From 4889bfedd5fdefc49de2ba6c3fffa21bf747f4fa Mon Sep 17 00:00:00 2001
From: Jan Werner <105367074+janjwerner-confluent@users.noreply.github.com>
Date: Mon, 4 Dec 2023 16:18:42 -0500
Subject: [PATCH] update guava to 32.0.1-jre to address CVEs (#15482)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update guava to 32.0.1-jre to address two CVEs: CVE-2020-8908, CVE-2023-2976
This change requires a minor test change to remove assumptions about ordering.

---------

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
---
 licenses.yaml                                                 | 2 +-
 pom.xml                                                       | 2 +-
 .../apache/druid/metadata/SqlSegmentsMetadataManagerTest.java | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/licenses.yaml b/licenses.yaml
index 1237b07f9ea2..f6ed8e46229a 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -364,7 +364,7 @@ name: Guava
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 31.1-jre
+version: 32.0.1-jre
 libraries:
   - com.google.guava: guava
 
diff --git a/pom.xml b/pom.xml
index c974b657eb70..c72dc3bc8b3a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -94,7 +94,7 @@
         <dropwizard.metrics.version>4.2.22</dropwizard.metrics.version>
         <errorprone.version>2.20.0</errorprone.version>
         <fastutil.version>8.5.4</fastutil.version>
-        <guava.version>31.1-jre</guava.version>
+        <guava.version>32.0.1-jre</guava.version>
         <guice.version>4.1.0</guice.version>
         <hamcrest.version>1.3</hamcrest.version>
         <jetty.version>9.4.53.v20231009</jetty.version>
diff --git a/server/src/test/java/org/apache/druid/metadata/SqlSegmentsMetadataManagerTest.java b/server/src/test/java/org/apache/druid/metadata/SqlSegmentsMetadataManagerTest.java
index ca8113af62f8..7a23234761ee 100644
--- a/server/src/test/java/org/apache/druid/metadata/SqlSegmentsMetadataManagerTest.java
+++ b/server/src/test/java/org/apache/druid/metadata/SqlSegmentsMetadataManagerTest.java
@@ -283,11 +283,11 @@ public void testPollPeriodicallyAndOnDemandInterleave() throws Exception
     Assert.assertTrue(sqlSegmentsMetadataManager.getLatestDatabasePoll() instanceof SqlSegmentsMetadataManager.PeriodicDatabasePoll);
     dataSourcesSnapshot = sqlSegmentsMetadataManager.getDataSourcesSnapshot();
     Assert.assertEquals(
-        ImmutableList.of("wikipedia3", "wikipedia", "wikipedia2"),
+        ImmutableSet.of("wikipedia2", "wikipedia3", "wikipedia"),
         dataSourcesSnapshot.getDataSourcesWithAllUsedSegments()
                            .stream()
                            .map(ImmutableDruidDataSource::getName)
-                           .collect(Collectors.toList())
+                           .collect(Collectors.toSet())
     );
   }