fix(hive): Upgrade nimbus-jose-jwt in Hive to fix CVE-2025-53864 (#1249)

Author: xeniape

hive/stackable/patches/4.1.0/0001-Include-Postgres-driver.patch

@@ -0,0 +1,34 @@
+From d6ef8813ba42cf47aefadc6068778f797ea00166 Mon Sep 17 00:00:00 2001
+From: xeniape <[email protected]>
+Date: Fri, 12 Sep 2025 17:25:00 +0200
+Subject: Include Postgres driver
+
+---
+ standalone-metastore/metastore-server/pom.xml | 1 -
+ standalone-metastore/pom.xml                  | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/standalone-metastore/metastore-server/pom.xml b/standalone-metastore/metastore-server/pom.xml
+index 13f08ad92d..3f88c67e1c 100644
+--- a/standalone-metastore/metastore-server/pom.xml
++++ b/standalone-metastore/metastore-server/pom.xml
+@@ -348,7 +348,6 @@
+     <dependency>
+       <groupId>org.postgresql</groupId>
+       <artifactId>postgresql</artifactId>
+-      <optional>true</optional>
+     </dependency>
+     <dependency>
+       <groupId>org.eclipse.jetty</groupId>
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index da0612dcf9..4d1a08742a 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -407,7 +407,6 @@
+         <groupId>org.postgresql</groupId>
+         <artifactId>postgresql</artifactId>
+         <version>${postgres.version}</version>
+-        <scope>runtime</scope>
+       </dependency>
+       <dependency>
+         <groupId>org.apache.httpcomponents</groupId>

hive/stackable/patches/4.1.0/0002-Include-logging-dependencies.patch

@@ -0,0 +1,25 @@
+From 56a982e562e33558b9cd20dd3afa9a57920a390d Mon Sep 17 00:00:00 2001
+From: xeniape <[email protected]>
+Date: Fri, 12 Sep 2025 17:25:42 +0200
+Subject: Include logging dependencies
+
+---
+ standalone-metastore/pom.xml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 4d1a08742a..6b2bd5273a 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -513,6 +513,11 @@
+       <groupId>com.fasterxml.jackson.core</groupId>
+       <artifactId>jackson-databind</artifactId>
+     </dependency>
++    <dependency>
++      <!-- Optional log4j dependency to be able to use the XmlLayout -->
++      <groupId>com.fasterxml.jackson.dataformat</groupId>
++      <artifactId>jackson-dataformat-xml</artifactId>
++    </dependency>
+   </dependencies>
+   <build>
+     <pluginManagement>

hive/stackable/patches/4.1.0/0003-Add-CycloneDX-plugin.patch

@@ -0,0 +1,45 @@
+From e41e6a49f3e27a785d80f0d9f446d97cf3aa59de Mon Sep 17 00:00:00 2001
+From: xeniape <[email protected]>
+Date: Fri, 12 Sep 2025 17:39:34 +0200
+Subject: Add CycloneDX plugin
+
+---
+ standalone-metastore/pom.xml | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 6b2bd5273a..d976d51b48 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -46,6 +46,7 @@
+     <maven.cyclonedx.plugin.version>2.7.10</maven.cyclonedx.plugin.version>
+     <maven.repo.local>${settings.localRepository}</maven.repo.local>
+     <maven.exec.plugin.version>3.1.0</maven.exec.plugin.version>
++    <maven.cyclonedx.plugin.version>2.8.0</maven.cyclonedx.plugin.version>
+     <checkstyle.conf.dir>${basedir}/${standalone.metastore.path.to.root}/checkstyle</checkstyle.conf.dir>
+     <!-- Test Properties -->
+     <log4j.conf.dir>${project.basedir}/src/test/resources</log4j.conf.dir>
+@@ -592,6 +593,23 @@
+           </excludes>
+         </configuration>
+       </plugin>
++      <plugin>
++        <groupId>org.cyclonedx</groupId>
++        <artifactId>cyclonedx-maven-plugin</artifactId>
++        <version>${maven.cyclonedx.plugin.version}</version>
++        <configuration>
++          <projectType>application</projectType>
++          <schemaVersion>1.5</schemaVersion>
++        </configuration>
++        <executions>
++          <execution>
++            <phase>package</phase>
++            <goals>
++              <goal>makeBom</goal>
++            </goals>
++          </execution>
++        </executions>
++      </plugin>
+     </plugins>
+   </build>
+   <profiles>

hive/stackable/patches/4.1.0/0004-Fix-CVE-2024-36114.patch

@@ -0,0 +1,26 @@
+From 7784d902ad2d5a443119e0e6796995c3089c20ab Mon Sep 17 00:00:00 2001
+From: xeniape <[email protected]>
+Date: Fri, 12 Sep 2025 17:40:28 +0200
+Subject: Fix CVE-2024-36114
+
+---
+ standalone-metastore/pom.xml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index d976d51b48..b5b06e3842 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -131,6 +131,12 @@
+   </properties>
+   <dependencyManagement>
+     <dependencies>
++      <!-- Mitigate CVE-2024-36114: See https://github.com/stackabletech/vulnerabilities/issues/834 -->
++      <dependency>
++        <groupId>io.airlift</groupId>
++        <artifactId>aircompressor</artifactId>
++        <version>0.27</version>
++      </dependency>
+       <dependency>
+         <groupId>org.apache.orc</groupId>
+         <artifactId>orc-core</artifactId>

hive/stackable/patches/4.1.0/0005-Upgrade-nimbus-jose-jwt-to-9.37.4-to-fix-CVE-2025-53.patch

@@ -0,0 +1,36 @@
+From f49ecc00f69c999b668d44b75cccd784860081a0 Mon Sep 17 00:00:00 2001
+From: xeniape <[email protected]>
+Date: Fri, 12 Sep 2025 17:43:16 +0200
+Subject: Upgrade-nimbus-jose-jwt-to-9.37.4-to-fix-CVE-2025-53864
+
+---
+ service/pom.xml              | 2 +-
+ standalone-metastore/pom.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/service/pom.xml b/service/pom.xml
+index f002924b39..69dfc9aeb1 100644
+--- a/service/pom.xml
++++ b/service/pom.xml
+@@ -25,7 +25,7 @@
+   <name>Hive Service</name>
+   <properties>
+     <hive.path.to.root>..</hive.path.to.root>
+-    <nimbus-jose-jwt.version>9.37.3</nimbus-jose-jwt.version>
++    <nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version>
+   </properties>
+   <dependencies>
+     <!-- dependencies are always listed in sorted order by groupId, artifactId -->
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index b5b06e3842..ad295a2c40 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -115,7 +115,7 @@
+     <httpcomponents.core.version>4.4.13</httpcomponents.core.version>
+     <httpcomponents.client.version>4.5.13</httpcomponents.client.version>
+     <pac4j-core.version>4.5.8</pac4j-core.version>
+-    <nimbus-jose-jwt.version>9.37.3</nimbus-jose-jwt.version>
++    <nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version>
+     <jetty.version>9.4.57.v20241219</jetty.version>
+     <javax.annotation-api.version>1.3.2</javax.annotation-api.version>
+     <!-- If upgrading, upgrade atlas as well in ql/pom.xml, which brings in some springframework dependencies transitively -->

hive/stackable/patches/4.1.0/patchable.toml

@@ -0,0 +1,2 @@
+mirror = "https://github.com/stackabletech/hive.git"
+base = "75e40b7537c91a70ccaa31c397d21823c7528eeb"