[Snyk] Fix for 69 vulnerabilities

[jdelamar]

Snyk has created this PR to fix 69 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Command Injection SNYK-JAVA-ORGAPACHESPARK-2774680	869	Mature
	Deserialization of Untrusted Data SNYK-JAVA-LOG4J-572732	811	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-ORGAPACHECOMMONS-3043138	791	Mature
	Command Injection SNYK-JAVA-ORGAPACHESPARK-5496635	761	Proof of Concept
	SQL Injection SNYK-JAVA-LOG4J-2342645	726	Proof of Concept
	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JAVA-ORGAPACHEHADOOP-174573	704	No Known Exploit
	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JAVA-ORGAPACHEHADOOP-2443177	704	No Known Exploit
	Arbitrary Code Execution SNYK-JAVA-ORGAPACHEHADOOP-2975400	704	No Known Exploit
	Information Exposure SNYK-JAVA-ORGAPACHEHADOOP-32047	704	No Known Exploit
	Improper Input Validation SNYK-JAVA-ORGCODEHAUSJACKSON-3326362	704	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGXERIALSNAPPY-5710960	696	Proof of Concept
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-ORGXERIALSNAPPY-5918282	696	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-ORGAPACHEAVRO-8161188	679	No Known Exploit
	Improper Verification of Cryptographic Signature SNYK-JAVA-ORGAPACHESPARK-13553868	664	No Known Exploit
	Integer Overflow SNYK-JAVA-COMGOOGLEPROTOBUF-173761	654	No Known Exploit
	Uncontrolled Recursion SNYK-JAVA-COMMONSLANG-10734077	654	No Known Exploit
	Directory Traversal SNYK-JAVA-COMMONSIO-1277109	651	Mature
	Arbitrary Code Execution SNYK-JAVA-LOG4J-2316893	651	Proof of Concept
	Stack-based Buffer Overflow SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754	649	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538	649	No Known Exploit
	Stack-based Buffer Overflow SNYK-JAVA-COMGOOGLEPROTOBUF-8055227	649	No Known Exploit
	Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') SNYK-JAVA-COMMONSBEANUTILS-10259368	649	No Known Exploit
	XML External Entity (XXE) Injection SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302	624	No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-LOG4J-2342646	619	No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-LOG4J-2342647	619	No Known Exploit
	Infinite loop SNYK-JAVA-ORGAPACHECOMMONS-6254296	619	No Known Exploit
	Authorization Bypass Through User-Controlled Key SNYK-JAVA-ORGAPACHEZOOKEEPER-5961102	619	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424	616	Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426	616	Proof of Concept
	Integer Overflow or Wraparound SNYK-JAVA-ORGXERIALSNAPPY-5710959	616	Proof of Concept
	Integer Overflow or Wraparound SNYK-JAVA-ORGXERIALSNAPPY-5710961	616	Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244	589	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMGOOGLEPROTOBUF-2331703	589	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMGOOGLEPROTOBUF-3167772	589	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGAPACHECOMMONS-1316641	589	No Known Exploit
	Directory Traversal SNYK-JAVA-ORGAPACHEIVY-3106929	589	No Known Exploit
	Arbitrary Command Execution SNYK-JAVA-ORGAPACHESPARK-2432301	589	No Known Exploit
	XML External Entity (XXE) Injection SNYK-JAVA-ORGCODEHAUSJACKSON-534878	589	No Known Exploit
	XML Entity Expansion SNYK-JAVA-ORGGLASSFISHJERSEYMEDIA-595972	589	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-XERCES-2359991	589	No Known Exploit
	Improper Privilege Management SNYK-JAVA-ORGAPACHESPARK-5425123	584	No Known Exploit
	Information Exposure SNYK-JAVA-COMFASTERXMLJACKSONCORE-10332631	576	Proof of Concept
	Directory Traversal SNYK-JAVA-ORGAPACHEIVY-3106014	569	No Known Exploit
	Allocation of Resources Without Limits or Throttling SNYK-JAVA-COMMONSCONFIGURATION-10116124	559	No Known Exploit
	Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JAVA-COMMONSIO-8161190	559	No Known Exploit
	Creation of Temporary File in Directory with Insecure Permissions SNYK-JAVA-ORGAPACHEHADOOP-8089372	554	No Known Exploit
	Cryptographic Issues SNYK-JAVA-ORGAPACHEDIRECTORYSERVER-1063040	550	No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMGOOGLECODEGSON-1730327	539	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGAPACHECOMMONS-1316638	539	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGAPACHECOMMONS-1316639	539	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGAPACHECOMMONS-1316640	539	No Known Exploit
	XML External Entity Injection (XXE) SNYK-JAVA-ORGAPACHEHADOOP-2329722	539	No Known Exploit
	Information Exposure SNYK-JAVA-ORGAPACHEHADOOP-461004	539	No Known Exploit
	Information Disclosure SNYK-JAVA-ORGGLASSFISHJERSEYCORE-1255637	524	No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMGOOGLEGUAVA-32236	509	com.google.guava:guava: 14.0.1 -> 32.0.0-android No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-LOG4J-3358774	509	No Known Exploit
	Information Exposure SNYK-JAVA-ORGAPACHESPARK-2420837	509	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMGOOGLEPROTOBUF-3040284	499	No Known Exploit
	Information Disclosure SNYK-JAVA-COMGOOGLEGUAVA-1015415	486	com.google.guava:guava: 14.0.1 -> 32.0.0-android Proof of Concept
	Improper Certificate Validation SNYK-JAVA-COMMONSHTTPCLIENT-30083	484	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JAVA-ORGAPACHESPARK-3097693	484	No Known Exploit
	Improper Input Validation SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1048058	479	No Known Exploit
	Improper Input Validation SNYK-JAVA-XERCES-608891	479	No Known Exploit
	Man-in-the-Middle (MitM) SNYK-JAVA-COMMONSHTTPCLIENT-31660	429	No Known Exploit
	Information Exposure SNYK-JAVA-COMMONSCODEC-561518	399	No Known Exploit
	Information Exposure SNYK-JAVA-COMMONSNET-3153503	399	No Known Exploit
	Man-in-the-Middle (MitM) SNYK-JAVA-LOG4J-1300176	399	No Known Exploit
	Improper Input Validation SNYK-JAVA-ORGAPACHEAVRO-5926693	399	No Known Exploit
	Creation of Temporary File in Directory with Insecure Permissions SNYK-JAVA-COMGOOGLEGUAVA-5710356	379	com.google.guava:guava: 14.0.1 -> 32.0.0-android No Known Exploit

Vulnerabilities that could not be fixed

• Upgrade:
  • Could not upgrade org.apache.spark:spark-core_2.12@3.0.2-SNAPSHOT to org.apache.spark:spark-core_2.12@3.5.5; Reason could not apply upgrade, dependency is managed externally ; Location: provenance does not contain location

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Information Exposure
🦉 Denial of Service (DoS)
🦉 XML External Entity (XXE) Injection
🦉 More lessons are available in Snyk Learn

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Align Guava upgrade across build paths

Bumping guava.version to 32.0.0-android here updates only the Maven build, while the sbt build still defaults to Guava 14.0.1 (project/SparkBuild.scala:625) and the assembly packaging comments assume shipping the 14.0.1 jar for Hadoop compatibility (assembly/pom.xml:78-86). That leaves Maven artifacts built and released with Guava 32 but all sbt-driven tests and Hive dependency resolution still running against Guava 14, so the shipped classpath is untested and will contain two different Guava versions. Please keep the Guava version consistent across the build definitions or update the other call sites at the same time.

Useful? React with 👍 / 👎.