Upgrade arrow and jackson versions to fix vulnerabilities (#894)

* update Arrow dependency

Co-authored-by: sfc-gh-mknister <[email protected]>
Co-authored-by: Lorna Barber <[email protected]>

FIPS/pom.xml

@@ -37,12 +37,12 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <arrow.version>0.15.1</arrow.version>
+    <arrow.version>7.0.0</arrow.version>
     <slf4j.version>1.7.25</slf4j.version>
     <jsoup.version>1.14.2</jsoup.version>
     <tika.version>1.25</tika.version>
-    <jackson.version>2.11.0</jackson.version>
-    <jacksondatabind.version>2.11.0</jacksondatabind.version>
+    <jackson.version>2.13.2</jackson.version>
+    <jacksondatabind.version>2.13.2.2</jacksondatabind.version>
     <httpclient.version>4.5.5</httpclient.version>
     <jacoco.version>0.8.4</jacoco.version>
     <jacoco.skip.instrument>true</jacoco.skip.instrument>
@@ -264,6 +264,30 @@
       <groupId>org.apache.arrow</groupId>
       <artifactId>arrow-vector</artifactId>
       <version>${arrow.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-annotations</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-databind</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.arrow</groupId>
+      <artifactId>arrow-memory-netty</artifactId>
+      <version>${arrow.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.arrow</groupId>
+      <artifactId>arrow-memory-unsafe</artifactId>
+      <version>${arrow.version}</version>
     </dependency>
     <dependency>
       <groupId>com.google.auth</groupId>
@@ -332,16 +356,61 @@
         <version>3.0.0-M1</version>
         <executions>
           <execution>
-            <id>install-arrow-memory</id>
+            <id>install-arrow-memory-pom</id>
             <phase>validate</phase>
             <goals>
               <goal>install-file</goal>
             </goals>
             <configuration>
-              <file>${basedir}/../dependencies/arrow-memory-${arrow.version}.jar</file>
+              <file>${basedir}/../dependencies/arrow-memory-${arrow.version}.pom</file>
               <groupId>org.apache.arrow</groupId>
               <artifactId>arrow-memory</artifactId>
               <version>${arrow.version}</version>
+              <packaging>pom</packaging>
+              <generatePom>true</generatePom>
+            </configuration>
+          </execution>
+          <execution>
+            <id>install-arrow-memory-core</id>
+            <phase>validate</phase>
+            <goals>
+              <goal>install-file</goal>
+            </goals>
+            <configuration>
+              <file>${basedir}/../dependencies/arrow-memory-core-${arrow.version}.jar</file>
+              <groupId>org.apache.arrow</groupId>
+              <artifactId>arrow-memory-core</artifactId>
+              <version>${arrow.version}</version>
+              <packaging>jar</packaging>
+              <generatePom>true</generatePom>
+            </configuration>
+          </execution>
+          <execution>
+            <id>install-arrow-memory-unsafe</id>
+            <phase>validate</phase>
+            <goals>
+              <goal>install-file</goal>
+            </goals>
+            <configuration>
+              <file>${basedir}/../dependencies/arrow-memory-unsafe-${arrow.version}.jar</file>
+              <groupId>org.apache.arrow</groupId>
+              <artifactId>arrow-memory-unsafe</artifactId>
+              <version>${arrow.version}</version>
+              <packaging>jar</packaging>
+              <generatePom>true</generatePom>
+            </configuration>
+          </execution>
+          <execution>
+            <id>install-arrow-memory-netty</id>
+            <phase>validate</phase>
+            <goals>
+              <goal>install-file</goal>
+            </goals>
+            <configuration>
+              <file>${basedir}/../dependencies/arrow-memory-netty-${arrow.version}.jar</file>
+              <groupId>org.apache.arrow</groupId>
+              <artifactId>arrow-memory-netty</artifactId>
+              <version>${arrow.version}</version>
               <packaging>jar</packaging>
               <generatePom>true</generatePom>
             </configuration>

TestOnly/pom.xml

@@ -12,7 +12,7 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <arrow.version>0.15.1</arrow.version>
+    <arrow.version>7.0.0</arrow.version>
     <jacksondatabind.version>2.11.0</jacksondatabind.version>
     <jacoco.version>0.8.4</jacoco.version>
     <jacoco.skip.instrument>true</jacoco.skip.instrument>
@@ -131,6 +131,16 @@
       <artifactId>arrow-vector</artifactId>
       <version>${arrow.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.arrow</groupId>
+      <artifactId>arrow-memory-unsafe</artifactId>
+      <version>${arrow.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.arrow</groupId>
+      <artifactId>arrow-memory-netty</artifactId>
+      <version>${arrow.version}</version>
+    </dependency>
     <dependency>
       <groupId>com.zaxxer</groupId>
       <artifactId>HikariCP</artifactId>
@@ -199,10 +209,55 @@
               <goal>install-file</goal>
             </goals>
             <configuration>
-              <file>${project.basedir}/../dependencies/arrow-memory-${arrow.version}.jar</file>
+              <file>${project.basedir}/../dependencies/arrow-memory-${arrow.version}.pom</file>
               <groupId>org.apache.arrow</groupId>
               <artifactId>arrow-memory</artifactId>
               <version>${arrow.version}</version>
+              <packaging>pom</packaging>
+              <generatePom>true</generatePom>
+            </configuration>
+          </execution>
+          <execution>
+            <id>install-arrow-memory-core</id>
+            <phase>validate</phase>
+            <goals>
+              <goal>install-file</goal>
+            </goals>
+            <configuration>
+              <file>${project.basedir}/../dependencies/arrow-memory-core-${arrow.version}.jar</file>
+              <groupId>org.apache.arrow</groupId>
+              <artifactId>arrow-memory-core</artifactId>
+              <version>${arrow.version}</version>
+              <packaging>jar</packaging>
+              <generatePom>true</generatePom>
+            </configuration>
+          </execution>
+          <execution>
+            <id>install-arrow-memory-unsafe</id>
+            <phase>validate</phase>
+            <goals>
+              <goal>install-file</goal>
+            </goals>
+            <configuration>
+              <file>${project.basedir}/../dependencies/arrow-memory-unsafe-${arrow.version}.jar</file>
+              <groupId>org.apache.arrow</groupId>
+              <artifactId>arrow-memory-unsafe</artifactId>
+              <version>${arrow.version}</version>
+              <packaging>jar</packaging>
+              <generatePom>true</generatePom>
+            </configuration>
+          </execution>
+          <execution>
+            <id>install-arrow-memory-netty</id>
+            <phase>validate</phase>
+            <goals>
+              <goal>install-file</goal>
+            </goals>
+            <configuration>
+              <file>${project.basedir}/../dependencies/arrow-memory-netty-${arrow.version}.jar</file>
+              <groupId>org.apache.arrow</groupId>
+              <artifactId>arrow-memory-netty</artifactId>
+              <version>${arrow.version}</version>
               <packaging>jar</packaging>
               <generatePom>true</generatePom>
             </configuration>

dependencies/arrow-memory-7.0.0.pom

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor
+  license agreements. See the NOTICE file distributed with this work for additional
+  information regarding copyright ownership. The ASF licenses this file to
+  You under the Apache License, Version 2.0 (the "License"); you may not use
+  this file except in compliance with the License. You may obtain a copy of
+  the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required
+  by applicable law or agreed to in writing, software distributed under the
+  License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
+  OF ANY KIND, either express or implied. See the License for the specific
+  language governing permissions and limitations under the License. -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.apache.arrow</groupId>
+    <artifactId>arrow-java-root</artifactId>
+    <version>7.0.0</version>
+  </parent>
+  <artifactId>arrow-memory</artifactId>
+  <name>Arrow Memory</name>
+  <packaging>pom</packaging>
+
+  <modules>
+    <module>memory-core</module>
+    <module>memory-unsafe</module>
+    <module>memory-netty</module>
+  </modules>
+
+</project>

pom.xml

@@ -37,12 +37,12 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <arrow.version>0.15.1</arrow.version>
+    <arrow.version>7.0.0</arrow.version>
     <slf4j.version>1.7.25</slf4j.version>
     <jsoup.version>1.14.2</jsoup.version>
     <tika.version>1.25</tika.version>
-    <jackson.version>2.12.1</jackson.version>
-    <jacksondatabind.version>2.12.1</jacksondatabind.version>
+    <jackson.version>2.13.2</jackson.version>
+    <jacksondatabind.version>2.13.2.2</jacksondatabind.version>
     <!-- Caution: version 4.5.12 and onward of apache httpclient causes a regression in recognizing S3 certificates (SNOW-259063) -->
     <httpclient.version>4.5.11</httpclient.version>
     <jacoco.version>0.8.4</jacoco.version>
@@ -290,8 +290,30 @@
           <groupId>commons-codec</groupId>
           <artifactId>commons-codec</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-annotations</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-databind</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.apache.arrow</groupId>
+      <artifactId>arrow-memory-unsafe</artifactId>
+      <version>${arrow.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.arrow</groupId>
+      <artifactId>arrow-memory-netty</artifactId>
+      <version>${arrow.version}</version>
+    </dependency>
     <dependency>
       <groupId>com.google.auth</groupId>
       <artifactId>google-auth-library-oauth2-http</artifactId>
@@ -352,16 +374,61 @@
         <version>3.0.0-M1</version>
         <executions>
           <execution>
-            <id>install-arrow-memory</id>
+            <id>install-arrow-memory-pom</id>
             <phase>validate</phase>
             <goals>
               <goal>install-file</goal>
             </goals>
             <configuration>
-              <file>${project.basedir}/dependencies/arrow-memory-${arrow.version}.jar</file>
+              <file>${project.basedir}/dependencies/arrow-memory-${arrow.version}.pom</file>
               <groupId>org.apache.arrow</groupId>
               <artifactId>arrow-memory</artifactId>
               <version>${arrow.version}</version>
+              <packaging>pom</packaging>
+              <generatePom>true</generatePom>
+            </configuration>
+          </execution>
+          <execution>
+            <id>install-arrow-memory-core</id>
+            <phase>validate</phase>
+            <goals>
+              <goal>install-file</goal>
+            </goals>
+            <configuration>
+              <file>${project.basedir}/dependencies/arrow-memory-core-${arrow.version}.jar</file>
+              <groupId>org.apache.arrow</groupId>
+              <artifactId>arrow-memory-core</artifactId>
+              <version>${arrow.version}</version>
+              <packaging>jar</packaging>
+              <generatePom>true</generatePom>
+            </configuration>
+          </execution>
+          <execution>
+            <id>install-arrow-memory-unsafe</id>
+            <phase>validate</phase>
+            <goals>
+              <goal>install-file</goal>
+            </goals>
+            <configuration>
+              <file>${project.basedir}/dependencies/arrow-memory-unsafe-${arrow.version}.jar</file>
+              <groupId>org.apache.arrow</groupId>
+              <artifactId>arrow-memory-unsafe</artifactId>
+              <version>${arrow.version}</version>
+              <packaging>jar</packaging>
+              <generatePom>true</generatePom>
+            </configuration>
+          </execution>
+          <execution>
+            <id>install-arrow-memory-netty</id>
+            <phase>validate</phase>
+            <goals>
+              <goal>install-file</goal>
+            </goals>
+            <configuration>
+              <file>${project.basedir}/dependencies/arrow-memory-netty-${arrow.version}.jar</file>
+              <groupId>org.apache.arrow</groupId>
+              <artifactId>arrow-memory-netty</artifactId>
+              <version>${arrow.version}</version>
               <packaging>jar</packaging>
               <generatePom>true</generatePom>
             </configuration>