From 7b39acd554d4f06aa0673fe17af432f4c8dd3d07 Mon Sep 17 00:00:00 2001
From: yan zhang <dirtysalt1987@gmail.com>
Date: Sat, 31 May 2025 00:34:33 +0800
Subject: [PATCH] [Enhancement] upgrade hudi-common and fix CVEs (#59501)

Upgrade hudi-common package so we can keep fixing latest CVEs.

Signed-off-by: yan zhang <dirtysalt1987@gmail.com>
---
 .../java/com/starrocks/catalog/HudiTable.java |  2 +-
 .../connector/hudi/HudiRemoteFileIO.java      |  3 +-
 fe/pom.xml                                    | 36 ++++++++++++++++---
 java-extensions/hudi-reader/pom.xml           |  2 +-
 java-extensions/pom.xml                       |  8 +++++
 trivy.yaml                                    |  4 ---
 6 files changed, 44 insertions(+), 11 deletions(-)

diff --git a/fe/fe-core/src/main/java/com/starrocks/catalog/HudiTable.java b/fe/fe-core/src/main/java/com/starrocks/catalog/HudiTable.java
index 11429c6ddf3..5ab0d1a2ff1 100644
--- a/fe/fe-core/src/main/java/com/starrocks/catalog/HudiTable.java
+++ b/fe/fe-core/src/main/java/com/starrocks/catalog/HudiTable.java
@@ -298,7 +298,7 @@ public class HudiTable extends Table {
         }
 
         if (tableType == HudiTableType.MOR) {
-            tHudiTable.setInstant_time(lastInstant == null ? "" : lastInstant.getTimestamp());
+            tHudiTable.setInstant_time(lastInstant == null ? "" : lastInstant.getCompletionTime());
         }
 
         tHudiTable.setHive_column_names(hudiProperties.get(HUDI_TABLE_COLUMN_NAMES));
diff --git a/fe/fe-core/src/main/java/com/starrocks/connector/hudi/HudiRemoteFileIO.java b/fe/fe-core/src/main/java/com/starrocks/connector/hudi/HudiRemoteFileIO.java
index 4d55bfae595..8e933eae7e1 100644
--- a/fe/fe-core/src/main/java/com/starrocks/connector/hudi/HudiRemoteFileIO.java
+++ b/fe/fe-core/src/main/java/com/starrocks/connector/hudi/HudiRemoteFileIO.java
@@ -118,7 +118,8 @@ public class HudiRemoteFileIO implements RemoteFileIO {
             }
 
             Iterator<FileSlice> hoodieFileSliceIterator = scanContext.hudiFsView
-                    .getLatestMergedFileSlicesBeforeOrOn(partitionName, scanContext.hudiLastInstant.getTimestamp()).iterator();
+                    .getLatestMergedFileSlicesBeforeOrOn(partitionName, scanContext.hudiLastInstant.getCompletionTime())
+                    .iterator();
             while (hoodieFileSliceIterator.hasNext()) {
                 FileSlice fileSlice = hoodieFileSliceIterator.next();
                 Optional<HoodieBaseFile> baseFile = fileSlice.getBaseFile().toJavaOptional();
diff --git a/fe/pom.xml b/fe/pom.xml
index 079402bfb66..f2363902bf3 100644
--- a/fe/pom.xml
+++ b/fe/pom.xml
@@ -50,7 +50,7 @@ under the License.
         <hadoop.version>3.4.1</hadoop.version>
         <gcs.connector.version>hadoop3-2.2.26</gcs.connector.version>
         <skip.plugin>false</skip.plugin>
-        <hudi.version>0.15.0</hudi.version>
+        <hudi.version>1.0.2</hudi.version>
         <hive-apache.version>3.1.2-22</hive-apache.version>
         <dlf-metastore-client.version>0.2.14</dlf-metastore-client.version>
         <sonar.organization>starrocks</sonar.organization>
@@ -79,6 +79,8 @@ under the License.
         <!-- azure native sdk -->
         <azure.version>1.2.34</azure.version>
         <fastutil.version>8.5.15</fastutil.version>
+        <commons-beanutils.version>1.11.0</commons-beanutils.version>
+        <hbase.version>2.6.2</hbase.version>
     </properties>
 
     <profiles>
@@ -796,6 +798,12 @@ under the License.
                 </exclusions>
             </dependency>
 
+            <dependency>
+                <groupId>commons-beanutils</groupId>
+                <artifactId>commons-beanutils</artifactId>
+                <version>${commons-beanutils.version}</version>
+            </dependency>
+
             <dependency>
                 <groupId>org.apache.hadoop</groupId>
                 <artifactId>hadoop-hdfs</artifactId>
@@ -1007,17 +1015,37 @@ under the License.
                         <groupId>org.apache.zookeeper</groupId>
                         <artifactId>zookeeper</artifactId>
                     </exclusion>
+                </exclusions>
+            </dependency>
+
+            <dependency>
+                <groupId>org.apache.hbase</groupId>
+                <artifactId>hbase-client</artifactId>
+                <version>${hbase.version}</version>
+                <exclusions>
                     <exclusion>
-                        <groupId>org.apache.hadoop</groupId>
-                        <artifactId>hadoop-hdfs</artifactId>
+                        <groupId>org.apache.hbase.thirdparty</groupId>
+                        <artifactId>hbase-shaded-jetty</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>org.apache.hbase.thirdparty</groupId>
+                        <artifactId>hbase-shaded-netty</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+
+            <dependency>
+                <groupId>org.apache.hbase</groupId>
+                <artifactId>hbase-server</artifactId>
+                <version>${hbase.version}</version>
+                <exclusions>
                     <exclusion>
                         <groupId>org.apache.hbase</groupId>
                         <artifactId>hbase-http</artifactId>
                     </exclusion>
                     <exclusion>
                         <groupId>org.apache.hbase.thirdparty</groupId>
-                        <artifactId>hbase-shaded-jetty</artifactId>
+                        <artifactId>hbase-shaded-netty</artifactId>
                     </exclusion>
                 </exclusions>
             </dependency>
diff --git a/java-extensions/hudi-reader/pom.xml b/java-extensions/hudi-reader/pom.xml
index 5dd09911b6c..91f95533f03 100644
--- a/java-extensions/hudi-reader/pom.xml
+++ b/java-extensions/hudi-reader/pom.xml
@@ -13,7 +13,7 @@
 
     <properties>
         <java-extensions.home>${basedir}/../</java-extensions.home>
-        <hudi.version>0.15.0</hudi.version>
+        <hudi.version>1.0.2</hudi.version>
     </properties>
 
     <dependencies>
diff --git a/java-extensions/pom.xml b/java-extensions/pom.xml
index b747e81a4b1..d2a09e9ceb3 100644
--- a/java-extensions/pom.xml
+++ b/java-extensions/pom.xml
@@ -58,6 +58,7 @@
         <avro.version>1.12.0</avro.version>
         <luben.zstd.jni.version>1.5.4-2</luben.zstd.jni.version>
         <kryo.version>4.0.2</kryo.version>
+        <commons-beanutils.version>1.11.0</commons-beanutils.version>
     </properties>
 
     <dependencyManagement>
@@ -160,6 +161,13 @@
                     </exclusion>
                 </exclusions>
             </dependency>
+
+            <dependency>
+                <groupId>commons-beanutils</groupId>
+                <artifactId>commons-beanutils</artifactId>
+                <version>${commons-beanutils.version}</version>
+            </dependency>
+
             <dependency>
                 <groupId>org.apache.hadoop</groupId>
                 <artifactId>hadoop-hdfs-client</artifactId>
diff --git a/trivy.yaml b/trivy.yaml
index 6ccabbe2850..542a380caf5 100644
--- a/trivy.yaml
+++ b/trivy.yaml
@@ -8,10 +8,6 @@ scan:
   skip-files:
     # hdfs required
     - "**/hadoop-client-runtime-3.4.1.jar"
-    # hudi required
-    - "**/htrace-core4-4.2.0-incubating.jar"
-    - "**/hbase-protocol-shaded-2.4.13.jar"
-    - "**/hbase-shaded-netty-4.1.1.jar"
     # kudu required
     - "**/kudu-client-1.17.1.jar"
     # paimon required