Skip to content

[BugFix][CVE] Exclude unused avro-ipc that bundles vulnerable jquery 1.4.2 (backport #76270)#76376

Closed
mergify[bot] wants to merge 1 commit into
branch-3.5from
mergify/bp/branch-3.5/pr-76270
Closed

[BugFix][CVE] Exclude unused avro-ipc that bundles vulnerable jquery 1.4.2 (backport #76270)#76376
mergify[bot] wants to merge 1 commit into
branch-3.5from
mergify/bp/branch-3.5/pr-76270

Conversation

@mergify

@mergify mergify Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Why I'm doing:

avro-ipc-1.11.4.jar ships jquery-1.4.2.min.js (CVE-2011-4969, CVE-2014-6071 and six more jQuery XSS CVEs, two of them rated critical by downstream scanners) as static assets of Avro's stats server, which StarRocks never runs. Scanning the whole build output, the only class that references org.apache.avro.ipc is avro-mapred's tether/TetheredProcess (Avro's tethered-MapReduce debugging feature, also unused), so the jar is dead weight on both sides it ships to:

  • FE classpath: spark-core_2.12 -> avro-mapred -> avro-ipc
  • BE hive-reader lib: direct avro-mapred dependency drags in avro-ipc + avro-ipc-jetty

Upgrading Avro does not help: the latest avro-ipc 1.12.1 still bundles the same jquery 1.4.2.

What I'm doing:

Pom/gradle-only, no Java code changes:

  1. Exclude avro-ipc from spark-core (fe) and avro-ipc/avro-ipc-jetty from avro-mapred (hive-reader). Avro core and avro-mapred stay untouched — org.apache.avro.mapred.FsInput etc. remain on the classpath for Hive Avro reads.
  2. Keep org.tukaani:xz as an explicit dependency: it used to reach fe/lib only through avro-ipc, while commons-compress, clickhouse-jdbc and 5 other shipped jars still reference it. Without this, the exclusion would silently drop the XZ codec.
  3. Ban avro-ipc/avro-ipc-jetty in the maven-enforcer gates (fe + java-extensions root poms) so a future dependency bump cannot re-introduce them.
  4. Mirror everything in the Gradle build (fe/build.gradle.kts, fe/fe-core/build.gradle.kts).

Verification (full FE rebuild + BE hive-reader repackage):

  • fe/lib is byte-identical minus avro-ipc-1.11.4.jar (the explicit xz keeps xz-1.9.jar in place); no jquery-1.4* asset remains anywhere in fe/lib.
  • FE starts clean, metadata queries work, zero ClassNotFound/NoClassDefFound in fe.log.
  • hive-reader-lib drops avro-ipc/avro-ipc-jetty; hive-reader's TestHiveScanner (real .avro file reads through AvroSerDe/AvroContainerInputFormat) passes with the exclusion in place.
  • Both maven reactors pass validate with the new enforcer bans active.

What type of PR is this:

  • BugFix
  • Feature
  • Enhancement
  • Refactor
  • UT
  • Doc
  • Tool

Does this PR entail a change in behavior?

  • Yes, this PR will result in a change in behavior.
  • No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

  • Interface/UI changes: syntax, type conversion, expression evaluation, display information
  • Parameter changes: default values, similar parameters but with different default values
  • Policy changes: use new policy to replace old one, functionality automatically enabled
  • Feature removed
  • Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

  • I have added test cases for my bug fix or my new feature
  • This pr needs user documentation (for new or modified features or behaviors)
    • I have added documentation for my new feature or new function
    • This pr needs auto generate documentation
  • This is a backport pr

Bugfix cherry-pick branch check:

  • I have checked the version labels which the pr will be auto-backported to the target branch
    • 4.1
    • 4.0
    • 3.5

🤖 Generated with Claude Code


This is an automatic backport of pull request #76270 done by Mergify.

…1.4.2 (#76270)

## Why I'm doing:

`avro-ipc-1.11.4.jar` ships `jquery-1.4.2.min.js` (CVE-2011-4969, CVE-2014-6071 and six more jQuery XSS CVEs, two of them rated critical by downstream scanners) as static assets of Avro's stats server, which StarRocks never runs. Scanning the whole build output, the only class that references `org.apache.avro.ipc` is avro-mapred's `tether/TetheredProcess` (Avro's tethered-MapReduce debugging feature, also unused), so the jar is dead weight on both sides it ships to:

- FE classpath: `spark-core_2.12 -> avro-mapred -> avro-ipc`
- BE hive-reader lib: direct `avro-mapred` dependency drags in `avro-ipc` + `avro-ipc-jetty`

Upgrading Avro does not help: the latest avro-ipc 1.12.1 still bundles the same jquery 1.4.2.

## What I'm doing:

Pom/gradle-only, no Java code changes:

1. **Exclude `avro-ipc`** from spark-core (fe) and **`avro-ipc`/`avro-ipc-jetty`** from avro-mapred (hive-reader). Avro core and avro-mapred stay untouched — `org.apache.avro.mapred.FsInput` etc. remain on the classpath for Hive Avro reads.
2. **Keep `org.tukaani:xz` as an explicit dependency**: it used to reach `fe/lib` only through avro-ipc, while commons-compress, clickhouse-jdbc and 5 other shipped jars still reference it. Without this, the exclusion would silently drop the XZ codec.
3. **Ban `avro-ipc`/`avro-ipc-jetty` in the maven-enforcer gates** (fe + java-extensions root poms) so a future dependency bump cannot re-introduce them.
4. **Mirror everything in the Gradle build** (`fe/build.gradle.kts`, `fe/fe-core/build.gradle.kts`).

Verification (full FE rebuild + BE hive-reader repackage):

- `fe/lib` is byte-identical minus `avro-ipc-1.11.4.jar` (the explicit xz keeps `xz-1.9.jar` in place); no `jquery-1.4*` asset remains anywhere in `fe/lib`.
- FE starts clean, metadata queries work, zero `ClassNotFound`/`NoClassDefFound` in fe.log.
- `hive-reader-lib` drops `avro-ipc`/`avro-ipc-jetty`; hive-reader's `TestHiveScanner` (real `.avro` file reads through `AvroSerDe`/`AvroContainerInputFormat`) passes with the exclusion in place.
- Both maven reactors pass `validate` with the new enforcer bans active.

Signed-off-by: Joob1n <Joob1n@outlook.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
(cherry picked from commit 4f9d892)

# Conflicts:
#	fe/fe-core/build.gradle.kts
#	fe/fe-core/pom.xml
@mergify mergify Bot added the conflicts label Jul 15, 2026
@mergify

mergify Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

Cherry-pick of 4f9d892 has failed:

On branch mergify/bp/branch-3.5/pr-76270
Your branch is up to date with 'origin/branch-3.5'.

You are currently cherry-picking commit 4f9d89297d.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   fe/build.gradle.kts
	modified:   fe/pom.xml
	modified:   java-extensions/hive-reader/pom.xml
	modified:   java-extensions/hive-reader/src/test/java/com/starrocks/hive/reader/TestHiveScanner.java
	modified:   java-extensions/pom.xml

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	deleted by us:   fe/fe-core/build.gradle.kts
	both modified:   fe/fe-core/pom.xml

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@wanpengfei-git wanpengfei-git enabled auto-merge (squash) July 15, 2026 02:26
@mergify mergify Bot closed this Jul 15, 2026
auto-merge was automatically disabled July 15, 2026 02:26

Pull request was closed

@mergify

mergify Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

@mergify[bot]: Backport conflict, please reslove the conflict and resubmit the pr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant