HIVE-28856: Remove Jetty-Runner

[ramitg254]

What changes were proposed in this pull request?

Removal of jetty-runner dependency

Why are the changes needed?

Not jetty-runner as a whole was needed only tomcat-jasper was required

Does this PR introduce any user-facing change?

No

Is the change a dependency upgrade?

No

How was this patch tested?

on local machine, I tested it for successful mvn build and testing it with hive-precommit-tests .

[soumyakanti3578]

It's better to create a variable for versions so that we can reuse them elsewhere. You can probably add

<tomcat.version>9.0.82</tomcat.version>

in the root pom's properties.

[ramitg254]

added variable

[soumyakanti3578]

Create a property variable for this too.

[ramitg254]

added variable

[soumyakanti3578]

Replace this with {tomcat.version}

[ramitg254]

replaced

[soumyakanti3578]

In the "How was this patch tested?" section, can you please include the tests that were run on your local machine?

It is easier for reviewers who are not familiar with the specifics to verify the tests if the steps are listed.

[deniskuzZ]

i think we should be using apache-jsp instead. that would simplify the upgrades of jetty dependencies

<groupId>org.eclipse.jetty</groupId>
<artifactId>apache-jsp</artifactId>
<version>${jetty.version}</version>

[ramitg254]

Actually, I thought of it but as per apache-jsp from org.eclipse.jetty has test dependencies with 3 cve for the current jetty version so i thought of not taking risk of adding it although it is under test scope and also as apache-jsp from org.mortbay.jasper was not alone enough to prevent compilation failures so i also dropped for apache-jsp from org.eclipse.jetty

[ramitg254]

also on using apache-jsp it is giving ant build error on service pom due to absance of org.apache.jasper.JspC so that's why only apache-jsp won't be enough

[deniskuzZ]

@ramitg254, try

<jetty.version>9.4.57.v20241219</jetty.version>

<dependency>
  <groupId>org.eclipse.jetty</groupId>
  <artifactId>apache-jsp</artifactId>
  <version>${jetty.version}</version>
</dependency>

that removes a number of CVEs from org.eclipse.jetty deps:

Direct vulnerabilities:
[CVE-2024-8184](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8184)
[CVE-2023-26049](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049)
[CVE-2023-26048](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048)

Vulnerabilities from dependencies:
[CVE-2023-40167](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167)
[CVE-2022-2047](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2047)

ref: #5599 (comment)

[deniskuzZ]

remove_jetty-runner.patch

mvn clean install -DskipTests -T4 -Pdist,itests -Dmaven.javadoc.skip=true -Drat.skip=true

[ramitg254]

made the changes

[ramitg254]

I have upgraded to 9.0.98 of tomcat-jasper because from version 10 and onwards there was migration from javax.servlet.* to jakarta.servlet.* and we are still using javax.servlet.* so it won't build

[deniskuzZ]

LGTM, pending tests

[deniskuzZ]

@ramitg254, have you tried to start HS2 in Docker and check the WebUI?

[ramitg254]

@ramitg254, have you tried to start HS2 in Docker and check the WebUI?

Yeah, I am able to start hs2 in docker and see the webui of it

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud