readd 4.0.0

Author: maltesander

CHANGELOG.md

@@ -15,10 +15,6 @@ All notable changes to this project will be documented in this file.
 - airflow: Bump celery version to 5.5.3 for Airflow 3.x ([#1343]).
 - hive: fixed 4.0.1 shaded hive-metastore-opa-authorizer jar by relocating dependencies ([#1356]).
 
-### Removed
-
-- hive: Remove `4.0.0` ([#1340]).
-
 [#1336]: https://github.com/stackabletech/docker-images/pull/1336
 [#1337]: https://github.com/stackabletech/docker-images/pull/1337
 [#1343]: https://github.com/stackabletech/docker-images/pull/1343

hive/boil-config.toml

@@ -13,6 +13,21 @@ aws-java-sdk-bundle-version = "1.12.367"
 azure-storage-version = "7.0.1"
 azure-keyvault-core-version = "1.0.0"
 
+[versions."4.0.0".local-images]
+# Hive 4 must be built with Java 8 (according to GitHub README) but seems to run on Java 11
+java-base = "11"
+java-devel = "8"
+"hadoop/hadoop" = "3.3.6"
+# hive-metastore-opa-authorizer from: https://github.com/boschglobal/hive-metastore-opa-authorizer
+"hive/hive-metastore-opa-authorizer" = "v1.0.0-hive-4.0.0-hadoop-3.3.6"
+
+[versions."4.0.0".build-arguments]
+jmx-exporter-version = "1.3.0"
+# Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.3.6
+aws-java-sdk-bundle-version = "1.12.367"
+azure-storage-version = "7.0.1"
+azure-keyvault-core-version = "1.0.0"
+
 [versions."4.0.1".local-images]
 # Hive 4.0 must be built with Java 8 (according to GitHub README) but seems to run on Java 11
 java-base = "11"

hive/hive-metastore-opa-authorizer/Dockerfile

@@ -53,8 +53,8 @@ mvn versions:set -DnewVersion=${AUTHORIZER_VERSION}
 if [[ "${HIVE_VERSION}" == "3.1.3" ]]; then
   mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v3/pom.xml
   mv hms-v3/target/com.bosch.bdps.hms3-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/hms3-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar
-# Hive 4.0.1 only works with the shaded jar
-elif [[ "${HIVE_VERSION}" == "4.0.1" ]]; then
+# Hive 4.0.* only works with the shaded jar
+elif [[ "${HIVE_VERSION}" == "4.0.*" ]]; then
   mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v4/pom.xml
   mv hms-v4/target/com.bosch.bdps.hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar
 # Hive 4.1.0 only works with the non shaded jar

hive/hive-metastore-opa-authorizer/boil-config.toml

@@ -7,6 +7,15 @@ authorizer-version = "v1.0.0"
 hive-version = "3.1.3"
 delete-caches = "true"
 
+[versions."v1.0.0-hive-4.0.0-hadoop-3.3.6".local-images]
+"java-devel" = "11"
+"hadoop/hadoop" = "3.3.6"
+
+[versions."v1.0.0-hive-4.0.0-hadoop-3.3.6".build-arguments]
+authorizer-version = "v1.0.0"
+hive-version = "4.0.0"
+delete-caches = "true"
+
 [versions."v1.0.0-hive-4.0.1-hadoop-3.3.6".local-images]
 "java-devel" = "11"
 "hadoop/hadoop" = "3.3.6"

hive/stackable/patches/4.0.0/0001-Include-Postgres-driver.patch

@@ -0,0 +1,34 @@
+From c5eb86648fe96b048723372024fa7278c9e108db Mon Sep 17 00:00:00 2001
+From: Sebastian Bernauer <sebastian.bernauer@stackable.de>
+Date: Tue, 3 Sep 2024 11:13:24 +0200
+Subject: Include Postgres driver
+
+---
+ standalone-metastore/metastore-server/pom.xml | 1 -
+ standalone-metastore/pom.xml                  | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/standalone-metastore/metastore-server/pom.xml b/standalone-metastore/metastore-server/pom.xml
+index a8f680928c..7102f1b5ca 100644
+--- a/standalone-metastore/metastore-server/pom.xml
++++ b/standalone-metastore/metastore-server/pom.xml
+@@ -334,7 +334,6 @@
+     <dependency>
+       <groupId>org.postgresql</groupId>
+       <artifactId>postgresql</artifactId>
+-      <optional>true</optional>
+     </dependency>
+     <dependency>
+       <groupId>org.eclipse.jetty</groupId>
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 28ac5ceb65..e3cbd821bd 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -397,7 +397,6 @@
+         <groupId>org.postgresql</groupId>
+         <artifactId>postgresql</artifactId>
+         <version>${postgres.version}</version>
+-        <scope>runtime</scope>
+       </dependency>
+       <dependency>
+         <groupId>org.apache.httpcomponents</groupId>

hive/stackable/patches/4.0.0/0002-Include-logging-dependencies.patch

@@ -0,0 +1,26 @@
+From 69071d4d4525a8ceb27cbefa9a093d0678a1f3dd Mon Sep 17 00:00:00 2001
+From: Lars Francke <lars.francke@stackable.tech>
+Date: Tue, 13 Aug 2024 13:38:12 +0200
+Subject: Include logging dependencies
+
+This adds dependencies required for use of the XmlLayout for logging
+---
+ standalone-metastore/pom.xml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index e3cbd821bd..205fc31ec7 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -493,6 +493,11 @@
+       <groupId>com.fasterxml.jackson.core</groupId>
+       <artifactId>jackson-databind</artifactId>
+     </dependency>
++    <dependency>
++      <!-- Optional log4j dependency to be able to use the XmlLayout -->
++      <groupId>com.fasterxml.jackson.dataformat</groupId>
++      <artifactId>jackson-dataformat-xml</artifactId>
++    </dependency>
+   </dependencies>
+   <build>
+     <pluginManagement>

hive/stackable/patches/4.0.0/0003-Add-CycloneDX-plugin.patch

@@ -0,0 +1,45 @@
+From 23995b6c1ef70e4e119ce0493e63ff3a75ea1378 Mon Sep 17 00:00:00 2001
+From: Lukas Voetmand <lukas.voetmand@stackable.tech>
+Date: Fri, 6 Sep 2024 17:53:52 +0200
+Subject: Add CycloneDX plugin
+
+---
+ standalone-metastore/pom.xml | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 205fc31ec7..2982a45ca0 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -41,6 +41,7 @@
+     <maven.compiler.useIncrementalCompilation>false</maven.compiler.useIncrementalCompilation>
+     <maven.repo.local>${settings.localRepository}</maven.repo.local>
+     <maven.exec.plugin.version>3.1.0</maven.exec.plugin.version>
++    <maven.cyclonedx.plugin.version>2.8.0</maven.cyclonedx.plugin.version>
+     <checkstyle.conf.dir>${basedir}/${standalone.metastore.path.to.root}/checkstyle</checkstyle.conf.dir>
+     <!-- Test Properties -->
+     <log4j.conf.dir>${project.basedir}/src/test/resources</log4j.conf.dir>
+@@ -594,6 +595,23 @@
+           </excludes>
+         </configuration>
+       </plugin>
++      <plugin>
++        <groupId>org.cyclonedx</groupId>
++        <artifactId>cyclonedx-maven-plugin</artifactId>
++        <version>${maven.cyclonedx.plugin.version}</version>
++        <configuration>
++          <projectType>application</projectType>
++          <schemaVersion>1.5</schemaVersion>
++        </configuration>
++        <executions>
++          <execution>
++            <phase>package</phase>
++            <goals>
++              <goal>makeBom</goal>
++            </goals>
++          </execution>
++        </executions>
++      </plugin>
+     </plugins>
+   </build>
+   <profiles>

hive/stackable/patches/4.0.0/0004-Fix-CVE-2024-36114.patch

@@ -0,0 +1,44 @@
+From 4a85ad5ec7b0dbfb9f2c4524531ae0198a352b3d Mon Sep 17 00:00:00 2001
+From: Malte Sander <malte.sander.it@gmail.com>
+Date: Tue, 12 Nov 2024 11:49:57 +0100
+Subject: Fix CVE-2024-36114
+
+see https://github.com/stackabletech/vulnerabilities/issues/834
+
+Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
+Zstandard compression algorithms to Java. All decompressor
+implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash
+the JVM for certain input, and in some cases also leak the content of
+other memory of the Java process (which could contain sensitive
+information). When decompressing certain data, the decompressors try to
+access memory outside the bounds of the given byte arrays or byte
+buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to
+speed up memory access, no additional bounds checks are performed and
+this has similar security consequences as out-of-bounds access in C or
+C++, namely it can lead to non-deterministic behavior or crash the JVM.
+Users should update to Aircompressor 0.27 or newer where these issues
+have been fixed. When decompressing data from untrusted users, this can
+be exploited for a denial-of-service attack by crashing the JVM, or to
+leak other sensitive information from the Java process. There are no
+known workarounds for this issue.
+---
+ standalone-metastore/pom.xml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 2982a45ca0..cd34884e3b 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -121,6 +121,12 @@
+   </properties>
+   <dependencyManagement>
+     <dependencies>
++      <!-- Mitigate CVE-2024-36114: See https://github.com/stackabletech/vulnerabilities/issues/834 -->
++      <dependency>
++        <groupId>io.airlift</groupId>
++        <artifactId>aircompressor</artifactId>
++        <version>0.27</version>
++      </dependency>
+       <dependency>
+         <groupId>org.apache.orc</groupId>
+         <artifactId>orc-core</artifactId>

hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch

@@ -0,0 +1,47 @@
+From 85fab788520b73e514e52e0753d36dafdf513e5b Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Thu, 15 May 2025 14:14:28 +0200
+Subject: Fix CVE-2024-1597
+
+See https://github.com/stackabletech/vulnerabilities/issues/681
+
+pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using
+PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there
+is no vulnerability. A placeholder for a numeric value must be immediately
+preceded by a minus. There must be a second placeholder for a string value after
+the first placeholder; both must be on the same line. By constructing a matching
+string payload, the attacker can inject SQL to alter the query,bypassing the
+protections that parameterized queries bring against SQL Injection attacks.
+Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are
+affected.
+---
+ pom.xml                      | 2 +-
+ standalone-metastore/pom.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pom.xml b/pom.xml
+index a4dfc8d1e4..699228cba3 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -178,7 +178,7 @@
+     <mariadb.version>2.5.0</mariadb.version>
+     <mssql.version>6.2.1.jre8</mssql.version>
+     <mysql.version>8.0.31</mysql.version>
+-    <postgres.version>42.5.1</postgres.version>
++    <postgres.version>42.5.6</postgres.version>
+     <oracle.version>21.3.0.0</oracle.version>
+     <opencsv.version>2.3</opencsv.version>
+     <orc.version>1.8.5</orc.version>
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index cd34884e3b..da84c8928e 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -72,7 +72,7 @@
+     <mariadb.version>2.5.0</mariadb.version>
+     <mssql.version>6.2.1.jre8</mssql.version>
+     <mysql.version>8.0.31</mysql.version>
+-    <postgres.version>42.5.1</postgres.version>
++    <postgres.version>42.5.6</postgres.version>
+     <oracle.version>21.3.0.0</oracle.version>
+     <dropwizard-metrics-hadoop-metrics2-reporter.version>0.1.2
+     </dropwizard-metrics-hadoop-metrics2-reporter.version>

hive/stackable/patches/4.0.0/patchable.toml

@@ -0,0 +1,2 @@
+base = "183f8cb41d3dbed961ffd27999876468ff06690c"
+mirror = "https://github.com/stackabletech/hive.git"