[SPARK-52803][BUILD] Update aws-java-sdk-sts to 1.12.720 in kinesis-asl module

[eschcam]

What changes were proposed in this pull request?

Upgrading aws-java-sdk-sts from 1.11.655 to 1.12.720

Does this PR introduce any user-facing change?

No

How was this patch tested?

Using the run-tests script

Was this patch authored or co-authored using generative AI tooling?

No

[dongjoon-hyun]

Thank you, @eschcam . However, please follow HADOOP-19172 instead of 1.12.261.

• apache/hadoop#6823

[dongjoon-hyun]

The PR title and description is outdated, @eschcam .

[dongjoon-hyun]

Are you sure that you want to update aws-java-sdk-s3?

[SPARK-52803][BUILD] Update aws-java-sdk-s3 to 1.12.720

If then, this PR looks invalid because we don't use it, @eschcam . For S3, we use AWS SDK v2.

• #50731

[eschcam]

Are you sure that you want to update aws-java-sdk-s3?

[SPARK-52803][BUILD] Update aws-java-sdk-s3 to 1.12.720

If then, this PR looks invalid because we don't use it, @eschcam . For S3, we use AWS SDK v2.

* #50731

I was taking the package name from OSV Scanner. I believe it was detected as part of aws-java-sdk-sts

[dongjoon-hyun]

Then, why do you mention aws-java-sdk-s3 in the PR title? I'm wondering where it comes from?

I was taking the package name from OSV Scanner. I believe it was detected as part of aws-java-sdk-sts

[eschcam]

Then, why do you mention aws-java-sdk-s3 in the PR title? I'm wondering where it comes from?

I guess saying Update AWS Java SDK would be more accurate then?

I honestly didn't realise aws-java-sdk-s3 wasn't used in the project
That's what I get for taking package names from an OSV report 😆

[dongjoon-hyun]

$ git grep -C1 aws.java.sdk.version
connector/kinesis-asl/pom.xml-      <artifactId>aws-java-sdk-sts</artifactId>
connector/kinesis-asl/pom.xml:      <version>${aws.java.sdk.version}</version>
connector/kinesis-asl/pom.xml-    </dependency>
--
pom.xml-    <!-- Should be consistent with Kinesis client dependency -->
pom.xml:    <aws.java.sdk.version>1.11.655</aws.java.sdk.version>
pom.xml-    <aws.java.sdk.v2.version>2.29.52</aws.java.sdk.v2.version>

It's only aws-java-sdk-sts dependency in kinesis-asl module. So, it seems that this PR is completely irrelevant any CVE issue. Please remove all irrelevant information. This is a false alarm.

[dongjoon-hyun]

Oh, could you double-check that this is consistent with Kinesis client dependency? The line 160 show a requirement for kinesis-asl module.

[eschcam]

Version 1.15.3 of amazon-kinesis-client seems to use version 1.12.681 of the aws-java-sdk libs https://mvnrepository.com/artifact/com.amazonaws/amazon-kinesis-client/1.15.3

[eschcam]

The more recent versions of the client appear to use the V2 versions of the SDK https://mvnrepository.com/artifact/software.amazon.kinesis/amazon-kinesis-client/3.1.1

[dongjoon-hyun]

I double-checked the pom file. Unfortunately, it seems that we cannot change this dependency while we are using aws-kinesis-client 1.12.0.

<aws.kinesis.client.version>1.12.0</aws.kinesis.client.version>

[eschcam]

Would updating aws-kinesis-client to 1.15.3 and aws-java-sdk-sts to 1.12.681 be okay?

[dongjoon-hyun]

AFAIK, it requires a manual testing for this module. Can you verify it with the real AWS Kinesis? Unfortunately, there were a few attempts on this module but nobody verified their updates with the real AWS Kinesis. That's the reason why this module is sitting on AWS SKD v1 exceptionally.