[WIP] HIVE-29000: Upgrade nimbus-jose-jwt

Open arorasimran0309 opened this issue 6 months ago • 2 comments

What changes were proposed in this pull request?

Upgrading nimbus-jose-jwt to resolve CVEs

Why are the changes needed?

Due to CVEs

Does this PR introduce any user-facing change?

No

How was this patch tested?

Existing tests

arorasimran0309 avatar Jun 10 '25 05:06 arorasimran0309

@arorasimran0309 , I can still see nimbus older version in iceberg/patched-iceberg-core/pom.xml

[INFO] |  +- org.apache.hadoop:hadoop-auth:jar:3.4.1:compile (optional)
[INFO] |  |  +- com.nimbusds:nimbus-jose-jwt:jar:9.37.2:compile (optional)
[INFO] |  |  |  \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile (optional)

Also, this is a major version change, please check for any incompatibilities in APIs (from release notes). As we are forcing hadoop 3.4.1 to work with 10.3 instead of 9.37.2

Aggarwal-Raghav avatar Jun 10 '25 06:06 Aggarwal-Raghav
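As an added example (not part of this PR or of Hive's build), a small Python check that parses `mvn dependency:tree` output and fails when any transitive nimbus-jose-jwt below the target version remains, which is exactly the situation the reviewer's paste above shows. The sample tree is constructed from those lines with a placeholder root coordinate, and the floor map is a hypothetical CI setting.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output; the hadoop-auth/nimbus lines
# mirror the reviewer's paste above, the root coordinate is a placeholder.
SAMPLE_TREE = r"""
[INFO] org.example:app:jar:1.0
[INFO] |  +- org.apache.hadoop:hadoop-auth:jar:3.4.1:compile (optional)
[INFO] |  |  +- com.nimbusds:nimbus-jose-jwt:jar:9.37.2:compile (optional)
[INFO] |  |  |  \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile (optional)
[INFO] +- com.nimbusds:nimbus-jose-jwt:jar:10.4.2:compile
"""

# Minimum acceptable version per groupId:artifactId (the PR's target version).
FLOORS: Dict[str, str] = {"com.nimbusds:nimbus-jose-jwt": "10.4.2"}

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; non-numeric qualifiers count as 0 (a simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))

def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for each coordinate in the tree output.
    Coordinates have 4 to 6 colon-separated parts: g:a:type[:classifier]:version[:scope]."""
    found = []
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        rest = line[len("[INFO]"):].lstrip("|+\\- ")  # strip tree-drawing characters
        tokens = rest.split()
        parts = tokens[0].split(":") if tokens else []
        if len(parts) < 4 or len(parts) > 6:
            continue  # plugin banners, "BUILD SUCCESS" and similar lines
        version = parts[3] if len(parts) == 4 else parts[-2]  # scope is last when present
        found.append((parts[0], parts[1], version))
    return found

def find_below_floor(text: str, floors: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (coordinate, version) pairs that resolve below the required floor."""
    offenders = []
    for group, artifact, version in parse_tree(text):
        coord = f"{group}:{artifact}"
        if coord in floors and version_key(version) < version_key(floors[coord]):
            offenders.append((coord, version))
    return offenders

if __name__ == "__main__":
    for coord, version in find_below_floor(SAMPLE_TREE, FLOORS):
        print(f"FAIL: {coord} resolved to {version}, below floor {FLOORS[coord]}")
```

Run it against a real `mvn dependency:tree` capture and fail the build when the offender list is non-empty; an artifact pinned in `dependencyManagement` but still pulled in transitively at an older version shows up here.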

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Feel free to reach out on the [email protected] list if the patch is in need of reviews.

github-actions[bot] avatar Aug 11 '25 00:08 github-actions[bot]

@Aggarwal-Raghav older version from iceberg/patched-iceberg-core/pom.xml is handled now. Also, checked release notes for 9.37.2 → 10.4.2 and confirmed no usage of features impacted by notable changes (null‑claim serialization, HS384/HS512 key length enforcement, RSA‑OAEP mode fix). The full build/test suite passes.

arorasimran0309 avatar Aug 21 '25 05:08 arorasimran0309

Waiting for @Aggarwal-Raghav's approval to merge this patch

saihemanth-cloudera avatar Aug 21 '25 18:08 saihemanth-cloudera

Dependency tree looks good, packaging also contains only nimbus-jose-jwt-10.4.2.jar. LGTM +1

Aggarwal-Raghav avatar Aug 21 '25 18:08 Aggarwal-Raghav