[release-2.35.0][BEAM-13499] Add warning about log4j to hcatalog javadoc #16311

tvalentyn · web-flow · commit 1ff38aac6b32 · 2021-12-21T11:56:53.000-08:00
diff --git a/sdks/java/extensions/sql/hcatalog/src/main/java/org/apache/beam/sdk/extensions/sql/meta/provider/hcatalog/package-info.java b/sdks/java/extensions/sql/hcatalog/src/main/java/org/apache/beam/sdk/extensions/sql/meta/provider/hcatalog/package-info.java
@@ -16,7 +16,16 @@
  * limitations under the License.
  */
 
-/** Table schema for HCatalog. */
+/**
+ * Table schema for HCatalog.
+ *
+ * <p><b>WARNING:</b>This package requires users to declare their own dependency on
+ * org.apache.hive:hive-exec and org.apache.hive.hcatalog. At the time of this Beam release every
+ * released version of those packages had a transitive dependency on a version of log4j vulnerable
+ * to CVE-2021-44228. We strongly encourage users to pin a non-vulnerable version of log4j when
+ * using this package. See <a
+ * href="https://issues.apache.org/jira/browse/BEAM-13499">BEAM-13499</a>.
+ */
 @Experimental
 package org.apache.beam.sdk.extensions.sql.meta.provider.hcatalog;
 
diff --git a/sdks/java/io/hcatalog/src/main/java/org/apache/beam/sdk/io/hcatalog/HCatalogIO.java b/sdks/java/io/hcatalog/src/main/java/org/apache/beam/sdk/io/hcatalog/HCatalogIO.java
@@ -70,6 +70,13 @@
 /**
  * IO to read and write data using HCatalog.
  *
+ * <p><b>WARNING:</b>This package requires users to declare their own dependency on
+ * org.apache.hive:hive-exec and org.apache.hive.hcatalog. At the time of this Beam release every
+ * released version of those packages had a transitive dependency on a version of log4j vulnerable
+ * to CVE-2021-44228. We strongly encourage users to pin a non-vulnerable version of log4j when
+ * using this package. See <a
+ * href="https://issues.apache.org/jira/browse/BEAM-13499">BEAM-13499</a>.
+ *
  * <h3>Reading using HCatalog</h3>
  *
  * <p>HCatalog source supports reading of HCatRecord from a HCatalog managed source, for eg. Hive.
diff --git a/sdks/java/io/hcatalog/src/main/java/org/apache/beam/sdk/io/hcatalog/package-info.java b/sdks/java/io/hcatalog/src/main/java/org/apache/beam/sdk/io/hcatalog/package-info.java
@@ -16,7 +16,16 @@
  * limitations under the License.
  */
 
-/** Transforms for reading and writing using HCatalog. */
+/**
+ * Transforms for reading and writing using HCatalog.
+ *
+ * <p><b>WARNING:</b>This package requires users to declare their own dependency on
+ * org.apache.hive:hive-exec and org.apache.hive.hcatalog. At the time of this Beam release every
+ * released version of those packages had a transitive dependency on a version of log4j vulnerable
+ * to CVE-2021-44228. We strongly encourage users to pin a non-vulnerable version of log4j when
+ * using this package. See <a
+ * href="https://issues.apache.org/jira/browse/BEAM-13499">BEAM-13499</a>.
+ */
 @Experimental(Kind.SOURCE_SINK)
 package org.apache.beam.sdk.io.hcatalog;
 

Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,13 @@`
`70`	`70`	`/**`
`71`	`71`	`* IO to read and write data using HCatalog.`
`72`	`72`	`*`
	`73`	`+ * <p><b>WARNING:</b>This package requires users to declare their own dependency on`
	`74`	`+ * org.apache.hive:hive-exec and org.apache.hive.hcatalog. At the time of this Beam release every`
	`75`	`+ * released version of those packages had a transitive dependency on a version of log4j vulnerable`
	`76`	`+ * to CVE-2021-44228. We strongly encourage users to pin a non-vulnerable version of log4j when`
	`77`	`+ * using this package. See <a`
	`78`	`+ * href="https://issues.apache.org/jira/browse/BEAM-13499">BEAM-13499</a>.`
	`79`	`+ *`
`73`	`80`	`* <h3>Reading using HCatalog</h3>`
`74`	`81`	`*`
`75`	`82`	`* <p>HCatalog source supports reading of HCatRecord from a HCatalog managed source, for eg. Hive.`