@imsayari404 imsayari404 commented Nov 24, 2025

Description

Pinot 1.4.0 refactored the gRPC interface classes, renaming and relocating them.
Specific issues faced:
GrpcQueryClient → ServerGrpcQueryClient
GrpcRequestBuilder → ServerGrpcRequestBuilder
Classes moved but stayed in the same package: org.apache.pinot.common.utils.grpc

The DataTableBuilder.setColumn() method signature changed in Pinot 1.4.0.

Affected: https://mvnrepository.com/artifact/org.glassfish.jersey.core/jersey-client/2.45 (CVE-2025-12383)

Motivation and Context

Impact

Test Plan

Tested in internal branch with this commit cherry-picked:

presto> select * from pinot.default.airlineStats limit 2;
 ActualElapsedTime | AirTime | AirlineID | ArrDel15 | ArrDelay | ArrDelayMinutes | ArrTime | ArrTimeBlk | ArrivalDelayGroups | CRSArrTime | CRSDepTime | CRSElapsedTime | CancellationCode | Cancelled | C>
-------------------+---------+-----------+----------+----------+-----------------+---------+------------+--------------------+------------+------------+----------------+------------------+-----------+-->
               384 |     359 |     19805 |        0 |       13 |              13 |    1238 | 1200-1259  |                  0 |       1225 |        900 |            385 | null             |         0 | A>
               269 |     251 |     19805 |        0 |      -36 |               0 |    1549 | 1600-1659  |                 -2 |       1625 |        825 |            300 | null             |         0 | A>
(2 rows)

Query 20251126_112104_00003_s39ez, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
[Latency: client-side: 0:02, server-side: 0:02] [0 rows, 880B] [0 rows/s, 504B/s]

presto> select * from pinot.default.baseballStats limit 2;
 AtBatting | G_old | baseOnBalls | caughtStealing | doules | groundedIntoDoublePlays | hits | hitsByPitch | homeRuns | intentionalWalks | league | numberOfGames | numberOfGamesAsBatter | playerID  | pla>
-----------+-------+-------------+----------------+--------+-------------------------+------+-------------+----------+------------------+--------+---------------+-----------------------+-----------+---->
         0 |    11 |           0 |              0 |      0 |                       0 |    0 |           0 |        0 |                0 | NL     |            11 |                    11 | aardsda01 | Dav>
         2 |    45 |           0 |              0 |      0 |                       0 |    0 |           0 |        0 |                0 | NL     |            45 |                    43 | aardsda01 | Dav>
(2 rows)

Query 20251126_112112_00004_s39ez, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
[Latency: client-side: 0:01, server-side: 0:01] [0 rows, 218B] [0 rows/s, 357B/s]

presto> 

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade jersey-client to version 2.47 to address 'CVE-2025-12383<https://github.com/advisories/GHSA-7p63-w6x9-6gr7>'_.

@imsayari404 imsayari404 requested a review from a team as a code owner November 24, 2025 11:51
@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Nov 24, 2025
@prestodb-ci prestodb-ci requested review from a team, NivinCS and pramodsatya and removed request for a team November 24, 2025 11:51
<dependency>
<groupId>org.glassfish.jersey.core</groupId>
<artifactId>jersey-client</artifactId>
<version>2.47</version>
Contributor

@imsayari404 , Is there any specific reason why we aren’t considering upgrading to the latest available version of jersey-client from the Maven repository?

Contributor Author

Thank you for your review.
Before my change:

presto-pinot-toolkit:jar:0.296-SNAPSHOT
\- org.apache.pinot:pinot-common:jar:1.3.0:compile
   \- org.glassfish.jersey.core:jersey-server:jar:2.45:compile
      \- org.glassfish.jersey.core:jersey-client:jar:2.45:compile

After my change:

presto-pinot-toolkit:jar:0.296-SNAPSHOT
\- org.glassfish.jersey.core:jersey-client:jar:2.47:compile

The presto-pinot-toolkit module specifically pulls in jersey-client 2.45 through the pinot-common dependency.
Pinot 1.3.0 uses the Jersey 2.x series. I made the change because I thought staying within the 2.x line would maintain better compatibility with the Pinot dependency.
That said, I'm open to upgrading to 4.x.
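As an added example (not code from this PR, from Presto or from Maven), a check that parses the two `mvn dependency:tree` listings in the reply above and reports every path on which jersey-client resolves, flagging any version still below the fixed 2.47. The tree text is constructed from this thread, and Maven's default text tree format (three-column indentation, optional `[INFO] ` prefix) is assumed.

```python
"""Report which version of a Maven artifact resolves, and through which path.

Added example, not code from the Presto PR or from Maven. It parses the default
text output of `mvn dependency:tree` (indented "+-" / "\\-" lines, three
columns per level, optional "[INFO] " prefix) and lists every path on which the
artifact appears, flagging versions below a known fixed version.
"""
import re

# Constructed input: the two trees pasted in the review thread, before and
# after jersey-client was pinned explicitly.
TREE_BEFORE = """\
presto-pinot-toolkit:jar:0.296-SNAPSHOT
\\- org.apache.pinot:pinot-common:jar:1.3.0:compile
   \\- org.glassfish.jersey.core:jersey-server:jar:2.45:compile
      \\- org.glassfish.jersey.core:jersey-client:jar:2.45:compile
"""
TREE_AFTER = """\
presto-pinot-toolkit:jar:0.296-SNAPSHOT
\\- org.glassfish.jersey.core:jersey-client:jar:2.47:compile
"""

# Tree-drawing prefix, then coordinates group:artifact:type[:classifier]:version[:scope]
LINE_RE = re.compile(r"^(?P<prefix>[\s|+\\-]*)(?P<coords>[\w.-]+:[\w.-]+(?::[\w.-]+)+)$")


def parse_version(version):
    """'2.45' -> (2, 45); non-numeric parts such as SNAPSHOT sort below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.-]", version))


def resolved_paths(tree, group, artifact):
    """Return [(version, path)] for every node matching group:artifact.

    path lists the coordinates from the root down, so it shows which direct
    dependency drags the artifact in transitively.
    """
    stack = []  # (depth, coords) of the ancestors of the current line
    hits = []
    for raw in tree.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3  # Maven indents three columns per level
        coords = m.group("coords")
        while stack and stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, coords))
        parts = coords.split(":")
        if parts[0] == group and parts[1] == artifact:
            # g:a:type:version[:scope] has the version 4th; with a classifier it is 5th
            version = parts[4] if len(parts) == 6 else parts[3]
            hits.append((version, [c for _, c in stack]))
    return hits


def vulnerable_paths(tree, group, artifact, fixed_version):
    """Paths on which the artifact still resolves below fixed_version."""
    fixed = parse_version(fixed_version)
    return [(v, path) for v, path in resolved_paths(tree, group, artifact)
            if parse_version(v) < fixed]


if __name__ == "__main__":
    for label, tree in (("before", TREE_BEFORE), ("after", TREE_AFTER)):
        bad = vulnerable_paths(tree, "org.glassfish.jersey.core", "jersey-client", "2.47")
        print(f"{label}: {len(bad)} vulnerable path(s)")
        for version, path in bad:
            print(f"  {version} via " + " -> ".join(path))
```

Run against real output with `mvn dependency:tree -Dincludes=org.glassfish.jersey.core:jersey-client` piped into the script to confirm the pin or exclusion took effect in every module.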

Contributor

I think it would be better to upgrade to the latest version, as long as there are no compatibility issues.

<exclusions>
<exclusion>
<groupId>org.glassfish.jersey.core</groupId>
<artifactId>jersey-client</artifactId>
Contributor

Why are we excluding jersey-client in this context?

Contributor Author

The pinot-common:1.3.0 dependency transitively brings in jersey-client:2.45, which contains the security vulnerability (CVE-2025-12383).
By excluding the transitive dependency and declaring jersey-client:2.47 explicitly in our POM, we ensure that the secure version is used instead of the vulnerable one.

Contributor

Thanks for the clarification. If this vulnerability is coming transitively from pinot-common:1.3.0, should we consider upgrading pinot-common to 1.4.0? This vulnerability is not listed for version 1.4.0 in the Maven repository. If upgrading pinot-common resolves the issue, then we may not need to upgrade jersey-client explicitly.

</goals>
<configuration>
<ignoredUnusedDeclaredDependencies>
<ignoredUnusedDeclaredDependency>org.glassfish.jersey.core:jersey-client</ignoredUnusedDeclaredDependency>
Contributor

Why are we adding org.glassfish.jersey.core:jersey-client to ignoredUnusedDeclaredDependency?

Contributor Author

While presto-pinot-toolkit doesn't directly reference jersey-client classes in its own code, it's consumed transitively through pinot-common. Since we're explicitly managing this dependency version, the plugin will need to ignore this "unused" warning.

Contributor

The above comment applies here as well.

@imsayari404 imsayari404 requested a review from NivinCS November 25, 2025 06:28
Member

@imjalpreet imjalpreet left a comment

Thank you, @imsayari404.

We should avoid upgrading transitive dependencies when possible. In this case, the Pinot 1.4.0 release already updates the Jersey dependencies to 2.47 (https://github.com/apache/pinot/blob/3a56c9db545e3b403863d8319055ea9be8eae771/pom.xml#L150), so we should try to upgrade Pinot from 1.3.0 to 1.4.0 and assess the amount of work required.

@imsayari404 imsayari404 changed the title fix(security): Upgrade jersey-client to version 2.47 to address CVE-2025-12383 fix(security): Upgrade pinot to version 1.40 to address CVE-2025-12383 Nov 26, 2025
@imsayari404 imsayari404 marked this pull request as draft November 26, 2025 02:58
Contributor Author

imsayari404 commented Nov 26, 2025

I've pushed some changes related to the upgrade work, but I'm currently facing an issue while testing the Pinot connector locally on Presto OSS master.
The error I'm seeing is:
Query 20251126_113333_00001_sf5bd failed: java.io.UncheckedIOException: java.io.IOException: org.eclipse.jetty.client.HttpResponseException: HTTP protocol violation: Authentication challenge without WWW-Authenticate header

I'm looking into this at the moment and will update once I identify the root cause.

This PR will resolve this issue: feat(plugin-pinot): Add TLS support #26151 (not yet merged).
I tried cherry-picking this PR and I'm no longer getting the auth error.

presto> select * from pinot.default.airlineStats limit 2;
 ActualElapsedTime | AirTime | AirlineID | ArrDel15 | ArrDelay | ArrDelayMinutes | ArrTime | ArrTimeBlk | ArrivalDelayGroups | CRSArrTime | CRSDepTime | CRSElapsedTime | CancellationCode | Cancelled | C>
-------------------+---------+-----------+----------+----------+-----------------+---------+------------+--------------------+------------+------------+----------------+------------------+-----------+-->
               384 |     359 |     19805 |        0 |       13 |              13 |    1238 | 1200-1259  |                  0 |       1225 |        900 |            385 | null             |         0 | A>
               269 |     251 |     19805 |        0 |      -36 |               0 |    1549 | 1600-1659  |                 -2 |       1625 |        825 |            300 | null             |         0 | A>
(2 rows)

Query 20251127_031048_00002_5484a, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
[Latency: client-side: 0:04, server-side: 0:04] [0 rows, 880B] [0 rows/s, 242B/s]

presto> select * from pinot.default.baseballStats limit 2;
 AtBatting | G_old | baseOnBalls | caughtStealing | doules | groundedIntoDoublePlays | hits | hitsByPitch | homeRuns | intentionalWalks | league | numberOfGames | numberOfGamesAsBatter | playerID  | pla>
-----------+-------+-------------+----------------+--------+-------------------------+------+-------------+----------+------------------+--------+---------------+-----------------------+-----------+---->
         0 |    11 |           0 |              0 |      0 |                       0 |    0 |           0 |        0 |                0 | NL     |            11 |                    11 | aardsda01 | Dav>
         2 |    45 |           0 |              0 |      0 |                       0 |    0 |           0 |        0 |                0 | NL     |            45 |                    43 | aardsda01 | Dav>
(2 rows)

Query 20251127_031113_00003_5484a, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
[Latency: client-side: 0:01, server-side: 0:01] [0 rows, 218B] [0 rows/s, 172B/s]

presto> 

@imjalpreet @NivinCS

@imsayari404 imsayari404 force-pushed the jersey_client_cve branch 3 times, most recently from 2fe8dd9 to 5189d6b Compare November 26, 2025 14:23
@imsayari404 imsayari404 marked this pull request as ready for review November 27, 2025 03:13
@prestodb-ci prestodb-ci requested a review from a team November 27, 2025 03:13
Contributor

sourcery-ai bot commented Nov 27, 2025

Reviewer's Guide

Upgrades Pinot from 1.3.0 to 1.4.0 to address a Jersey client CVE and adjusts the Pinot connector’s gRPC client, request builder usage, and tests to match the new Pinot 1.4.0 APIs and DataTable semantics.

Class diagram for updated Pinot gRPC client and request builder usage

```mermaid
classDiagram
    class PinotStreamingQueryClient {
        - Map~String, ServerGrpcQueryClient~ grpcQueryClientMap
        - GrpcConfig config
        + PinotStreamingQueryClient(GrpcConfig config)
        + Iterator~Server_ServerResponse~ submit(String host, int port, ServerGrpcRequestBuilder requestBuilder)
        - ServerGrpcQueryClient getOrCreateGrpcQueryClient(String host, int port)
    }

    class GrpcConfig {
    }

    class ServerGrpcQueryClient {
        + ServerGrpcQueryClient(String host, int port, GrpcConfig config)
        + Iterator~Server_ServerResponse~ submit(Object request)
    }

    class ServerGrpcRequestBuilder {
        + Object build()
    }

    class PinotProxyGrpcRequestBuilder {
    }

    PinotStreamingQueryClient --> GrpcConfig : has
    PinotStreamingQueryClient --> ServerGrpcQueryClient : caches
    PinotStreamingQueryClient --> ServerGrpcRequestBuilder : uses

    PinotProxyGrpcRequestBuilder --|> ServerGrpcRequestBuilder : extends
    ServerGrpcRequestBuilder ..> ServerGrpcQueryClient : builds_requests_for
```

File-Level Changes

Change: Update Pinot dependency to 1.4.0 to pull in Jersey client with CVE fix.
Details:
  • Bump dep.pinot.version from 1.3.0 to 1.4.0 in the root Maven pom property so all Pinot artifacts resolve to 1.4.0.
Files:
  pom.xml

Change: Adapt Pinot gRPC streaming client to Pinot 1.4.0 API renames.
Details:
  • Change the gRPC client map in PinotStreamingQueryClient to use ServerGrpcQueryClient instead of GrpcQueryClient.
  • Update submit signature and implementation in PinotStreamingQueryClient to accept ServerGrpcRequestBuilder and construct ServerGrpcQueryClient instances.
  • Update PinotProxyGrpcRequestBuilder to extend ServerGrpcRequestBuilder instead of the old GrpcRequestBuilder.
Files:
  presto-pinot-toolkit/src/main/java/com/facebook/presto/pinot/PinotStreamingQueryClient.java
  presto-pinot-toolkit/src/main/java/com/facebook/presto/pinot/query/PinotProxyGrpcRequestBuilder.java

Change: Adjust tests to new Pinot 1.4.0 DataTable and gRPC request semantics.
Details:
  • Remove OBJECT type handling in TestPinotSegmentPageSource to match the updated DataTableBuilder.setColumn signature and supported types.
  • Wrap byte[] values in ByteArray when setting BYTES columns in DataTableBuilder for test data.
  • Update tests to use ServerGrpcRequestBuilder instead of GrpcRequestBuilder and adjust metadata count/assertions to reflect the additional metadata entry in Pinot 1.4.0.
  • Update the TestingPinotStreamingQueryClient test double to accept ServerGrpcRequestBuilder in its submit method.
Files:
  presto-pinot-toolkit/src/test/java/com/facebook/presto/pinot/TestPinotSegmentPageSource.java



@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes - here's some feedback:

  • The testPinotGrpcRequest assertion on grpcRequest.getMetadataCount() being exactly 6 is likely to be brittle with future Pinot changes; consider asserting the presence and values of the specific metadata keys you care about instead of the total count.
Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `presto-pinot-toolkit/src/test/java/com/facebook/presto/pinot/TestPinotSegmentPageSource.java:436` </location>
<code_context>
         Assert.assertEquals(grpcRequest.getSegmentsCount(), 1);
         Assert.assertEquals(grpcRequest.getSegments(0), "segment1");
-        Assert.assertEquals(grpcRequest.getMetadataCount(), 5);
+        Assert.assertEquals(grpcRequest.getMetadataCount(), 6);
         Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.REQUEST_ID), "121");
         Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.BROKER_ID), "presto-coordinator-grpc");
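Review bot: raising the expected metadata count from 5 to 6 establishes that one more entry exists but not which one, so any extra key would satisfy the assertion; add a `getMetadataOrThrow` check for the entry that Pinot 1.4.0 introduces, next to the existing REQUEST_ID and BROKER_ID assertions, so the test fails if that entry is missing or carries the wrong value.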
</code_context>

<issue_to_address>
**suggestion (testing):** Consider asserting the new metadata key/value instead of only the metadata count

Increasing the expected metadata count confirms that an extra entry exists, but not that the new Pinot 1.4.0 metadata is present or correct. To make the test more robust, also assert the specific key and value for the new entry (e.g., `assertEquals(grpcRequest.getMetadataOrThrow(<NEW_KEY>), <expectedValue>)`) so the test fails if the wrong metadata is set or the new entry is removed.

Suggested implementation:

```java
        Assert.assertEquals(grpcRequest.getSegmentsCount(), 1);
        Assert.assertEquals(grpcRequest.getSegments(0), "segment1");
        Assert.assertEquals(grpcRequest.getMetadataCount(), 6);
        // New Pinot 1.4.0 metadata: verify the ENABLE_STREAMING flag is present and correct
        Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.ENABLE_STREAMING), "true");
        Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.REQUEST_ID), "121");
        Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.BROKER_ID), "presto-coordinator-grpc");
        Assert.assertEquals(grpcRequest.getMetadataOrThrow(CommonConstants.Query.Request.MetadataKeys.ENABLE_TRACE), "false");

```

If the actual metadata key name introduced by Pinot 1.4.0 differs from `ENABLE_STREAMING` (e.g., it uses a different constant or resides under a different enum/class), adjust `CommonConstants.Query.Request.MetadataKeys.ENABLE_STREAMING` to the correct constant. Also ensure that the `ServerGrpcRequestBuilder#setEnableStreaming(true)` call is indeed what triggers this metadata entry; if the new metadata comes from a different setting, point the assertion to the appropriate key and expected value.
</issue_to_address>


@imsayari404 imsayari404 force-pushed the jersey_client_cve branch 2 times, most recently from e143225 to e66f892 Compare November 27, 2025 03:38