Upgrade jackson-databind to 2.12.7 (apache#14770)

The current version of jackson-databind is flagged for vulnerabilities CVE-2020-28491 (Although cbor format is not used in druid), CVE-2020-36518 (Seems genuine as deeply nested json in can cause resource exhaustion). Updating the dependency to the latest version 2.12.7 to fix these vulnerabilities.

extensions-contrib/compressed-bigdecimal/pom.xml

@@ -126,7 +126,6 @@
     <dependency>
       <groupId>joda-time</groupId>
       <artifactId>joda-time</artifactId>
-      <version>2.10.5</version>
       <scope>provided</scope>
     </dependency>
     <dependency>
@@ -138,12 +137,10 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-core</artifactId>
-      <version>2.10.2</version>
     </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-annotations</artifactId>
-      <version>2.10.2</version>
     </dependency>
   </dependencies>
 </project>

extensions-contrib/kafka-emitter/pom.xml

@@ -81,6 +81,11 @@
       <artifactId>jackson-core</artifactId>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.datatype</groupId>
+      <artifactId>jackson-datatype-joda</artifactId>
+      <scope>provided</scope>
+    </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>

extensions-contrib/kafka-emitter/src/test/java/org/apache/druid/emitter/kafka/KafkaEmitterTest.java

@@ -20,6 +20,7 @@
 package org.apache.druid.emitter.kafka;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.joda.JodaModule;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import org.apache.druid.java.util.common.DateTimes;
@@ -102,9 +103,11 @@ public void testKafkaEmitter() throws InterruptedException
         requestTopic == null ? totalEventsExcludingRequestLogEvents : totalEvents);
 
     final KafkaProducer<String, String> producer = mock(KafkaProducer.class);
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.registerModule(new JodaModule());
     final KafkaEmitter kafkaEmitter = new KafkaEmitter(
         new KafkaEmitterConfig("", eventsType, "metrics", "alerts", requestTopic, "metadata", "test-cluster", null),
-        new ObjectMapper()
+        mapper
     )
     {
       @Override

licenses.yaml

@@ -248,7 +248,7 @@ name: Jackson
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 2.10.5
+version: 2.12.7
 libraries:
   - com.fasterxml.jackson.core: jackson-annotations
   - com.fasterxml.jackson.core: jackson-core
@@ -289,7 +289,7 @@ name: Jackson
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 2.10.5.1
+version: 2.12.7
 libraries:
   - com.fasterxml.jackson.core: jackson-databind
 notice: |
@@ -3592,7 +3592,7 @@ libraries:
 ---
 
 name: Jackson Dataformat Yaml
-version: 2.10.5
+version: 2.12.7
 license_category: binary
 module: extensions/druid-avro-extensions
 license_name: Apache License version 2.0

owasp-dependency-check-suppressions.xml

@@ -117,13 +117,6 @@
      -->
     <cve>CVE-2022-42003</cve>
     <cve>CVE-2022-42004</cve>
-    <!-- CVE-2021-46877 only applies to jdk serialization which we do not use
-    https://nvd.nist.gov/vuln/detail/CVE-2021-46877
-    https://github.com/FasterXML/jackson-databind/issues/3328
-    -->
-    <cve>CVE-2021-46877</cve>
-    <!-- According to jackson community, this is not a security issue, see https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098, https://github.com/jeremylong/DependencyCheck/issues/5779 -->
-    <cve>CVE-2023-35116</cve>
   </suppress>
 
 
@@ -638,7 +631,6 @@
     <notes><![CDATA[
    file name: *jackson-*.jar
    ]]></notes>
-    <cve>CVE-2020-36518</cve>
     <cve>CVE-2022-45688</cve>
   </suppress>
 
@@ -675,14 +667,6 @@
     <cve>CVE-2020-17516</cve>
   </suppress>
 
-  <suppress>
-    <!-- jackson-dataformat-cbor-2.10.5.jar -->
-    <notes><![CDATA[
-   file name: jackson-dataformat-cbor-2.10.5.jar
-   ]]></notes>
-    <cve>CVE-2020-28491</cve>
-  </suppress>
-
   <suppress>
     <!-- okhttp -->
     <notes><![CDATA[

pom.xml

@@ -98,7 +98,7 @@
         <hamcrest.version>1.3</hamcrest.version>
         <jetty.version>9.4.51.v20230217</jetty.version>
         <jersey.version>1.19.4</jersey.version>
-        <jackson.version>2.10.5.20201202</jackson.version>
+        <jackson.version>2.12.7</jackson.version>
         <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
         <log4j.version>2.18.0</log4j.version>
         <mysql.version>5.1.49</mysql.version>

processing/src/main/java/org/apache/druid/guice/GuiceAnnotationIntrospector.java

@@ -24,6 +24,7 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.introspect.Annotated;
 import com.fasterxml.jackson.databind.introspect.AnnotatedClass;
+import com.fasterxml.jackson.databind.introspect.AnnotatedField;
 import com.fasterxml.jackson.databind.introspect.AnnotatedMember;
 import com.fasterxml.jackson.databind.introspect.AnnotatedMethod;
 import com.fasterxml.jackson.databind.introspect.AnnotatedParameter;
@@ -33,19 +34,31 @@
 import org.apache.druid.java.util.common.IAE;
 
 import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
 import java.util.Map;
 
 /**
  */
 public class GuiceAnnotationIntrospector extends NopAnnotationIntrospector
 {
   @Override
-  public Object findInjectableValueId(AnnotatedMember m)
+  public JacksonInject.Value findInjectableValue(AnnotatedMember m)
+  {
+    Object id = findGuiceInjectId(m);
+    if (id == null) {
+      return null;
+    }
+    return JacksonInject.Value.forId(id);
+  }
+
+  private Object findGuiceInjectId(AnnotatedMember m)
   {
     if (m.getAnnotation(JacksonInject.class) == null) {
       return null;
     }
 
+    Type genericType = null;
+
     Annotation guiceAnnotation = null;
     for (Annotation annotation : m.annotations()) {
       if (annotation.annotationType().isAnnotationPresent(BindingAnnotation.class)) {
@@ -54,39 +67,54 @@ public Object findInjectableValueId(AnnotatedMember m)
       }
     }
 
+    // Annotated.getGenericType() is removed since jackson-databind 2.11 version. We need the generic type so that we can inject values of the type such as List<XYZ> correctly.
+    // Jackson library removed the method on the abstract class but the methods are still there in the implementations of AnnotatedMember. The method signatures are implementation specific and we are calling those methods to get the generic type.
+
+    if (m instanceof AnnotatedField) {
+      genericType = ((AnnotatedField) m).getAnnotated().getGenericType();
+    } else if (m instanceof AnnotatedMethod) {
+      genericType = ((AnnotatedMethod) m).getAnnotated().getGenericReturnType();
+    } else if (m instanceof AnnotatedParameter) {
+      genericType = ((AnnotatedParameter) m).getOwner().getGenericParameterType(((AnnotatedParameter) m).getIndex());
+    }
+
+    if (genericType == null) {
+      // Fall back to type-erased raw type in case we missed an implementation. We are unlikely to ever get here though
+      genericType = m.getRawType();
+    }
     if (guiceAnnotation == null) {
       if (m instanceof AnnotatedMethod) {
         throw new IAE("Annotated methods don't work very well yet...");
       }
-      return Key.get(m.getGenericType());
+      return Key.get(genericType);
     }
-    return Key.get(m.getGenericType(), guiceAnnotation);
+    return Key.get(genericType, guiceAnnotation);
   }
 
-  /**
-   * This method is used to find what property to ignore in deserialization. Jackson calls this method
-   * per every class and every constructor parameter.
-   *
-   * This implementation returns a {@link JsonIgnoreProperties.Value#empty()} that allows empty names if
-   * the parameters has the {@link JsonProperty} annotation. Otherwise, it returns
-   * {@code JsonIgnoreProperties.Value.forIgnoredProperties("")} that does NOT allow empty names.
-   * This behavior is to work around a bug in Jackson deserializer (see the below comment for details) and
-   * can be removed in the future after the bug is fixed.
-   * For example, suppose a constructor like below:
-   *
-   * <pre>{@code
-   * @JsonCreator
-   * public ClassWithJacksonInject(
-   *   @JsonProperty("val") String val,
-   *   @JacksonInject InjectedParameter injected
-   * )
-   * }</pre>
-   *
-   * During deserializing a JSON string into this class, this method will be called at least twice,
-   * one for {@code val} and another for {@code injected}. It will return {@code Value.empty()} for {@code val},
-   * while {Value.forIgnoredProperties("")} for {@code injected} because the later does not have {@code JsonProperty}.
-   * As a result, {@code injected} will be ignored during deserialization since it has no name.
-   */
+    /**
+     * This method is used to find what property to ignore in deserialization. Jackson calls this method
+     * per every class and every constructor parameter.
+     *
+     * This implementation returns a {@link JsonIgnoreProperties.Value#empty()} that allows empty names if
+     * the parameters has the {@link JsonProperty} annotation. Otherwise, it returns
+     * {@code JsonIgnoreProperties.Value.forIgnoredProperties("")} that does NOT allow empty names.
+     * This behavior is to work around a bug in Jackson deserializer (see the below comment for details) and
+     * can be removed in the future after the bug is fixed.
+     * For example, suppose a constructor like below:
+     *
+     * <pre>{@code
+     * @JsonCreator
+     * public ClassWithJacksonInject(
+     *   @JsonProperty("val") String val,
+     *   @JacksonInject InjectedParameter injected
+     * )
+     * }</pre>
+     *
+     * During deserializing a JSON string into this class, this method will be called at least twice,
+     * one for {@code val} and another for {@code injected}. It will return {@code Value.empty()} for {@code val},
+     * while {Value.forIgnoredProperties("")} for {@code injected} because the later does not have {@code JsonProperty}.
+     * As a result, {@code injected} will be ignored during deserialization since it has no name.
+     */
   @Override
   public JsonIgnoreProperties.Value findPropertyIgnorals(Annotated ac)
   {

processing/src/test/java/org/apache/druid/segment/TestHelper.java

@@ -19,6 +19,7 @@
 
 package org.apache.druid.segment;
 
+import com.fasterxml.jackson.annotation.JacksonInject;
 import com.fasterxml.jackson.databind.AnnotationIntrospector;
 import com.fasterxml.jackson.databind.InjectableValues;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -85,7 +86,7 @@ public static AnnotationIntrospector makeAnnotationIntrospector()
     return new GuiceAnnotationIntrospector()
     {
       @Override
-      public Object findInjectableValueId(AnnotatedMember m)
+      public JacksonInject.Value findInjectableValue(AnnotatedMember m)
       {
         return null;
       }

server/src/test/java/org/apache/druid/client/cache/CacheConfigTest.java

@@ -130,22 +130,22 @@ public void testValidationInsaneError()
     throw new IllegalStateException("Should have already failed");
   }
 
-  @Test(expected = ProvisionException.class)
+  @Test
   public void testTRUE()
   {
     properties.put(PROPERTY_PREFIX + ".populateCache", "TRUE");
     configProvider.inject(properties, configurator);
     CacheConfig config = configProvider.get();
-    throw new IllegalStateException("Should have already failed");
+    Assert.assertTrue(config.isPopulateCache());
   }
 
-  @Test(expected = ProvisionException.class)
+  @Test
   public void testFALSE()
   {
     properties.put(PROPERTY_PREFIX + ".populateCache", "FALSE");
     configProvider.inject(properties, configurator);
     CacheConfig config = configProvider.get();
-    throw new IllegalStateException("Should have already failed");
+    Assert.assertFalse(config.isPopulateCache());
   }