@Mariamalmesfer Mariamalmesfer commented Oct 7, 2025

Description

Fix CVE-2025-48924: Remove commons-lang from presto-pinot

Motivation and Context

Commons-lang 2.x is end-of-life (last version 2.6, released 2011) and no longer receives security updates. It has been replaced by commons-lang3. This PR moves the project to use commons-lang3 instead.

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* ... 
* ... 

Hive Connector Changes
* ... 
* ... 

If release note is NOT required, use:

== NO RELEASE NOTE ==

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Oct 7, 2025
linux-foundation-easycla bot commented Oct 7, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: Mariamalmesfer / name: Mariam AlMesfer (ac69b96)

sourcery-ai bot commented Oct 7, 2025

Reviewer's Guide

This PR addresses CVE-2025-48924 by eliminating the older commons-lang 2.x dependency from presto-pinot and presto-accumulo modules, exclusively relying on commons-lang3 and ensuring no transitive inclusion of the vulnerable library.

File-Level Changes

Change: Exclude commons-lang from presto-pinot-toolkit
  • Add commons-lang exclusion under the commons-codec dependency
  • Add commons-lang exclusion under the commons-logging dependency
  Files: presto-pinot-toolkit/pom.xml

Change: Remove direct commons-lang dependency in presto-accumulo
  • Delete the explicit commons-lang 2.6 dependency block
  • Confirm migration to commons-lang3 only
  Files: presto-accumulo/pom.xml

Change: Clean up Accumulo code to drop commons-lang imports
  • Remove unused commons-lang imports in core classes
  • Adjust StringUtils calls to use commons-lang3 or JDK alternatives
  Files:
    presto-accumulo/src/main/java/com/facebook/presto/accumulo/index/Indexer.java
    presto-accumulo/src/main/java/com/facebook/presto/accumulo/io/AccumuloRecordCursor.java
    presto-accumulo/src/main/java/com/facebook/presto/accumulo/model/Row.java

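The exclusion pattern the reviewer's guide describes, shown as an added illustration rather than the PR's own pom.xml diff; the version properties are assumed placeholders, not values from the Presto build:

```xml
<!-- Added example of the dependency shape described above; not the PR's pom.xml.
     Version properties are assumed placeholders. -->
<dependencies>
    <!-- Depend on commons-lang3 directly; commons-lang 2.x is end-of-life
         and receives no security fixes -->
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>${dep.commons-lang3.version}</version>
    </dependency>

    <!-- commons-codec and commons-logging can bring commons-lang 2.x onto the
         classpath transitively; exclude it under each so it cannot reappear -->
    <dependency>
        <groupId>commons-codec</groupId>
        <artifactId>commons-codec</artifactId>
        <version>${dep.commons-codec.version}</version>
        <exclusions>
            <exclusion>
                <groupId>commons-lang</groupId>
                <artifactId>commons-lang</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
        <version>${dep.commons-logging.version}</version>
        <exclusions>
            <exclusion>
                <groupId>commons-lang</groupId>
                <artifactId>commons-lang</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
</dependencies>
```

To confirm nothing else still pulls the 2.x artifact in, run `mvn dependency:tree -Dincludes=commons-lang:commons-lang` in the module; an empty result for every module means the exclusions are complete.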
@Mariamalmesfer Mariamalmesfer changed the title fix(pinot): Fix CVE-2025-48924: Remove commons-lang from presto-pinot [Testing] [Don't review] fix(pinot): Fix CVE-2025-48924: Remove commons-lang from presto-pinot Oct 7, 2025
@Mariamalmesfer Mariamalmesfer force-pushed the fix-commons-lang branch 7 times, most recently from 01b265f to 400db10 Compare October 8, 2025 22:59