo

[elharo]

why not 2.18.0?

[Mariamalmesfer]

@Mariamalmesfer @elharo Maybe we can update to the one version before the very latest which is 2.17.2 what do you think?

We can proceed with either version, but since Reetika mentioned updating to 2.17.2, Let me know what you think.

[agrawalreetika]

@elharo Since version 2.18.0 is the very latest, I was thinking we could use the previous version instead to avoid potential issues with the latest release.

[Mariamalmesfer]

@elharo, @agrawalreetika pointed out the option to update to 2.17.2 instead of the latest 2.18.0. Please advise on the preferred version.

[tdcmeehan]

Can you make <ignoredClassPatterns combine.children="append"> so we don't duplicate this in the submodules?

[Mariamalmesfer]

done

[steveburnett]

Please update the release note entry to the version being updated to. For example

 == RELEASE NOTES == =

Security Changes
* Upgrade Jackson-core to 2.17.2 :pr:`#23753`

[elharo]

I prefer 2.18.0 but I'm not sure others agree with this. Don't overthink it. Either 2.17.2 or 2.18 is better than what we have now.

[tdcmeehan]

Why do we need this addition to the enforcer plugin?

[Mariamalmesfer]

to prevent issues with different Java versions. Java 8 was trying to load JDK 11-specific classes

[tdcmeehan]

Where were the the JDK 11 specific classes being loaded, inside the enforcer plugin? By the way, why is the version of the enforcer plugin upgraded as well?

[Mariamalmesfer]

The JDK 11-specific classes were being loaded as part of Jackson's multi-release JAR (META-INF/versions/11/). These classes are intended to be loaded only on JDK 11 and above, but Maven was attempting to load them in my JDK 8 environment, causing compatibility issues.

[tdcmeehan]

Can you please root cause why we are attempting to load JDK 11 classes and revert this change?

[Mariamalmesfer]

The root cause of the issue lies in the multi-release JAR feature in Jackson. The JDK 11-specific classes (located under META-INF/versions/11/) were being loaded even though the build was running on Java 8. This happened because Maven was attempting to load these classes during the build, which caused compatibility issues.

Upgrading the Enforcer plugin to version 3.3.0, along with the extra-enforcer-rules dependency, ensures that Java 8 doesn't attempt to load these JDK 11 classes, as it properly handles multi-release JARs by excluding versioned classes not compatible with the current JDK version.

[tdcmeehan]

Can you not override the configuration, and use plugin management to update the version?

[Mariamalmesfer]

The enforcer plugin and its version upgrade are already managed in the pluginManagement section

[Mariamalmesfer]

I have removed the section, but I suggest keeping the extra-enforcer-rules dependency. It helps resolve compatibility issues with multi-release JARs.This prevents build failures. Would it be okay to keep it for stability?

[tdcmeehan]

SG

[tdcmeehan]

How is this related to the Jackson upgrade?

[Mariamalmesfer]

to prevent conflicts between multiple versions. Different versions were causing a RequireUpperBoundDeps error in the build, and excluding it ensures the correct version is used.

[tdcmeehan]

Where was the conflict originating from? I don't understand how a Jackson upgrade causes a Google proto conflict.

[Mariamalmesfer]

The conflict originates from transitive dependencies in Google Cloud libraries, specifically google-cloud-bigquery and related modules like google-cloud-core and gax-grpc, which bring in different versions of proto-google-common-protos. When upgrading Jackson, the build system caught these conflicts due to the RequireUpperBoundDeps rule, which enforces the use of a single version for shared dependencies. Excluding the older version ensures that the build uses the latest, compatible version of proto-google-common-protos.

[tdcmeehan]

Isn't this excluding the enforcement of duplicate dependencies, not "excluding the older version"?

[Mariamalmesfer]

You're right that this is more about managing duplicate dependencies than directly "excluding the older version." When I say "excluding the older version," I mean that by using the tag, we're preventing Maven from including conflicting transitive versions of proto-google-common-protos. This ensures that the build system selects the correct, non-conflicting version that is compatible with the rest of the dependencies.

[tdcmeehan]

I do not follow. Isn't this just excluding enforcement of upper bound dependencies? What tag?

[Mariamalmesfer]

Sorry for the confusion. What I meant is that the tag in the enforcer plugin is used to manage conflicting transitive dependencies by preventing Maven from enforcing the upper-bound rule on specific dependencies like proto-google-common-protos. This way, the build process doesn’t fail due to multiple versions being pulled in from different Google Cloud libraries. ensures that Maven doesn’t enforce a version mismatch for proto-google-common-protos, allowing the correct version to be used without causing a conflict.Let me know if this clears things up!

[tdcmeehan]

Sorry but I still don't understand, how does this exclusion ensure only one version is being used? Aren't multiple being used and we're just ignoring the dependency? What happens if you remove this line of code?

[Mariamalmesfer]

The exclusion is not just ignoring the dependency it helps resolve a version conflict that occurs specifically in the presto-bigquery module. This conflict arises because different transitive dependencies (like google-cloud-core, gax-grpc, and others) pull in multiple versions of proto-google-common-protos. Without the exclusion, Maven fails the build due to version conflicts, as seen in the error log for presto-bigquery.

By excluding this from the enforcer's upper-bound rule, Maven allows the correct version to be selected during dependency resolution. This issue only occurs in presto-bigquery, so we could limit this exclusion to that module in the enforcer configuration.

Would it be okay to apply it just to presto-bigquery ?

[tdcmeehan]

Sorry but I still don't understand, how does this exclusion ensure only one version is being used? Aren't multiple being used and we're just ignoring the dependency? What happens if you remove this line of code?

[tdcmeehan]

LGTM but please fix this typo in the commit message: [Upgraded jakcson-core to 2.15.4](https://github.com/prestodb/presto/pull/23753/commits/7b94b0459c7024b8e3880a06dbb3dbcecc49d8a0). jakcson->jackson

[agrawalreetika]

I see this is already included in root pom - https://github.com/prestodb/presto/pull/23753/files#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8R795

Do we still need version here? Is it coming in higher version as transitive dependency from other place?

[Mariamalmesfer]

The specific issue with jackson-databind 2.15.0 and above affects Presto-Hive tests. Downgrading jackson-databind to 2.14.3 here has stabilized the tests without impacting the rest of the engine.

[elharo]

Seems the serialized test data should be updated instead. This is going in the wrong direction

[steveburnett]

Nit I didn't notice earlier, please remove the # from the release note entry

 == RELEASE NOTES == =

Security Changes
* Upgrade Jackson-core to 2.15.4. :pr:`23753`