snakeyaml cve fix

[nishithakbhaskaran]

Description

• Upgrade snakeyaml version to 2.0

• Presto Cassandra Tests were failing because the cassandra-server version 2.1.16-1 using sankeyaml 1.x as tranistiive dependency and if we update the version it will cause some methodNotFound Error. Inorder to overcome this we removed the cassandra-server from presto and cherrypicked the dockerised cassandra in tests as done in Use dockerized Cassandra in tests trinodb/trino#2377 . This approach will resolve the issue.

Motivation and Context

• snakeyaml 1.x version which is coming as a transitive dependency introduces below High and Medium CVEs in Mend Scan.

CVE-2022-1471
CVE-2022-25857
CVE-2017-18640
CVE-2022-38752
CVE-2022-38751
CVE-2022-38750
CVE-2022-38749
CVE-2022-41854

• Presto Cassandra Tests were failing because the cassandra-server version 2.1.16-1 using sankeyaml 1.x as tranistiive dependency and if we update the version it will cause some methodNotFound Error. Inorder to overcome this we removed the cassandra-server from presto and cherrypicked the dockerised cassandra in tests as done in Use dockerized Cassandra in tests trinodb/trino#2377 . This approach will resolve the issue.

Impact

Test Plan

Contributor checklist

• Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Fixes
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-1471 <https://nvd.nist.gov/vuln/detail/CVE-2022-1471>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-25857 <https://nvd.nist.gov/vuln/detail/cve-2022-25857>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2017-18640 <https://nvd.nist.gov/vuln/detail/cve-2017-18640>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-38752 <https://nvd.nist.gov/vuln/detail/CVE-2022-38752>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-38751 <https://nvd.nist.gov/vuln/detail/CVE-2022-38751>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-38750 <https://nvd.nist.gov/vuln/detail/CVE-2022-38750>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-38749 <https://nvd.nist.gov/vuln/detail/CVE-2022-38749>`_. :pr:`24099`
* Upgrade snakeyaml to 2.0 in response to `CVE-2022-41854 <https://nvd.nist.gov/vuln/detail/CVE-2022-41854>`_. :pr:`24099`

[nishithakbhaskaran]

Presto Cassandra Tests were failing because the cassandra-server version 2.1.16-1 using sankeyaml 1.x as tranistiive dependency and if we update the version it will cause some methodNotFound Error. Inorder to overcome this we removed the cassandra-server from presto and cherrypicked the dockerised cassandra in tests as done in Trino . This approach will resolve the issue.

[yingsu00]

Move this private member to the private section below.

[nishithakbhaskaran]

Updated

[yingsu00]

What would happen if /var/lib/cassandra does not exist?

[nishithakbhaskaran]

This is the path in Cassandra container and when we start the Cassandra by default will write its data files there.

[yingsu00]

For line 109:

Since you removed data_directory from cu-cassandra.yaml, this is no longer needed. However we need to make sure the path you specified always exist and won't cause error on different platforms.

[nishithakbhaskaran]

Sure I have removed the line. Also the path is inside cassandra docker container and it will be independent of the platforms, so I believe this won't cause issues. I have updated the cherrypick id in the description of the PR.

[yingsu00]

Where is this bring used?

[nishithakbhaskaran]

This dependencyManagement section is to fix the Require upper bound dependencies error for slf4j while building the cassandra module.

[yingsu00]

Can you explain a little bit about why the error happens if this one was not added? Is org.testcontainers dependent on slf4j or something else?

[nishithakbhaskaran]

Yes @yingsu00 .

slf4j comes as a transitive dependency in org.testcontainers. If we do not add this dependencymanagement tag
the following error will come.

Rule 0: org.apache.maven.plugins.enforcer.RequireUpperBoundDeps failed with message:
Failed while enforcing RequireUpperBoundDeps.
.....
.....

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M2:enforce (default) on project presto-cassandra: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. 

Inorder to fix this I have added the slf4j version as dependencyManagement tag.

[yingsu00]

Yes @yingsu00 .

slf4j comes as a transitive dependency in org.testcontainers. If we do not add this dependencymanagement tag the following error will come.

Rule 0: org.apache.maven.plugins.enforcer.RequireUpperBoundDeps failed with message:
Failed while enforcing RequireUpperBoundDeps.
.....
.....

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M2:enforce (default) on project presto-cassandra: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. 

Inorder to fix this I have added the slf4j version as dependencyManagement tag.

If that's the case, can you please add a comment in the code?

[nishithakbhaskaran]

@yingsu00 Added the comment.

[yingsu00]

In the commit message, there should be an empty line after the commit tile.

[nishithakbhaskaran]

In the commit message, there should be an empty line after the commit tile.

@yingsu00 Updated the commit message.Please verify