Upgrading mysql jar in presto

[namya28]

Description

This PR is for upgrading the mysql jar version to the latest version 9.2.0.
This fixes CVE-2023-22102.

Motivation and Context

Impact

Test Plan

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes

* Upgrade the MySQL to version 9.2.0 in response to `CVE-2023-22102 <https://github.com/advisories/GHSA-m6vm-37g8-gqvh>`_. :pr:`24754`

[agrawalreetika]

Whats the specific exception here? Should we catch that here?

[namya28]

Hi @agrawalreetika , thank you for your feedback. Based on my research , The code is building fine without an exception as well. Since it is optional and if required , would you recommend me adding an IllegalArgumentException instead of Exception?

[agrawalreetika]

Earlier code was throwing SQLException which is why it was added now in your current implementation I don't think try-catch is even needed.
Please check and update the code accordingly.

[agrawalreetika]

Thanks for the changes, please squash your changes into 1 with the relevant commit message.

[ZacBlanco]

Do we need to exclude this or can we just pull up the dependency version through the dependencyManagement section? Or is it due to duplicate class conflicts?

[namya28]

@ZacBlanco, Excluding this as it is resulting in upper bound dependencies error.

[agrawalreetika]

Can't we try to just upgrade the dependency to the required version?

[namya28]

@agrawalreetika , thank you for your feedback! I tried removing the exclusions and tried upgrading the protobuf-java version to 4.29.0 using 2 approaches :

1. upgraded the version to 4.29.0 in root pom. It is resulting in error in presto-main

2. Kept the earlier version as is in the root pom (3.25.5) and tried upgrading the version to 4.29.0 using dependency management in the module pom (presto-function-namespace-managers) and it is resulting in the same error in presto-main . (same in the case of presto-product-tests module as well). 3. Also tried ignoring it under and under duplicate-finder-maven-plugin. Resulting in the same error.

[agrawalreetika]

If with 4.29.0 version upgrade we are hitting duplicate class error then I am ok with excluding it from <artifactId>mysql-connector-j</artifactId> if the CI tests are passing.

@ZacBlanco Do you have any concern with exclusion? Or have any other approach to handle this?

[ZacBlanco]

I am not a fan of excluding random dependencies. The conflicts aren't even on Java classes, so this could potentially lead to runtime issues if we're excluding core protobuf classes. In this case I would rather add exceptions to the duplicate finder for the .proto files

[namya28]

Upgraded the protobuf-java version in the root pom and ignored the dependency ratis-thirdparty-misc under duplicate-finder-maven-plugin since directly adding <ignoredResourcePattern>google/protobuf/*.proto</ignoredResourcePattern> was resulting in the same error.

[ZacBlanco]

Do we have a PR to upgrade the testing-mysql-server? I would prefer if we updated that + released a new version for Presto first before this gets merged in order to reduce the number of exclusions

[ZacBlanco]

Are these not defined/available in the new mysql client? Where is this documented?

[namya28]

These are sql error codes corresponding to the mysql error code. https://dev.mysql.com/doc/connector-j/en/connector-j-reference-error-sqlstates.html.

[ZacBlanco]

I think for the syntax error, we should instead catch the SQLSyntaxError exception from the client rather than catching and comparing the code. For the table exists error, there isn't a corresponding exception type, so we can keep the current approach. Though we should leave a comment with a link to the documentation of error codes for future developers to know where the code came from

[namya28]

Added the SQLSyntaxError exception as well. Had to keep the SQLException as well as I was getting the error Unhandled exception: java.sql.SQLException .

[ZacBlanco]

I am not a fan of excluding random dependencies. The conflicts aren't even on Java classes, so this could potentially lead to runtime issues if we're excluding core protobuf classes. In this case I would rather add exceptions to the duplicate finder for the .proto files

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: namya28 / name: Namya Sehgal (0348d9b)

[namya28]

Do we have a PR to upgrade the testing-mysql-server? I would prefer if we updated that + released a new version for Presto first before this gets merged in order to reduce the number of exclusions

There already is a release for testing mysql-server 8 for the version being used. https://repo.maven.apache.org/maven2/com/facebook/presto/testing-mysql-server-8/ .

[namya28]

@ZacBlanco @agrawalreetika , I have addressed the review comments. Could you please help review once again whenever convenient.

[agrawalreetika]

LGTM. Please squash all your commits into one.

[ZacBlanco]

one minor nit

[ZacBlanco]

LGTM! Thanks for the upgrade!