Use alluxio-core instead of shaded deps to get rid of CVEs

[denodo-research-labs]

Description

Replace alluxio-shaded-client by alluxio-core-client-hdfs, alluxio-core-client-fs and alluxio-core-common.
This change fixes the following Critical and HIGH CVEs introduced by alluxio-shaded-client v313:

CRITICAL

• zookeeper: CVE-2023-44981

HIGH

• protobuf-java: CVE-2024-7254
• commons-io: CVE-2024-47554
• netty-codec-http2: GHSA-xpw8-rcwv-8f8p
• commons-compress: CVE-2024-25710
• ion-java: CVE-2024-21634

The following dependencies need to be upgraded due to this change:

• errorprone 2.28.0
• commons-lang3 3.14.0
• gson 2.11.0
• httpclient 4.5.14
• httpcore 4.4.16
• guice 5.1.0, this change forces the exclusion of guice-multibindings from some libraries that depend on earlier versions of Guice, since guice-multibindings has been moved to guice-core v4.2.

Motivation and Context

Using the alluxio-core libraries instead of the shaded version prevents a lot of CVEs of Critical and HIGH severity.
In general, the shaded versions should be avoided for this reason.

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• If release notes are required, they follow the release notes guidelines.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Replace `alluxio-shaded-client` with `alluxio-core` libraries libraries in response to `CVE-2023-44981
 <https://github.com/advisories/GHSA-7286-pgfv-vxvh>`_. :pr:`24231`

[ZacBlanco]

I have one question

[ZacBlanco]

one nit, otherwise looks good

[infvg]

Tested in IBM lakehouse successfully

[steveburnett]

Suggest including at least the critical CVE in the release note for visibility. This suggestion would look like this:

== RELEASE NOTES ==

Security Changes
* Replace `alluxio-shaded-client` with `alluxio-core` libraries in response to `CVE-2023-44981
 <https://github.com/advisories/GHSA-7286-pgfv-vxvh>`_. :pr:`24231`

[steveburnett]

I don't find any documentation to review.

[denodo-research-labs]

@ZacBlanco, could you review again, please? We just merged the conflicting changes.

Failing checks in test other modules are due to #24334.
And the ones from prestocpp: No space left on device and ld: library 'velox_dwio_arrow_parquet_writer_lib' not found

[denodo-research-labs]

@tdcmeehan, any possibility of merging it?

[denodo-research-labs]

Could someone run test (:presto-spark-base -P presto-spark-tests-smoke) again, please?
It is running successfully in our local environment.

[denodo-research-labs]

Could it be merged now? The prestocpp errors are due to No space left on the device and ld: library 'velox_dwio_arrow_parquet_writer_lib' not found

[tdcmeehan]

@denodo-research-labs can you please rebase to fix the flaky C++ tests above?

[denodo-research-labs]

• TestIcebergParquetMetadataCaching.testParquetMetadataCaching has been reported before, in TestIcebergParquetMetadataCaching.testParquetMetadataCaching looks flaky #22422
• prestocpp-linux-build-engine fails due: (https://github.com/prestodb/presto/actions/runs/12864005363/job/35861649844?pr=24231#logs) /opt/rh/gcc-toolset-12/root/usr/libexec/gcc/x86_64-redhat-linux/12/ld: final link failed: No space left on device
• prestocpp-linux-spark-e2e-tests seems flaky as errors vary: (https://github.com/prestodb/presto/actions/runs/12864005350/job/35864903217?pr=24231#logs)