From 009caf9277924c4d5c70cac915e2e4e7c014a5b4 Mon Sep 17 00:00:00 2001
From: Calvin Kirs
Date: Wed, 29 Apr 2026 11:07:12 +0800
Subject: [PATCH 1/3] [fix](fe) address dependency check findings (#62858)
address dependency check findings
---
 fe/pom.xml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/fe/pom.xml b/fe/pom.xml
index c03a91b1b78a97..0b7d9f575ff135 100644
--- a/fe/pom.xml
+++ b/fe/pom.xml
@@ -278,8 +278,8 @@ under the License. 6.0.0 0.16.0 9.0.104 - 2.25.3 - 2.25.3 + 2.25.4 + 2.25.4 1.2.5 2.0.17 4.0.2
@@ -364,8 +364,8 @@ under the License. 4.13.1 2.8.1 github - 3.5.7 - 6.2.12 + 3.5.14 + 6.2.18 1.8.4 3.9.3 2.4
@@ -930,6 +930,11 @@ under the License. log4j-core ${log4j2.version} + + org.apache.logging.log4j + log4j-web + ${log4j2.version} + org.apache.logging.log4j log4j-iostreams
From 20dc056768087c900b4717ef1d695b6449043a9f Mon Sep 17 00:00:00 2001
From: Calvin Kirs
Date: Tue, 9 Jun 2026 10:00:30 +0800
Subject: [PATCH 2/3] [chore](deps) remove unused commons-lang (2.x) from fe (#64196)
commons-lang 2.x is not referenced by any fe source code. It was only declared in java-common and preload-extensions (bundled into the BE java-extensions runtime classpath via the assembly) without being used. - drop the commons-lang dependencyManagement entry and version property from fe/pom.xml - drop the unused direct dependency from java-common and preload-extensions - migrate the only affected usage (regression-test StringTest UDF) from org.apache.commons.lang.StringUtils to org.apache.commons.lang3.StringUtils **Note: this removes commons-lang 2.x from the BE Java UDF runtime classpath; legacy user UDFs importing org.apache.commons.lang.* must migrate to lang3.**
---
 fe/be-java-extensions/java-common/pom.xml | 5 -----
 fe/be-java-extensions/preload-extensions/pom.xml | 5 -----
 fe/pom.xml | 8 --------
 .../src/main/java/org/apache/doris/udf/StringTest.java | 2 +-
 4 files changed, 1 insertion(+), 19 deletions(-)
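Review bot: The new `log4j-web` entry in the `@@ -930,6 +930,11 @@` hunk of fe/pom.xml carries no comment saying why it is managed, and the commit message only says "address dependency check findings". Nothing in this patch declares `log4j-web` as a direct dependency, so the entry presumably exists to pin a transitive copy to `${log4j2.version}`; a comment such as `<!-- pin transitive log4j-web to the same release as log4j-core (dependency check finding) -->` would keep it from being dropped as unused later. Listing log4j2 modules one by one also leaves any unlisted `org.apache.logging.log4j` artifact free to resolve to an older release, so it is worth checking the resolved tree for others or importing `log4j-bom` to cover them all. The enclosing dependency list starts and ends outside the hunk.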
diff --git a/fe/be-java-extensions/java-common/pom.xml b/fe/be-java-extensions/java-common/pom.xml
index 883615bcf78600..d09224bf6b68a8 100644
--- a/fe/be-java-extensions/java-common/pom.xml
+++ b/fe/be-java-extensions/java-common/pom.xml
@@ -95,11 +95,6 @@ under the License. com.google.guava guava - - commons-lang - commons-lang - ${commons-lang.version} - software.amazon.awssdk
diff --git a/fe/be-java-extensions/preload-extensions/pom.xml b/fe/be-java-extensions/preload-extensions/pom.xml
index c7d22571797fa8..ecdecf236a3ace 100644
--- a/fe/be-java-extensions/preload-extensions/pom.xml
+++ b/fe/be-java-extensions/preload-extensions/pom.xml
@@ -147,11 +147,6 @@ under the License. com.google.guava guava - - commons-lang - commons-lang - ${commons-lang.version} - com.qcloud.cos
diff --git a/fe/pom.xml b/fe/pom.xml
index 0b7d9f575ff135..972838dc3ce855 100644
--- a/fe/pom.xml
+++ b/fe/pom.xml
@@ -257,7 +257,6 @@ under the License. 1.6.0 2.11.0 1.13 - 2.6 3.19.0 2.2 1.5.1
@@ -801,13 +800,6 @@ under the License. commons-codec ${commons-codec.version} - - - - commons-lang - commons-lang - ${commons-lang.version} - org.apache.commons
diff --git a/regression-test/java-udf-src/src/main/java/org/apache/doris/udf/StringTest.java b/regression-test/java-udf-src/src/main/java/org/apache/doris/udf/StringTest.java
index 822c484c70660e..fc8e6803b703cc 100644
--- a/regression-test/java-udf-src/src/main/java/org/apache/doris/udf/StringTest.java
+++ b/regression-test/java-udf-src/src/main/java/org/apache/doris/udf/StringTest.java
@@ -17,7 +17,7 @@ package org.apache.doris.udf;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.hive.ql.exec.UDF; public class StringTest extends UDF {
From 0ff99d5b4c8903ff9469f493c819d5cbe05fcb6d Mon Sep 17 00:00:00 2001
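Review bot: The switched import in StringTest.java needs `commons-lang3` on the compile classpath of `regression-test/java-udf-src`, and that module's pom is not among the four files this commit touches. If lang3 reaches the module only transitively, it should be declared there directly as `org.apache.commons:commons-lang3`, so that a later exclusion or upgrade upstream does not break the UDF build. The class body lies outside the hunk, so the `StringUtils` methods it calls cannot be checked here; confirm each one still exists in lang3 with the same null and empty-string behaviour.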
From: Calvin Kirs
Date: Mon, 15 Jun 2026 11:52:29 +0800
Subject: [PATCH 3/3] [chore](dep)Upgrade dependencies (#64208)
Upgrade FE dependency versions for dependency scan findings: - Exclude transitive dependencies from `hive-exec` in `fe/hive-udf`: - `org.apache.calcite:calcite-core` - `org.apache.calcite:calcite-druid` - `log4j:log4j` - Upgrade Netty managed version from `4.1.132.Final` to `4.2.15.Final`, covering Netty BOM-managed jars such as `netty-codec-memcache`, `netty-codec-mqtt`, and `netty-transport`. - Upgrade Azure SDK BOM from `1.3.4` to `1.3.7`, updating: - `azure-storage-blob` `12.33.1` -> `12.34.0` - `azure-core` `1.57.1` -> `1.58.0` - `azure-core-http-netty` `1.16.3` -> `1.16.4` - `azure-storage-common` `12.32.1` -> `12.33.0` - `azure-storage-internal-avro` `12.18.1` -> `12.19.0` - `azure-identity` `1.18.2` -> `1.18.3` - Override Azure transitive dependencies: - `msal4j` `1.23.1` -> `1.25.0` - `azure-keyvault-core` `1.0.0` -> `1.2.6` - Manage `commons-net:commons-net` to `3.13.0`, replacing older transitive resolutions such as `3.6` from the Hive/Hadoop path and `3.9.0` from Hadoop common.
---
 fe/hive-udf/pom.xml | 14 ++++++++++++++
 fe/pom.xml | 28 ++++++++++++++++++++++++----
 2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/fe/hive-udf/pom.xml b/fe/hive-udf/pom.xml
index 7d48ac5c0ca30f..a30a2a5ac6fed1 100644
--- a/fe/hive-udf/pom.xml
+++ b/fe/hive-udf/pom.xml
@@ -53,6 +53,20 @@ under the License. hive-exec ${hive.version} provided + + + org.apache.calcite + calcite-core + + + org.apache.calcite + calcite-druid + + + log4j + log4j + + ${project.groupId}
diff --git a/fe/pom.xml b/fe/pom.xml
index 972838dc3ce855..e1267cc64bd50f 100644
--- a/fe/pom.xml
+++ b/fe/pom.xml
@@ -258,6 +258,7 @@ under the License. 2.11.0 1.13 3.19.0 + 3.13.0 2.2 1.5.1 1.10.0
@@ -282,9 +283,8 @@ under the License. 1.2.5 2.0.17 4.0.2 - - - 4.1.130.Final + + 4.2.15.Final 3.10.6.Final 2.1
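Review bot: The three exclusions added under `hive-exec` in fe/hive-udf/pom.xml sit on a dependency whose scope is `provided`, so they change what this module compiles against and what a scanner resolves, not what is on the classpath where the UDF runs. The Hive installation that supplies `hive-exec` at runtime still brings its own calcite and log4j 1.x jars, and a Maven exclusion does not touch any classes packaged inside the `hive-exec` jar itself. A comment above the block, for example `<!-- keeps calcite and log4j 1.x off the build classpath only; the runtime Hive ships its own copies -->`, would stop the exclusions from being read as a fix for the deployed environment. It is also worth confirming that nothing in this module compiles against the excluded calcite classes.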
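Review bot: The Netty property in the `@@ -282,9 +283,8 @@` hunk of fe/pom.xml moves from the 4.1 line to `4.2.15.Final`, which is a new minor line rather than a patch-level bump, and the removed value is `4.1.130.Final` while the commit description states the upgrade is from `4.1.132.Final`. To my knowledge Netty 4.2 changes some defaults relative to 4.1, including TLS endpoint verification for clients and the default buffer allocator, so this should be confirmed against the Netty migration notes. FE code and third-party jars built against 4.1, such as the `azure-core-http-netty` client upgraded in the same commit, should be exercised on 4.2 before release. The description should give the starting version that matches the diff, and the property comment should say which scan finding made the 4.2 line necessary instead of a newer 4.1 release.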
@@ -394,8 +394,10 @@ under the License. 2.1.1 9.4 202 - 1.3.4 + 1.3.7 12.22.0 + 1.25.0 + 1.2.6 5.3.0 3.15.0
@@ -806,6 +808,12 @@ under the License. commons-lang3 ${commons-lang3.version} + + + commons-net + commons-net + ${commons-net.version} + org.apache.commons
@@ -1789,6 +1797,18 @@ under the License. pom import + + + com.microsoft.azure + msal4j + ${msal4j.version} + + + + com.microsoft.azure + azure-keyvault-core + ${azure.keyvault.core.version} + com.qcloud