chore: bump hbase, phoenix and hbase-operator-tools

CHANGELOG.md

@@ -21,6 +21,7 @@ All notable changes to this project will be documented in this file.
 - java: Add JDK/JRE 23 ([#992]).
 - trino: Add 469 ([#993]).
 - trino-cli: Add version 469 ([#993]).
+- hbase: Support for 2.6.1 ([#997]).
 - trino-storage-connector: Add version 469 ([#996]).
 - trino: Add 470 ([#999]).
 - trino-cli: Add version 470 ([#999]).
@@ -67,6 +68,7 @@ All notable changes to this project will be documented in this file.
 [#993]: https://github.com/stackabletech/docker-images/pull/993
 [#995]: https://github.com/stackabletech/docker-images/pull/995
 [#996]: https://github.com/stackabletech/docker-images/pull/996
+[#997]: https://github.com/stackabletech/docker-images/pull/997
 [#999]: https://github.com/stackabletech/docker-images/pull/999
 [#1000]: https://github.com/stackabletech/docker-images/pull/1000
 

hbase/stackable/patches/2.6.1/02-patch-updates.patch

@@ -0,0 +1,113 @@
+diff --git a/pom.xml b/pom.xml
+index 01123cb..3734fb1 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -567,7 +567,7 @@
+       modules and cause trouble if we only rely on transitive dependencies.
+     -->
+     <netty3.version>3.10.6.Final</netty3.version>
+-    <netty4.version>4.1.112.Final</netty4.version>
++    <netty4.version>4.1.117.Final</netty4.version>
+     <!-- end HBASE-15925 default hadoop compatibility values -->
+     <audience-annotations.version>0.13.0</audience-annotations.version>
+     <!--
+@@ -576,28 +576,28 @@
+     -->
+     <javadoc.audience-annotations.version>0.13.0</javadoc.audience-annotations.version>
+     <avro.version>1.11.4</avro.version>
+-    <caffeine.version>2.8.1</caffeine.version>
++    <caffeine.version>2.8.8</caffeine.version>
+     <commons-codec.version>1.15</commons-codec.version>
+     <commons-io.version>2.11.0</commons-io.version>
+     <commons-lang3.version>3.9</commons-lang3.version>
+     <commons-math.version>3.6.1</commons-math.version>
+     <commons-cli.version>1.5.0</commons-cli.version>
+     <disruptor.version>3.4.4</disruptor.version>
+-    <httpclient.version>4.5.13</httpclient.version>
+-    <httpcore.version>4.4.13</httpcore.version>
++    <httpclient.version>4.5.14</httpclient.version>
++    <httpcore.version>4.4.16</httpcore.version>
+     <metrics-core.version>3.2.6</metrics-core.version>
+     <!--
+       Note that the version of jackson-[annotations,core,databind] must be kept in sync with the
+       version of jackson-jaxrs-json-provider shipped in hbase-thirdparty.
+     -->
+-    <jackson.version>2.17.2</jackson.version>
+-    <jackson.databind.version>2.17.2</jackson.databind.version>
++    <jackson.version>2.17.3</jackson.version>
++    <jackson.databind.version>2.17.3</jackson.databind.version>
+     <jaxb-api.version>2.3.1</jaxb-api.version>
+     <servlet.api.version>3.1.0</servlet.api.version>
+     <wx.rs.api.version>2.1.1</wx.rs.api.version>
+-    <glassfish.jsp.version>2.3.2</glassfish.jsp.version>
+-    <glassfish.el.version>3.0.1-b08</glassfish.el.version>
+-    <jruby.version>9.3.13.0</jruby.version>
++    <glassfish.jsp.version>2.3.4</glassfish.jsp.version>
++    <glassfish.el.version>3.0.1-b12</glassfish.el.version>
++    <jruby.version>9.3.15.0</jruby.version>
+     <junit.version>4.13.2</junit.version>
+     <hamcrest.version>1.3</hamcrest.version>
+     <opentelemetry.version>1.15.0</opentelemetry.version>
+@@ -615,19 +615,19 @@
+     <internal.protobuf.version>4.28.2</internal.protobuf.version>
+     <protobuf.plugin.version>0.6.1</protobuf.plugin.version>
+     <thrift.path>thrift</thrift.path>
+-    <thrift.version>0.14.1</thrift.version>
++    <thrift.version>0.14.2</thrift.version>
+     <zookeeper.version>3.8.4</zookeeper.version>
+     <jline.version>2.11</jline.version>
+-    <slf4j.version>1.7.33</slf4j.version>
++    <slf4j.version>1.7.36</slf4j.version>
+     <clover.version>4.0.3</clover.version>
+     <jamon-runtime.version>2.4.1</jamon-runtime.version>
+     <jettison.version>1.5.4</jettison.version>
+     <!--Make sure these joni/jcodings are compatible with the versions used by jruby-->
+-    <joni.version>2.2.1</joni.version>
+-    <jcodings.version>1.0.58</jcodings.version>
+-    <spy.version>2.12.2</spy.version>
+-    <bouncycastle.version>1.78</bouncycastle.version>
+-    <skyscreamer.version>1.5.1</skyscreamer.version>
++    <joni.version>2.2.3</joni.version>
++    <jcodings.version>1.0.61</jcodings.version>
++    <spy.version>2.12.3</spy.version>
++    <bouncycastle.version>1.78.1</bouncycastle.version>
++    <skyscreamer.version>1.5.3</skyscreamer.version>
+     <kerby.version>1.0.1</kerby.version>
+     <commons-crypto.version>1.1.0</commons-crypto.version>
+     <curator.version>4.2.0</curator.version>
+@@ -644,27 +644,27 @@
+     <lifecycle.mapping.version>1.0.0</lifecycle.mapping.version>
+     <maven.antrun.version>1.8</maven.antrun.version>
+     <maven.bundle.version>3.3.0</maven.bundle.version>
+-    <maven.checkstyle.version>3.1.0</maven.checkstyle.version>
++    <maven.checkstyle.version>3.1.2</maven.checkstyle.version>
+     <maven.eclipse.version>2.10</maven.eclipse.version>
+     <maven.gpg.version>3.0.1</maven.gpg.version>
+-    <maven.javadoc.version>3.4.0</maven.javadoc.version>
+-    <maven.warbucks.version>1.1.0</maven.warbucks.version>
++    <maven.javadoc.version>3.4.1</maven.javadoc.version>
++    <maven.warbucks.version>1.1.2</maven.warbucks.version>
+     <maven.project.info.report.version>3.1.2</maven.project.info.report.version>
+     <os.maven.version>1.5.0.Final</os.maven.version>
+     <findbugs-annotations.version>1.3.9-1</findbugs-annotations.version>
+     <spotbugs.version>4.7.3</spotbugs.version>
+-    <spotbugs.maven.version>4.7.2.1</spotbugs.maven.version>
+-    <surefire.version>3.1.0</surefire.version>
++    <spotbugs.maven.version>4.7.3.6</spotbugs.maven.version>
++    <surefire.version>3.1.2</surefire.version>
+     <wagon.ssh.version>2.12</wagon.ssh.version>
+     <xml.maven.version>1.0.1</xml.maven.version>
+     <spotless.version>2.27.2</spotless.version>
+-    <maven-site.version>3.12.0</maven-site.version>
++    <maven-site.version>3.12.1</maven-site.version>
+     <!-- compression -->
+     <aircompressor.version>0.27</aircompressor.version>
+     <brotli4j.version>1.11.0</brotli4j.version>
+     <lz4.version>1.8.0</lz4.version>
+-    <snappy.version>1.1.10.4</snappy.version>
+-    <zstd-jni.version>1.5.5-2</zstd-jni.version>
++    <snappy.version>1.1.10.7</snappy.version>
++    <zstd-jni.version>1.5.6-9</zstd-jni.version>
+     <!--
+         Note that the version of protobuf shipped in hbase-thirdparty must match the version used
+         in hbase-protocol-shaded and hbase-examples. The version of jackson-[annotations,core,

hbase/stackable/patches/2.6.1/03-include-dataformat-xml.patch

@@ -0,0 +1,58 @@
+Include jackson-dataformat-xml.
+
+From: Lars Francke <[email protected]>
+
+This is needed for XmlLayout to work so our structured logging works.
+It is an optional dependency of log4j2 so we need to make sure to include
+it.
+---
+ hbase-assembly/pom.xml |    5 +++++
+ pom.xml                |   12 ++++++++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/hbase-assembly/pom.xml b/hbase-assembly/pom.xml
+index 1564851b85..0786288a84 100644
+--- a/hbase-assembly/pom.xml
++++ b/hbase-assembly/pom.xml
+@@ -222,6 +222,11 @@
+       <groupId>org.apache.logging.log4j</groupId>
+       <artifactId>log4j-core</artifactId>
+     </dependency>
++    <dependency>
++      <!-- This is an optional dependency of log4j which is needed to use XmlLayout -->
++      <groupId>com.fasterxml.jackson.dataformat</groupId>
++      <artifactId>jackson-dataformat-xml</artifactId>
++    </dependency>
+     <dependency>
+       <groupId>org.apache.logging.log4j</groupId>
+       <artifactId>log4j-slf4j-impl</artifactId>
+diff --git a/pom.xml b/pom.xml
+index b420025c6c..819e021d86 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1149,6 +1149,11 @@
+         <artifactId>log4j-core</artifactId>
+         <version>${log4j2.version}</version>
+       </dependency>
++      <dependency>
++        <groupId>org.apache.logging.log4j</groupId>
++        <artifactId>log4j-core</artifactId>
++        <version>${log4j2.version}</version>
++      </dependency>
+       <dependency>
+         <groupId>org.apache.logging.log4j</groupId>
+         <artifactId>log4j-slf4j-impl</artifactId>
+@@ -1159,6 +1164,13 @@
+         <artifactId>log4j-1.2-api</artifactId>
+         <version>${log4j2.version}</version>
+       </dependency>
++      <dependency>
++        <!-- This is an optional dependency of log4j which is needed to use XmlLayout -->
++        <groupId>com.fasterxml.jackson.dataformat</groupId>
++        <artifactId>jackson-dataformat-xml</artifactId>
++        <version>${jackson.databind.version}</version>
++      </dependency>
++
+       <!-- Avro dependencies we mostly get transitively, manual version coallescing -->
+       <dependency>
+         <groupId>org.apache.avro</groupId>

hbase/stackable/patches/2.6.1/04-patch-cyclonedx-plugin.patch

@@ -0,0 +1,17 @@
+diff --git a/pom.xml b/pom.xml
+index 918cdaa..2a83794 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -3218,7 +3218,11 @@
+           <plugin>
+             <groupId>org.cyclonedx</groupId>
+             <artifactId>cyclonedx-maven-plugin</artifactId>
+-            <version>2.7.10</version>
++            <version>2.9.1</version>
++            <configuration>
++                <projectType>application</projectType>
++                <schemaVersion>1.5</schemaVersion>
++            </configuration>
+             <executions>
+               <execution>
+                 <goals>

hbase/stackable/patches/hbase-operator-tools/1.3.0-fd5a5fb/01-cyclonedx-plugin.patch

@@ -0,0 +1,28 @@
+diff --git a/pom.xml b/pom.xml
+index caa032a..0025687 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -549,6 +549,23 @@
+           </formats>
+         </configuration>
+       </plugin>
++      <plugin>
++        <groupId>org.cyclonedx</groupId>
++        <artifactId>cyclonedx-maven-plugin</artifactId>
++        <version>2.9.1</version>
++        <configuration>
++          <projectType>application</projectType>
++          <schemaVersion>1.5</schemaVersion>
++        </configuration>
++        <executions>
++          <execution>
++          <goals>
++            <goal>makeBom</goal>
++          </goals>
++          <phase>package</phase>
++          </execution>
++        </executions>
++      </plugin>
+     </plugins>
+   </build>
+   <profiles>

hbase/stackable/patches/phoenix/5.2.1/01-cyclonedx-plugin.patch

@@ -0,0 +1,28 @@
+diff --git a/pom.xml b/pom.xml
+index bce2398..4abcb5a 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -680,6 +680,23 @@
+         <extensions>true</extensions>
+         <inherited>true</inherited>
+       </plugin>
++      <plugin>
++        <groupId>org.cyclonedx</groupId>
++        <artifactId>cyclonedx-maven-plugin</artifactId>
++        <version>2.9.1</version>
++        <configuration>
++          <projectType>application</projectType>
++          <schemaVersion>1.5</schemaVersion>
++        </configuration>
++        <executions>
++          <execution>
++          <goals>
++            <goal>makeBom</goal>
++          </goals>
++          <phase>package</phase>
++          </execution>
++        </executions>
++      </plugin>
+     </plugins>
+   </build>
+

hbase/stackable/patches/phoenix/5.2.1/02-CVE-2023-34455-update-snappy-version.patch

@@ -0,0 +1,97 @@
+Fix CVE-2023-34455
+
+See https://github.com/stackabletech/vulnerabilities/issues/558
+
+diff --git a/phoenix-core-client/pom.xml b/phoenix-core-client/pom.xml
+index f711b0f6f..3cfbffef9 100644
+--- a/phoenix-core-client/pom.xml
++++ b/phoenix-core-client/pom.xml
+@@ -230,6 +230,12 @@
+       <groupId>org.apache.hadoop</groupId>
+       <artifactId>hadoop-auth</artifactId>
+     </dependency>
++    <!-- Fix CVE-2023-34455 -->
++    <dependency>
++      <groupId>org.xerial.snappy</groupId>
++      <artifactId>snappy-java</artifactId>
++      <version>1.1.10.4</version>
++    </dependency>
+
+     <!-- HBase dependencies -->
+     <dependency>
+diff --git a/phoenix-core-server/pom.xml b/phoenix-core-server/pom.xml
+index d5032ece2..e47fb0837 100644
+--- a/phoenix-core-server/pom.xml
++++ b/phoenix-core-server/pom.xml
+@@ -59,6 +59,12 @@
+             <groupId>org.apache.hadoop</groupId>
+             <artifactId>hadoop-mapreduce-client-core</artifactId>
+         </dependency>
++        <!-- Fix CVE-2023-34455 -->
++        <dependency>
++          <groupId>org.xerial.snappy</groupId>
++          <artifactId>snappy-java</artifactId>
++          <version>1.1.10.4</version>
++        </dependency>
+
+         <!-- HBase dependencies -->
+         <dependency>
+@@ -192,4 +198,4 @@
+             </plugin>
+         </plugins>
+     </build>
+-</project>
+\ No newline at end of file
++</project>
+diff --git a/phoenix-pherf/pom.xml b/phoenix-pherf/pom.xml
+index c03fff9a1..cdcce2f98 100644
+--- a/phoenix-pherf/pom.xml
++++ b/phoenix-pherf/pom.xml
+@@ -159,6 +159,12 @@
+       <groupId>org.apache.hbase</groupId>
+       <artifactId>hbase-server</artifactId>
+     </dependency>
++    <!-- Fix CVE-2023-34455 -->
++    <dependency>
++      <groupId>org.xerial.snappy</groupId>
++      <artifactId>snappy-java</artifactId>
++      <version>1.1.10.4</version>
++    </dependency>
+
+     <!-- Test Dependencies -->
+     <dependency>
+diff --git a/phoenix-tracing-webapp/pom.xml b/phoenix-tracing-webapp/pom.xml
+index d2d1549ef..c8054159e 100755
+--- a/phoenix-tracing-webapp/pom.xml
++++ b/phoenix-tracing-webapp/pom.xml
+@@ -89,6 +89,12 @@
+         <groupId>org.apache.hbase</groupId>
+         <artifactId>hbase-common</artifactId>
+       </dependency>
++      <!-- Fix CVE-2023-34455 -->
++      <dependency>
++        <groupId>org.xerial.snappy</groupId>
++        <artifactId>snappy-java</artifactId>
++        <version>1.1.10.4</version>
++      </dependency>
+     </dependencies>
+
+     <build>
+diff --git a/pom.xml b/pom.xml
+index 4abcb5a28..21dcf71ad 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -850,6 +850,13 @@
+           </exclusion>
+         </exclusions>
+       </dependency>
++      <!-- Fix CVE-2023-34455 -->
++      <dependency>
++        <groupId>org.xerial.snappy</groupId>
++        <artifactId>snappy-java</artifactId>
++        <version>1.1.10.4</version>
++      </dependency>
++
+       <dependency>
+         <groupId>org.apache.hadoop</groupId>
+         <artifactId>hadoop-common</artifactId>

hbase/versions.py

@@ -12,21 +12,21 @@
         "hbase_profile": "2.4",
         "hadoop": "3.3.6",
         "jmx_exporter": "1.0.1-stackable",  # update the stackable/jmx/config<version> folder too
-        "opa_authorizer": "",  # only for HBase 2.6.0
+        "opa_authorizer": "",  # only for HBase 2.6.1
         "delete_caches": "true",
     },
     {
-        "product": "2.6.0",
-        "hbase_thirdparty": "4.1.7",
-        "hbase_operator_tools": "1.3.0-7c738fc",
+        "product": "2.6.1",
+        "hbase_thirdparty": "4.1.9",
+        "hbase_operator_tools": "1.3.0-fd5a5fb",
         "java-base": "11",
         "java-devel": "11",
         "async_profiler": "2.9",
-        "phoenix": "5.3.0-4afe457",
+        "phoenix": "5.2.1",
         "hbase_profile": "2.6",
         "hadoop": "3.3.6",
         "jmx_exporter": "",  # 2.6 exports jmx and prometheus metrics by default
-        "opa_authorizer": "0.1.0",  # only for HBase 2.6.0
+        "opa_authorizer": "0.1.0",  # only for HBase 2.6.1
         "delete_caches": "true",
     },
 ]