From 5b2187ddca148312ab6545ba3162c6d872fa463e Mon Sep 17 00:00:00 2001
From: Fokko Driesprong
Date: Wed, 16 Oct 2019 15:38:54 -0700
Subject: [PATCH] [SPARK-29483][BUILD] Bump Jackson to 2.10.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Release blog: https://medium.com/cowtowncoder/jackson-2-10-features-cd880674d8a2

Fixes the following CVEs:
https://www.cvedetails.com/cve/CVE-2019-16942/
https://www.cvedetails.com/cve/CVE-2019-16943/

Looking back, there were 3 major goals for this minor release:

- Resolve the growing problem of “endless CVE patches”, a stream of fixes for reported CVEs related to “Polymorphic Deserialization” problem (described in “On Jackson CVEs… ”) that resulted in security tools forcing Jackson upgrades. 2.10 now includes “Safe Default Typing” that is hoped to resolve this problem.
- Evolve 2.x API towards 3.0, based on changes that were done in master, within limits of 2.x API backwards-compatibility requirements.
- Add JDK support for versions beyond Java 8: specifically add “module-info.class” for JDK9+, defining proper module definitions for Jackson components

Full changelog: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10

Improved Scala 2.13 support: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10#scala

Patches CVEs reported by the vulnerability scanner.

No

Ran `mvn clean install -DskipTests` locally.

Closes #26131 from Fokko/SPARK-29483.

Authored-by: Fokko Driesprong
Signed-off-by: Dongjoon Hyun
---
 LICENSE-binary                      | 11 ++++++++++-
 dev/deps/spark-deps-hadoop-palantir | 30 +++++++++++++++--------------
 pom.xml                             |  2 +-
 3 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index f3f3a714d9dd1..27b2544a6b54d 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -488,7 +488,16 @@ org.glassfish.jersey.core:jersey-server org.glassfish.jersey.media:jersey-media-jaxb -Mozilla Public License (MPL) 1.1 +Eclipse Distribution License (EDL) 1.0 +-------------------------------------- + +org.glassfish.jaxb:jaxb-runtime +jakarta.activation:jakarta.activation-api +jakarta.xml.bind:jakarta.xml.bind-api +com.sun.istack:istack-commons-runtime + + +Eclipse Public License (EPL) 2.0 -------------------------------- com.github.rwl:jtransforms https://sourceforge.net/projects/jtransforms/ diff --git a/dev/deps/spark-deps-hadoop-palantir b/dev/deps/spark-deps-hadoop-palantir index b813b19101108..eaded4f223029 100644 --- a/dev/deps/spark-deps-hadoop-palantir +++ b/dev/deps/spark-deps-hadoop-palantir @@ -92,23 +92,25 @@ htrace-core4-4.1.0-incubating.jar httpclient-4.5.6.jar httpcore-4.4.10.jar ivy-2.4.0.jar -jackson-annotations-2.9.7.jar -jackson-core-2.9.7.jar +jackson-annotations-2.10.0.jar +jackson-core-2.10.0.jar jackson-core-asl-1.9.13.jar -jackson-databind-2.9.7.jar -jackson-dataformat-cbor-2.9.7.jar -jackson-dataformat-yaml-2.9.7.jar -jackson-datatype-guava-2.9.7.jar -jackson-datatype-jdk8-2.9.7.jar -jackson-datatype-joda-2.9.7.jar -jackson-datatype-jsr310-2.9.7.jar +jackson-databind-2.10.0.jar +jackson-dataformat-cbor-2.10.0.jar +jackson-dataformat-yaml-2.10.0.jar +jackson-datatype-guava-2.10.0.jar +jackson-datatype-jdk8-2.10.0.jar +jackson-datatype-joda-2.10.0.jar +jackson-datatype-jsr310-2.10.0.jar jackson-jaxrs-1.9.13.jar jackson-mapper-asl-1.9.13.jar -jackson-module-afterburner-2.9.7.jar -jackson-module-jaxb-annotations-2.9.7.jar -jackson-module-paranamer-2.9.7.jar -jackson-module-scala_2.11-2.9.7.jar +jackson-module-afterburner-2.10.0.jar +jackson-module-jaxb-annotations-2.10.0.jar +jackson-module-paranamer-2.10.0.jar +jackson-module-scala_2.11-2.10.0.jar jackson-xc-1.9.13.jar +jakarta.activation-api-1.2.1.jar +jakarta.xml.bind-api-2.3.2.jar janino-3.0.11.jar javassist-3.20.0-GA.jar javax.annotation-api-1.2.jar 
@@ -192,7 +194,7 @@ scala-xml_2.11-1.0.5.jar shapeless_2.11-2.3.2.jar slf4j-api-1.7.25.jar slf4j-log4j12-1.7.25.jar -snakeyaml-1.23.jar +snakeyaml-1.24.jar snappy-java-1.1.7.3.jar spire-macros_2.11-0.13.0.jar spire_2.11-0.13.0.jar diff --git a/pom.xml b/pom.xml index 50ab77d568a0d..1582f8aaea112 100644 --- a/pom.xml +++ b/pom.xml @@ -179,7 +179,7 @@ true 1.9.13 - 2.9.7 + 2.10.0 1.1.7.3 1.1.2 1.2.0-incubating
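Review bot: the LICENSE-binary hunk removes the "Mozilla Public License (MPL) 1.1" heading and leaves "Eclipse Public License (EPL) 2.0" directly above com.github.rwl:jtransforms, so jtransforms is silently re-attributed from MPL 1.1 to EPL 2.0 by a change whose message only describes a Jackson bump; if the jtransforms license has not actually changed, keep the MPL 1.1 heading and insert the new EDL 1.0 and EPL 2.0 sections as additions above it. Separately, two of the four artifacts listed under EDL 1.0 (org.glassfish.jaxb:jaxb-runtime and com.sun.istack:istack-commons-runtime) do not appear in the dev/deps/spark-deps-hadoop-palantir changes in this patch, which only adds jakarta.activation-api-1.2.1.jar and jakarta.xml.bind-api-2.3.2.jar; either say where those two are pulled in from or drop them from the notice.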
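Review bot: in the first dev/deps/spark-deps-hadoop-palantir hunk, the new jars jakarta.activation-api-1.2.1.jar and jakarta.xml.bind-api-2.3.2.jar arrive with no explanation in the commit message; state which Jackson 2.10.0 module brings them in (jackson-module-jaxb-annotations-2.10.0.jar is the obvious candidate from the name, but confirm it against the resolved dependency tree) so that the new transitive dependencies can be reviewed for license and CVE exposure like the rest. It is also worth stating in the message that the Jackson 1.x jars (jackson-core-asl-1.9.13.jar, jackson-jaxrs-1.9.13.jar, jackson-mapper-asl-1.9.13.jar, jackson-xc-1.9.13.jar) are deliberately untouched, since the pom hunk only moves the 2.x property and the 1.9.13 property stays, so nobody reads the CVE fix as covering them.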
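Review bot: the snakeyaml-1.23.jar to snakeyaml-1.24.jar change in the second dev/deps hunk is not mentioned anywhere in the commit message, which describes only the Jackson bump; add a sentence saying it is a transitive bump that comes with jackson-dataformat-yaml-2.10.0.jar (if that is indeed the cause) so the version change in the manifest is traceable to something in the PR.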
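Review bot: the pom.xml hunk moves the Jackson 2.x version property from 2.9.7 to 2.10.0 (the property names are lost in this rendering, but the unchanged neighbours 1.9.13 and 1.1.7.3 identify it), while the diff stat shows only one dependency manifest, dev/deps/spark-deps-hadoop-palantir, being regenerated; if this build carries dev/deps manifests for other Hadoop profiles they need the same regeneration, otherwise they will disagree with the pom. The only testing stated is `mvn clean install -DskipTests`; since jackson-databind and jackson-module-scala_2.11 both move a minor version and the commit message itself calls out the new "Safe Default Typing" behaviour in 2.10, running the test suites of the modules that serialize through Jackson (or at least the dependency test) would give more confidence than a compile-only build.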