From 68f11c1551bbd1ae177d7250fee33b70b1f51a73 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Wed, 19 Nov 2025 14:08:53 +0100
Subject: [PATCH 01/21] remive schematool fix
---
 hive/Dockerfile | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/hive/Dockerfile b/hive/Dockerfile
index 037bb0321..3e5d4eb5b 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -84,10 +84,6 @@ elif [[ "${PRODUCT_VERSION}" == 4.0.* ]]; then
 # We only seem to get a .tar.gz archive, so let's extract that to the correct location
 tar --extract --directory=/stackable -f standalone-metastore/metastore-server/target/apache-hive-standalone-metastore-server-${NEW_VERSION}-bin.tar.gz
 mv standalone-metastore/metastore-server/target/bom.json /stackable/apache-hive-metastore-${NEW_VERSION}-bin/apache-hive-metastore-${NEW_VERSION}.cdx.json
-
- # TODO: Remove once the fix https://github.com/apache/hive/pull/5419 is merged and released
- # The schemaTool.sh is still pointing to the class location from Hive < 4.0.0, it seems like it was forgotten to update it
- sed -i -e 's/CLASS=org.apache.hadoop.hive.metastore.tools.MetastoreSchemaTool/CLASS=org.apache.hadoop.hive.metastore.tools.schematool.MetastoreSchemaTool/' /stackable/apache-hive-metastore-${NEW_VERSION}-bin/bin/ext/schemaTool.sh
 )
 else
 # Starting with 4.1.0 the build process changed again in https://github.com/apache/hive/pull/5936 (HIVE-29062)
From 078db150f8ad5f30715e2806b0259b0ccedbee5c Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Wed, 19 Nov 2025 14:09:45 +0100
Subject: [PATCH 02/21] cleanup and comments
---
 hive/hive-metastore-opa-authorizer/Dockerfile | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/hive/hive-metastore-opa-authorizer/Dockerfile b/hive/hive-metastore-opa-authorizer/Dockerfile
index 4c3f3bee2..72bf08b30 100644
--- a/hive/hive-metastore-opa-authorizer/Dockerfile
+++ b/hive/hive-metastore-opa-authorizer/Dockerfile
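Review bot: Dropping the `sed` rewrite of `CLASS=` in `bin/ext/schemaTool.sh` leaves every build that takes the `elif [[ "${PRODUCT_VERSION}" == 4.0.* ]]` branch relying on the upstream script already naming `org.apache.hadoop.hive.metastore.tools.schematool.MetastoreSchemaTool`, which the removed TODO tied to apache/hive#5419 being released. Nothing in the hunk records which 4.0.x release carries that fix, and the branch also covers 4.0.0, which a later commit in this series appears to re-add. A one-line comment in place of the removed block keeps the decision auditable, e.g. `# schemaTool.sh already points at ...tools.schematool.MetastoreSchemaTool in 4.0.x (apache/hive#5419), so no rewrite is needed` — confirm this holds for 4.0.0 as well before merging. The enclosing subshell and `if` chain begin and end outside the hunk.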
@@ -48,15 +48,13 @@ cp -r /stackable/patched-libs/maven/* /stackable/.m2/repository
 mvn versions:set -DnewVersion=${AUTHORIZER_VERSION}
 # The if part can be removed once we do no longer support Hive 3.x.x
+# Hive 3.1.3 only works with the shaded jar
 if [[ "${HIVE_VERSION}" =~ ^3 ]]; then
 mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v3/pom.xml
- mv hms-v3/target/com.bosch.bdps.hms3-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin
+# Hive 4.1.0 only works with the non shaded jar
 else
 mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v4/pom.xml
-
- # The hive-metastore-opa-authorizer offers a shaded jar from version 4.x.x. Using the shaded jar leads to problems with schema tool at pod startup.
- # mv hms-v4/target/com.bosch.bdps.hms4-${HIVE_VERSION}-${HADOOP_VERSION}-dev.jar /stackable/opa-authorizer-bin
 mv hms-v4/target/hms4-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin
 fi
From a9ff8d820b52dacb6831bbe937e66b0784b9d696 Mon Sep 17 00:00:00 2001
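Review bot: As rendered, the 3.x branch's `mv hms-v3/target/...jar /stackable/opa-authorizer-bin` line carries a removal marker and the diffstat counts four deletions, which would leave Hive 3 builds producing a jar that is never copied into `/stackable/opa-authorizer-bin`; later hunks in this series still modify that line, so this may be a rendering artifact, but the 3.x branch should be checked after this commit. Separately, the new comment `# Hive 4.1.0 only works with the non shaded jar` sits above an `else` that catches every non-3.x version, so it over-states what the condition checks; a comment that names the condition (`else` = any non-3.x version) is more accurate than one that names a single release. The `RUN` heredoc enclosing this `if` begins and ends outside the hunk.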
From: Malte Sander Date: Wed, 19 Nov 2025 14:10:31 +0100 Subject: [PATCH 03/21] remove 4.0.0 patches --- .../4.0.0/0001-Include-Postgres-driver.patch | 34 -------------- .../0002-Include-logging-dependencies.patch | 26 ---------- .../4.0.0/0003-Add-CycloneDX-plugin.patch | 45 ------------------ .../4.0.0/0004-Fix-CVE-2024-36114.patch | 44 ----------------- .../4.0.0/0005-Fix-CVE-2024-1597.patch | 47 ------------------- hive/stackable/patches/4.0.0/patchable.toml | 2 - 6 files changed, 198 deletions(-) delete mode 100644 hive/stackable/patches/4.0.0/0001-Include-Postgres-driver.patch delete mode 100644 hive/stackable/patches/4.0.0/0002-Include-logging-dependencies.patch delete mode 100644 hive/stackable/patches/4.0.0/0003-Add-CycloneDX-plugin.patch delete mode 100644 hive/stackable/patches/4.0.0/0004-Fix-CVE-2024-36114.patch delete mode 100644 hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch delete mode 100644 hive/stackable/patches/4.0.0/patchable.toml diff --git a/hive/stackable/patches/4.0.0/0001-Include-Postgres-driver.patch b/hive/stackable/patches/4.0.0/0001-Include-Postgres-driver.patch deleted file mode 100644 index 50675ac24..000000000 --- a/hive/stackable/patches/4.0.0/0001-Include-Postgres-driver.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From c5eb86648fe96b048723372024fa7278c9e108db Mon Sep 17 00:00:00 2001 -From: Sebastian Bernauer -Date: Tue, 3 Sep 2024 11:13:24 +0200 -Subject: Include Postgres driver - ---- - standalone-metastore/metastore-server/pom.xml | 1 - - standalone-metastore/pom.xml | 1 - - 2 files changed, 2 deletions(-) - -diff --git a/standalone-metastore/metastore-server/pom.xml b/standalone-metastore/metastore-server/pom.xml -index a8f680928c..7102f1b5ca 100644 ---- a/standalone-metastore/metastore-server/pom.xml -+++ b/standalone-metastore/metastore-server/pom.xml -@@ -334,7 +334,6 @@ - - org.postgresql - postgresql -- true - - - org.eclipse.jetty -diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml -index 28ac5ceb65..e3cbd821bd 100644 ---- a/standalone-metastore/pom.xml -+++ b/standalone-metastore/pom.xml -@@ -397,7 +397,6 @@ - org.postgresql - postgresql - ${postgres.version} -- runtime - - - org.apache.httpcomponents diff --git a/hive/stackable/patches/4.0.0/0002-Include-logging-dependencies.patch b/hive/stackable/patches/4.0.0/0002-Include-logging-dependencies.patch deleted file mode 100644 index fc021b1e7..000000000 --- a/hive/stackable/patches/4.0.0/0002-Include-logging-dependencies.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 69071d4d4525a8ceb27cbefa9a093d0678a1f3dd Mon Sep 17 00:00:00 2001 -From: Lars Francke -Date: Tue, 13 Aug 2024 13:38:12 +0200 -Subject: Include logging dependencies - -This adds dependencies required for use of the XmlLayout for logging ---- - standalone-metastore/pom.xml | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml -index e3cbd821bd..205fc31ec7 100644 ---- a/standalone-metastore/pom.xml -+++ b/standalone-metastore/pom.xml -@@ -493,6 +493,11 @@ - com.fasterxml.jackson.core - jackson-databind - -+ -+ -+ com.fasterxml.jackson.dataformat -+ jackson-dataformat-xml -+ - - - 
diff --git a/hive/stackable/patches/4.0.0/0003-Add-CycloneDX-plugin.patch b/hive/stackable/patches/4.0.0/0003-Add-CycloneDX-plugin.patch deleted file mode 100644 index 978de7fd3..000000000 --- a/hive/stackable/patches/4.0.0/0003-Add-CycloneDX-plugin.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 23995b6c1ef70e4e119ce0493e63ff3a75ea1378 Mon Sep 17 00:00:00 2001 -From: Lukas Voetmand -Date: Fri, 6 Sep 2024 17:53:52 +0200 -Subject: Add CycloneDX plugin - ---- - standalone-metastore/pom.xml | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml -index 205fc31ec7..2982a45ca0 100644 ---- a/standalone-metastore/pom.xml -+++ b/standalone-metastore/pom.xml -@@ -41,6 +41,7 @@ - false - ${settings.localRepository} - 3.1.0 -+ 2.8.0 - ${basedir}/${standalone.metastore.path.to.root}/checkstyle - - ${project.basedir}/src/test/resources -@@ -594,6 +595,23 @@ - - - -+ -+ org.cyclonedx -+ cyclonedx-maven-plugin -+ ${maven.cyclonedx.plugin.version} -+ -+ application -+ 1.5 -+ -+ -+ -+ package -+ -+ makeBom -+ -+ -+ -+ - - - diff --git a/hive/stackable/patches/4.0.0/0004-Fix-CVE-2024-36114.patch b/hive/stackable/patches/4.0.0/0004-Fix-CVE-2024-36114.patch deleted file mode 100644 index d9d293e75..000000000 --- a/hive/stackable/patches/4.0.0/0004-Fix-CVE-2024-36114.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 4a85ad5ec7b0dbfb9f2c4524531ae0198a352b3d Mon Sep 17 00:00:00 2001 -From: Malte Sander -Date: Tue, 12 Nov 2024 11:49:57 +0100 -Subject: Fix CVE-2024-36114 - -see https://github.com/stackabletech/vulnerabilities/issues/834 - -Aircompressor is a library with ports of the Snappy, LZO, LZ4, and -Zstandard compression algorithms to Java. All decompressor -implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash -the JVM for certain input, and in some cases also leak the content of -other memory of the Java process (which could contain sensitive -information). When decompressing certain data, the decompressors try to -access memory outside the bounds of the given byte arrays or byte -buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to -speed up memory access, no additional bounds checks are performed and -this has similar security consequences as out-of-bounds access in C or -C++, namely it can lead to non-deterministic behavior or crash the JVM. -Users should update to Aircompressor 0.27 or newer where these issues -have been fixed. When decompressing data from untrusted users, this can -be exploited for a denial-of-service attack by crashing the JVM, or to -leak other sensitive information from the Java process. There are no -known workarounds for this issue. ---- - standalone-metastore/pom.xml | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml -index 2982a45ca0..cd34884e3b 100644 ---- a/standalone-metastore/pom.xml -+++ b/standalone-metastore/pom.xml -@@ -121,6 +121,12 @@ - - - -+ -+ -+ io.airlift -+ aircompressor -+ 0.27 -+ - - org.apache.orc - orc-core diff --git a/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch b/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch deleted file mode 100644 index 8482057a7..000000000 --- a/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 85fab788520b73e514e52e0753d36dafdf513e5b Mon Sep 17 00:00:00 2001 -From: Nick Larsen -Date: Thu, 15 May 2025 14:14:28 +0200 -Subject: Fix CVE-2024-1597 - -See https://github.com/stackabletech/vulnerabilities/issues/681 - -pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using -PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there -is no vulnerability. A placeholder for a numeric value must be immediately -preceded by a minus. There must be a second placeholder for a string value after -the first placeholder; both must be on the same line. By constructing a matching -string payload, the attacker can inject SQL to alter the query,bypassing the -protections that parameterized queries bring against SQL Injection attacks. -Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are -affected. ---- - pom.xml | 2 +- - standalone-metastore/pom.xml | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pom.xml b/pom.xml -index a4dfc8d1e4..699228cba3 100644 ---- a/pom.xml -+++ b/pom.xml -@@ -178,7 +178,7 @@ - 2.5.0 - 6.2.1.jre8 - 8.0.31 -- 42.5.1 -+ 42.5.6 - 21.3.0.0 - 2.3 - 1.8.5 -diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml -index cd34884e3b..da84c8928e 100644 ---- a/standalone-metastore/pom.xml -+++ b/standalone-metastore/pom.xml -@@ -72,7 +72,7 @@ - 2.5.0 - 6.2.1.jre8 - 8.0.31 -- 42.5.1 -+ 42.5.6 - 21.3.0.0 - 0.1.2 - diff --git a/hive/stackable/patches/4.0.0/patchable.toml b/hive/stackable/patches/4.0.0/patchable.toml deleted file mode 100644 index f8bd6ce3f..000000000 --- a/hive/stackable/patches/4.0.0/patchable.toml +++ /dev/null @@ -1,2 +0,0 @@ -base = "183f8cb41d3dbed961ffd27999876468ff06690c" -mirror = "https://github.com/stackabletech/hive.git" From f5530eeeb85a6b1556ca93829ad69ad8456280fa Mon Sep 17 00:00:00 2001 
From: Malte Sander
Date: Thu, 20 Nov 2025 11:37:33 +0100
Subject: [PATCH 04/21] wip - 4.0.1 working with jar rename
---
 hive/Dockerfile | 5 ++++-
 hive/hive-metastore-opa-authorizer/Dockerfile | 13 ++++++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/hive/Dockerfile b/hive/Dockerfile
index 3e5d4eb5b..87a528057 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -235,7 +235,10 @@ USER ${STACKABLE_USER_UID}
 ENV HIVE_HOME=/stackable/hive-metastore
 ENV HADOOP_HOME=/stackable/hadoop
-ENV PATH="${PATH}":/stackable/hadoop/bin:/stackable/hive-metastore/bin
+ENV PATH="${PATH}:${HADOOP_HOME}/bin:${HIVE_HOME}/bin"
+#ENV CLASSPATH="${HADOOP_HOME}/lib/*:${HIVE_HOME}/lib/*:/stackable/auxlib/*:."
+#ENV CLASSPATH="${HADOOP_HOME}/lib/*:${HIVE_HOME}/lib/*:."
+#ENV HIVE_AUX_JARS_PATH="${HIVE_HOME}/auxlib/hms4-4.0.1-3.3.6-v1.0.0.jar"
 # The following 2 env-vars are required for common hadoop scripts even if the respective libraries are never used.
 # We set them here to a sensible default.
diff --git a/hive/hive-metastore-opa-authorizer/Dockerfile b/hive/hive-metastore-opa-authorizer/Dockerfile
index 72bf08b30..c3421c9e2 100644
--- a/hive/hive-metastore-opa-authorizer/Dockerfile
+++ b/hive/hive-metastore-opa-authorizer/Dockerfile
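Review bot: The three commented-out `#ENV CLASSPATH=...` / `#ENV HIVE_AUX_JARS_PATH=...` lines are dead configuration in a shipped image, and the last one hard-codes `hms4-4.0.1-3.3.6-v1.0.0.jar` although the surrounding `ENV` lines derive every path from `${HIVE_HOME}` and `${HADOOP_HOME}`. If they record an experiment, a one-line comment saying why `CLASSPATH`/`HIVE_AUX_JARS_PATH` did not change the jar loading order is more useful than the literal lines; otherwise drop them (a later commit in this series appears to do so, in which case squashing is cleaner). The `ENV PATH="${PATH}:${HADOOP_HOME}/bin:${HIVE_HOME}/bin"` change itself looks right.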
@@ -49,13 +49,20 @@ mvn versions:set -DnewVersion=${AUTHORIZER_VERSION}
 # The if part can be removed once we do no longer support Hive 3.x.x
 # Hive 3.1.3 only works with the shaded jar
-if [[ "${HIVE_VERSION}" =~ ^3 ]]; then
+if [[ "${HIVE_VERSION}" =~ "^3" ]]; then
 mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v3/pom.xml
- mv hms-v3/target/com.bosch.bdps.hms3-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin
+ mv hms-v3/target/com.bosch.bdps.hms3-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/hms3-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar
+# Hive 4.0.1 only works with the shaded jar
+elif [[ "${HIVE_VERSION}" == "4.0.1" ]]; then
+ mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v4/pom.xml
+ # The renaming from "com.bosch.bdps.hms4-..." to "zhms4-.." is required for 4.0.1 because it is a dependency mess and otherwise loaded before other hive
+ # libraries. Setting CLASSPATH or HIVE_AUX_JARS_PATH did not reorder the dependency loading up as well.
+ # This is very very bad and depends on alhpabetically ordering...
+ mv hms-v4/target/com.bosch.bdps.hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/zhms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar
 # Hive 4.1.0 only works with the non shaded jar
 else
 mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v4/pom.xml
- mv hms-v4/target/hms4-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin
+ mv hms-v4/target/hms4-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar
 fi
 # We're removing these to make the intermediate layer smaller
From 40cc57a0b744d4142fc0adbe9b183abf16b11ad3 Mon Sep 17 00:00:00 2001
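Review bot: `if [[ "${HIVE_VERSION}" =~ "^3" ]]; then` quotes the regex, and in bash a quoted right-hand side of `=~` is matched as a literal string, so this only matches a version containing the two characters `^3` and every Hive 3 build falls through to the `else` branch; keep the pattern unquoted, `if [[ "${HIVE_VERSION}" =~ ^3 ]]; then` (or compare against the exact release with `==`). The `zhms4-` rename that relies on alphabetical classpath ordering is already marked as fragile by its own comment; the version-specific branch is the right place to document the actual class-loading conflict, not a filename that encodes it. The enclosing `RUN` heredoc starts outside the hunk.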
From: Malte Sander Date: Mon, 24 Nov 2025 16:01:02 +0100 Subject: [PATCH 05/21] fix 4.0.1 by relocating jline --- hive/Dockerfile | 2 +- hive/hive-metastore-opa-authorizer/Dockerfile | 7 +--- .../v1.0.0/0001-Shade-jline-explicitly.patch | 39 +++++++++++++++++++ 3 files changed, 42 insertions(+), 6 deletions(-) create mode 100644 hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Shade-jline-explicitly.patch diff --git a/hive/Dockerfile b/hive/Dockerfile index 87a528057..6fbdacec0 100644 --- a/hive/Dockerfile +++ b/hive/Dockerfile @@ -47,7 +47,7 @@ RUN /stackable/patchable --images-repo-root=src checkout hive ${PRODUCT_VERSION} # Use bash for regex machting, otherwise docker lint is complaining: # hive/Dockerfile:51 SC3014 warning: In POSIX sh, == in place of = is undefined. -SHELL ["/bin/bash", "-c"] +SHELL ["/bin/bash", "-o", "pipefail", "-c"] # Make expensive maven build a separate layer for better caching # Cache mounts are owned by root by default diff --git a/hive/hive-metastore-opa-authorizer/Dockerfile b/hive/hive-metastore-opa-authorizer/Dockerfile index c3421c9e2..85161e204 100644 --- a/hive/hive-metastore-opa-authorizer/Dockerfile +++ b/hive/hive-metastore-opa-authorizer/Dockerfile @@ -25,7 +25,7 @@ COPY --chown=${STACKABLE_USER_UID}:0 --from=hadoop-builder /stackable/patched-li # Use bash for regex machting, otherwise docker lint is complaining: # hive/hive-metastore-opa-authorizer/Dockerfile:26 SC3015 warning: In POSIX sh, =~ regex matching is undefined. -SHELL ["/bin/bash", "-c"] +SHELL ["/bin/bash", "-o", "pipefail", "-c"] # Make expensive maven build a separate layer for better caching # Cache mounts are owned by root by default 
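Review bot: `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` makes a failing pipeline stage fail the `RUN`, but the multi-command heredoc bodies that follow (not visible in this chunk) still succeed as long as their last command succeeds unless they run `set -e`; `SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]` (or `set -euo pipefail` at the top of each heredoc) makes every failed step abort the build. This applies to both hunks, `hive/Dockerfile` and `hive/hive-metastore-opa-authorizer/Dockerfile`. The comment above each `SHELL` line still explains only the `==`/`=~` lint; adding `# -o pipefail: a failing pipeline stage must fail the RUN (hadolint DL4006)` documents the new flag.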
@@ -55,10 +55,7 @@ if [[ "${HIVE_VERSION}" =~ "^3" ]]; then # Hive 4.0.1 only works with the shaded jar elif [[ "${HIVE_VERSION}" == "4.0.1" ]]; then mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v4/pom.xml - # The renaming from "com.bosch.bdps.hms4-..." to "zhms4-.." is required for 4.0.1 because it is a dependency mess and otherwise loaded before other hive - # libraries. Setting CLASSPATH or HIVE_AUX_JARS_PATH did not reorder the dependency loading up as well. - # This is very very bad and depends on alhpabetically ordering... - mv hms-v4/target/com.bosch.bdps.hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/zhms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar + mv hms-v4/target/com.bosch.bdps.hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar # Hive 4.1.0 only works with the non shaded jar else mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v4/pom.xml diff --git a/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Shade-jline-explicitly.patch b/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Shade-jline-explicitly.patch new file mode 100644 index 000000000..a1eee5c5c --- /dev/null +++ b/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Shade-jline-explicitly.patch @@ -0,0 +1,39 @@ +From 500af58b1022e65ba3b498e210d6f69fa1e3a1d4 Mon Sep 17 00:00:00 2001 +From: Malte Sander +Date: Mon, 24 Nov 2025 15:00:03 +0100 +Subject: Shade jline explicitly + +--- + hms-v4/pom.xml | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/hms-v4/pom.xml b/hms-v4/pom.xml +index 4ebeac4..e1d6fd9 100644 +--- a/hms-v4/pom.xml ++++ b/hms-v4/pom.xml +@@ -67,6 +67,25 @@ + + + ++ ++ ++ ++ org.jline ++ com.bosch.bdps.jline ++ ++ + + + 
From 6afc47e87f9fa81b0dff36d3cc4dc7e08aa34cc1 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Mon, 24 Nov 2025 16:39:20 +0100 Subject: [PATCH 06/21] fixes & cleanup --- hive/Dockerfile | 3 -- ...o-avoid-depedency-mess-with-hive-sch.patch | 39 +++++++++++++++++++ .../v1.0.0/0001-Shade-jline-explicitly.patch | 39 ------------------- 3 files changed, 39 insertions(+), 42 deletions(-) create mode 100644 hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch delete mode 100644 hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Shade-jline-explicitly.patch diff --git a/hive/Dockerfile b/hive/Dockerfile index 6fbdacec0..926d577e1 100644 --- a/hive/Dockerfile +++ b/hive/Dockerfile @@ -236,9 +236,6 @@ USER ${STACKABLE_USER_UID} ENV HIVE_HOME=/stackable/hive-metastore ENV HADOOP_HOME=/stackable/hadoop ENV PATH="${PATH}:${HADOOP_HOME}/bin:${HIVE_HOME}/bin" -#ENV CLASSPATH="${HADOOP_HOME}/lib/*:${HIVE_HOME}/lib/*:/stackable/auxlib/*:." -#ENV CLASSPATH="${HADOOP_HOME}/lib/*:${HIVE_HOME}/lib/*:." -#ENV HIVE_AUX_JARS_PATH="${HIVE_HOME}/auxlib/hms4-4.0.1-3.3.6-v1.0.0.jar" # The following 2 env-vars are required for common hadoop scripts even if the respective libraries are never used. # We set them here to a sensible default. diff --git a/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch b/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch new file mode 100644 index 000000000..56175493f --- /dev/null +++ b/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch 
@@ -0,0 +1,39 @@ +From beabf57d974d85eaa0ffbd822e32a59b0781d42b Mon Sep 17 00:00:00 2001 +From: Malte Sander +Date: Mon, 24 Nov 2025 16:37:57 +0100 +Subject: Relocate jline to avoid depedency mess with hive schematool + +--- + hms-v4/pom.xml | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/hms-v4/pom.xml b/hms-v4/pom.xml +index 4ebeac4..942fb94 100644 +--- a/hms-v4/pom.xml ++++ b/hms-v4/pom.xml +@@ -67,6 +67,25 @@ + + + ++ ++ ++ ++ org.jline ++ com.bosch.bdps.jline ++ ++ + + + diff --git a/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Shade-jline-explicitly.patch b/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Shade-jline-explicitly.patch deleted file mode 100644 index a1eee5c5c..000000000 --- a/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Shade-jline-explicitly.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 500af58b1022e65ba3b498e210d6f69fa1e3a1d4 Mon Sep 17 00:00:00 2001 -From: Malte Sander -Date: Mon, 24 Nov 2025 15:00:03 +0100 -Subject: Shade jline explicitly - ---- - hms-v4/pom.xml | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/hms-v4/pom.xml b/hms-v4/pom.xml -index 4ebeac4..e1d6fd9 100644 ---- a/hms-v4/pom.xml -+++ b/hms-v4/pom.xml -@@ -67,6 +67,25 @@ - - - -+ -+ -+ -+ org.jline -+ com.bosch.bdps.jline -+ -+ - - - From 1ab6431c8df4455aaa2953af87603fb757816a1f Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Mon, 24 Nov 2025 16:40:59 +0100 Subject: [PATCH 07/21] fix typo --- ...1-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch b/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch index 56175493f..da928e44e 100644 
--- a/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch +++ b/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch @@ -1,7 +1,7 @@ From beabf57d974d85eaa0ffbd822e32a59b0781d42b Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Mon, 24 Nov 2025 16:37:57 +0100 -Subject: Relocate jline to avoid depedency mess with hive schematool +Subject: Relocate jline to avoid dependency mess with hive schematool --- hms-v4/pom.xml | 19 +++++++++++++++++++ From b511e99bcddd4b57a8d31b2f746cd1a92c713aa7 Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Mon, 24 Nov 2025 19:03:42 +0100 Subject: [PATCH 08/21] fix 3.1.3 --- hive/hive-metastore-opa-authorizer/Dockerfile | 5 ++- ...001-Relocate-jline-in-shading-plugin.patch | 37 ++++++++++++++++++ ...o-avoid-depedency-mess-with-hive-sch.patch | 39 ------------------- 3 files changed, 40 insertions(+), 41 deletions(-) create mode 100644 hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-in-shading-plugin.patch delete mode 100644 hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch diff --git a/hive/hive-metastore-opa-authorizer/Dockerfile b/hive/hive-metastore-opa-authorizer/Dockerfile index 85161e204..6b0c71f1e 100644 --- a/hive/hive-metastore-opa-authorizer/Dockerfile +++ b/hive/hive-metastore-opa-authorizer/Dockerfile 
@@ -31,6 +31,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"] # Cache mounts are owned by root by default # We need to explicitly give the uid to use RUN --mount=type=cache,id=maven-hive-metastore-opa-authorizer-${AUTHORIZER_VERSION},uid=${STACKABLE_USER_UID},target=/stackable/.m2/repository < +Date: Mon, 24 Nov 2025 18:05:16 +0100 +Subject: Relocate jline in shading plugin + +For Hive 4.0.1 the dependency loading is a mess. We explicitly shade jline to avoid a schematool dependency problem: + +Exception in thread "main" java.lang.NoSuchMethodError: 'void org.jline.reader.impl.completer.StringsCompleter.(org.jline.reader.Candidate[])' + at sqlline.SqlLineOpts.setOptionCompleters(SqlLineOpts.java:160) + at sqlline.Application.getCommandHandlers(Application.java:294) + at sqlline.SqlLine$Config.(SqlLine.java:1946) + at sqlline.SqlLine.setAppConfig(SqlLine.java:1875) + at sqlline.SqlLine.(SqlLine.java:229) + at org.apache.hadoop.hive.metastore.tools.schematool.MetastoreSchemaTool.execSql(MetastoreSchemaTool.java:313) + +This does not affect versions >= 4.1.x since the non shaded jar is used. +--- + hms-v4/pom.xml | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hms-v4/pom.xml b/hms-v4/pom.xml +index 4ebeac4..b2940ab 100644 +--- a/hms-v4/pom.xml ++++ b/hms-v4/pom.xml +@@ -67,6 +67,12 @@ + + + ++ ++ ++ org.jline ++ com.bosch.bdps.jline ++ ++ + + + diff --git a/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch b/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch deleted file mode 100644 index da928e44e..000000000 --- a/hive/hive-metastore-opa-authorizer/stackable/patches/v1.0.0/0001-Relocate-jline-to-avoid-depedency-mess-with-hive-sch.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From beabf57d974d85eaa0ffbd822e32a59b0781d42b Mon Sep 17 00:00:00 2001 -From: Malte Sander -Date: Mon, 24 Nov 2025 16:37:57 +0100 -Subject: Relocate jline to avoid dependency mess with hive schematool - ---- - hms-v4/pom.xml | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/hms-v4/pom.xml b/hms-v4/pom.xml -index 4ebeac4..942fb94 100644 ---- a/hms-v4/pom.xml -+++ b/hms-v4/pom.xml -@@ -67,6 +67,25 @@ - - - -+ -+ -+ -+ org.jline -+ com.bosch.bdps.jline -+ -+ - - - From d7d4c401b15167bdcdd469a659d4faf2e7b9129c Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Mon, 24 Nov 2025 19:16:37 +0100 Subject: [PATCH 09/21] fix mvn mount cache --- hive/hive-metastore-opa-authorizer/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hive/hive-metastore-opa-authorizer/Dockerfile b/hive/hive-metastore-opa-authorizer/Dockerfile index 6b0c71f1e..dda2ce943 100644 --- a/hive/hive-metastore-opa-authorizer/Dockerfile +++ b/hive/hive-metastore-opa-authorizer/Dockerfile @@ -30,7 +30,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"] # Make expensive maven build a separate layer for better caching # Cache mounts are owned by root by default # We need to explicitly give the uid to use -RUN --mount=type=cache,id=maven-hive-metastore-opa-authorizer-${AUTHORIZER_VERSION},uid=${STACKABLE_USER_UID},target=/stackable/.m2/repository < Date: Tue, 25 Nov 2025 06:39:09 +0100 Subject: [PATCH 10/21] adapted changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e04dce3c5..cc2a9be18 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file. - airflow: Extend list of providers for 3.0.6 ([#1336]) - airflow: Bump celery version to 5.5.3 for Airflow 3.x ([#1343]). +- hive: fixed 4.0.1 shaded hive-metastore-opa-authorizer jar by relocating dependencies ([#1356]). ### Removed 
@@ -22,6 +23,7 @@ All notable changes to this project will be documented in this file. [#1337]: https://github.com/stackabletech/docker-images/pull/1337 [#1343]: https://github.com/stackabletech/docker-images/pull/1343 [#1340]: https://github.com/stackabletech/docker-images/pull/1340 +[#1356]: https://github.com/stackabletech/docker-images/pull/1356 ## [25.11.0] - 2025-11-07 From c8673ade5e782807ed9dae242e7a4cbe947e5efa Mon Sep 17 00:00:00 2001 From: Malte Sander Date: Tue, 25 Nov 2025 10:18:00 +0100 Subject: [PATCH 11/21] readd 4.0.0 --- CHANGELOG.md | 4 -- hive/boil-config.toml | 15 ++++++ hive/hive-metastore-opa-authorizer/Dockerfile | 4 +- .../boil-config.toml | 9 ++++ .../4.0.0/0001-Include-Postgres-driver.patch | 34 ++++++++++++++ .../0002-Include-logging-dependencies.patch | 26 ++++++++++ .../4.0.0/0003-Add-CycloneDX-plugin.patch | 45 ++++++++++++++++++ .../4.0.0/0004-Fix-CVE-2024-36114.patch | 44 +++++++++++++++++ .../4.0.0/0005-Fix-CVE-2024-1597.patch | 47 +++++++++++++++++++ hive/stackable/patches/4.0.0/patchable.toml | 2 + 10 files changed, 224 insertions(+), 6 deletions(-) create mode 100644 hive/stackable/patches/4.0.0/0001-Include-Postgres-driver.patch create mode 100644 hive/stackable/patches/4.0.0/0002-Include-logging-dependencies.patch create mode 100644 hive/stackable/patches/4.0.0/0003-Add-CycloneDX-plugin.patch create mode 100644 hive/stackable/patches/4.0.0/0004-Fix-CVE-2024-36114.patch create mode 100644 hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch create mode 100644 hive/stackable/patches/4.0.0/patchable.toml diff --git a/CHANGELOG.md b/CHANGELOG.md index cc2a9be18..c0c49607b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,10 +15,6 @@ All notable changes to this project will be documented in this file.
 - airflow: Bump celery version to 5.5.3 for Airflow 3.x ([#1343]).
 - hive: fixed 4.0.1 shaded hive-metastore-opa-authorizer jar by relocating dependencies ([#1356]).
-### Removed
-
-- hive: Remove `4.0.0` ([#1340]).
-
 [#1336]: https://github.com/stackabletech/docker-images/pull/1336
 [#1337]: https://github.com/stackabletech/docker-images/pull/1337
 [#1343]: https://github.com/stackabletech/docker-images/pull/1343
diff --git a/hive/boil-config.toml b/hive/boil-config.toml
index f4d4ed316..82952d4d1 100644
--- a/hive/boil-config.toml
+++ b/hive/boil-config.toml
@@ -13,6 +13,21 @@ aws-java-sdk-bundle-version = "1.12.367"
 azure-storage-version = "7.0.1"
 azure-keyvault-core-version = "1.0.0"
+[versions."4.0.0".local-images]
+# Hive 4 must be built with Java 8 (according to GitHub README) but seems to run on Java 11
+java-base = "11"
+java-devel = "8"
+"hadoop/hadoop" = "3.3.6"
+# hive-metastore-opa-authorizer from: https://github.com/boschglobal/hive-metastore-opa-authorizer
+"hive/hive-metastore-opa-authorizer" = "v1.0.0-hive-4.0.0-hadoop-3.3.6"
+
+[versions."4.0.0".build-arguments]
+jmx-exporter-version = "1.3.0"
+# Keep consistent with the dependency from Hadoop: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.3.6
+aws-java-sdk-bundle-version = "1.12.367"
+azure-storage-version = "7.0.1"
+azure-keyvault-core-version = "1.0.0"
+
 [versions."4.0.1".local-images]
 # Hive 4.0 must be built with Java 8 (according to GitHub README) but seems to run on Java 11
 java-base = "11"
diff --git a/hive/hive-metastore-opa-authorizer/Dockerfile b/hive/hive-metastore-opa-authorizer/Dockerfile
index dda2ce943..ea464536a 100644
--- a/hive/hive-metastore-opa-authorizer/Dockerfile
+++ b/hive/hive-metastore-opa-authorizer/Dockerfile
@@ -53,8 +53,8 @@ mvn versions:set -DnewVersion=${AUTHORIZER_VERSION}
 if [[ "${HIVE_VERSION}" == "3.1.3" ]]; then
 mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v3/pom.xml
 mv hms-v3/target/com.bosch.bdps.hms3-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/hms3-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar
-# Hive 4.0.1 only works with the shaded jar
-elif [[ "${HIVE_VERSION}" == "4.0.1" ]]; then
+# Hive 4.0.* only works with the shaded jar
+elif [[ "${HIVE_VERSION}" == "4.0.*" ]]; then
 mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v4/pom.xml
 mv hms-v4/target/com.bosch.bdps.hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar
 # Hive 4.1.0 only works with the non shaded jar
diff --git a/hive/hive-metastore-opa-authorizer/boil-config.toml b/hive/hive-metastore-opa-authorizer/boil-config.toml
index f23915f57..da8507b42 100644
--- a/hive/hive-metastore-opa-authorizer/boil-config.toml
+++ b/hive/hive-metastore-opa-authorizer/boil-config.toml
@@ -7,6 +7,15 @@ authorizer-version = "v1.0.0"
 hive-version = "3.1.3"
 delete-caches = "true"
+[versions."v1.0.0-hive-4.0.0-hadoop-3.3.6".local-images]
+"java-devel" = "11"
+"hadoop/hadoop" = "3.3.6"
+
+[versions."v1.0.0-hive-4.0.0-hadoop-3.3.6".build-arguments]
+authorizer-version = "v1.0.0"
+hive-version = "4.0.0"
+delete-caches = "true"
+
 [versions."v1.0.0-hive-4.0.1-hadoop-3.3.6".local-images]
 "java-devel" = "11"
 "hadoop/hadoop" = "3.3.6"
diff --git a/hive/stackable/patches/4.0.0/0001-Include-Postgres-driver.patch b/hive/stackable/patches/4.0.0/0001-Include-Postgres-driver.patch
new file mode 100644
index 000000000..50675ac24
--- /dev/null
+++ b/hive/stackable/patches/4.0.0/0001-Include-Postgres-driver.patch
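Review bot: `elif [[ "${HIVE_VERSION}" == "4.0.*" ]]; then` quotes the pattern, and inside `[[ ]]` a quoted right-hand side of `==` is compared as a literal string, so neither `4.0.0` nor `4.0.1` matches and both versions fall through to the `else` branch that copies the non-shaded `hms4-${AUTHORIZER_VERSION}.jar`, which the comment says does not work for 4.0.x. Leave the glob unquoted, `elif [[ "${HIVE_VERSION}" == 4.0.* ]]; then`, the same form `hive/Dockerfile` uses for `${PRODUCT_VERSION}`. The `if` chain and its enclosing `RUN` heredoc continue outside the hunk.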
@@ -0,0 +1,34 @@
+From c5eb86648fe96b048723372024fa7278c9e108db Mon Sep 17 00:00:00 2001
+From: Sebastian Bernauer
+Date: Tue, 3 Sep 2024 11:13:24 +0200
+Subject: Include Postgres driver
+
+---
+ standalone-metastore/metastore-server/pom.xml | 1 -
+ standalone-metastore/pom.xml | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/standalone-metastore/metastore-server/pom.xml b/standalone-metastore/metastore-server/pom.xml
+index a8f680928c..7102f1b5ca 100644
+--- a/standalone-metastore/metastore-server/pom.xml
++++ b/standalone-metastore/metastore-server/pom.xml
+@@ -334,7 +334,6 @@
+
+ org.postgresql
+ postgresql
+- true
+
+
+ org.eclipse.jetty
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 28ac5ceb65..e3cbd821bd 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -397,7 +397,6 @@
+ org.postgresql
+ postgresql
+ ${postgres.version}
+- runtime
+
+
+ org.apache.httpcomponents
diff --git a/hive/stackable/patches/4.0.0/0002-Include-logging-dependencies.patch b/hive/stackable/patches/4.0.0/0002-Include-logging-dependencies.patch
new file mode 100644
index 000000000..fc021b1e7
--- /dev/null
+++ b/hive/stackable/patches/4.0.0/0002-Include-logging-dependencies.patch
@@ -0,0 +1,26 @@
+From 69071d4d4525a8ceb27cbefa9a093d0678a1f3dd Mon Sep 17 00:00:00 2001
+From: Lars Francke
+Date: Tue, 13 Aug 2024 13:38:12 +0200
+Subject: Include logging dependencies
+
+This adds dependencies required for use of the XmlLayout for logging
+---
+ standalone-metastore/pom.xml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index e3cbd821bd..205fc31ec7 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -493,6 +493,11 @@
+ com.fasterxml.jackson.core
+ jackson-databind
+
++
++
++ com.fasterxml.jackson.dataformat
++ jackson-dataformat-xml
++
+
+
+
diff --git a/hive/stackable/patches/4.0.0/0003-Add-CycloneDX-plugin.patch b/hive/stackable/patches/4.0.0/0003-Add-CycloneDX-plugin.patch
new file mode 100644
index 000000000..978de7fd3
--- /dev/null
+++ b/hive/stackable/patches/4.0.0/0003-Add-CycloneDX-plugin.patch
@@ -0,0 +1,45 @@
+From 23995b6c1ef70e4e119ce0493e63ff3a75ea1378 Mon Sep 17 00:00:00 2001
+From: Lukas Voetmand
+Date: Fri, 6 Sep 2024 17:53:52 +0200
+Subject: Add CycloneDX plugin
+
+---
+ standalone-metastore/pom.xml | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 205fc31ec7..2982a45ca0 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -41,6 +41,7 @@
+ false
+ ${settings.localRepository}
+ 3.1.0
++ 2.8.0
+ ${basedir}/${standalone.metastore.path.to.root}/checkstyle
+
+ ${project.basedir}/src/test/resources
+@@ -594,6 +595,23 @@
+
+
+
++
++ org.cyclonedx
++ cyclonedx-maven-plugin
++ ${maven.cyclonedx.plugin.version}
++
++ application
++ 1.5
++
++
++
++ package
++
++ makeBom
++
++
++
++
+
+
+
diff --git a/hive/stackable/patches/4.0.0/0004-Fix-CVE-2024-36114.patch b/hive/stackable/patches/4.0.0/0004-Fix-CVE-2024-36114.patch
new file mode 100644
index 000000000..d9d293e75
--- /dev/null
+++ b/hive/stackable/patches/4.0.0/0004-Fix-CVE-2024-36114.patch
@@ -0,0 +1,44 @@
+From 4a85ad5ec7b0dbfb9f2c4524531ae0198a352b3d Mon Sep 17 00:00:00 2001
+From: Malte Sander
+Date: Tue, 12 Nov 2024 11:49:57 +0100
+Subject: Fix CVE-2024-36114
+
+see https://github.com/stackabletech/vulnerabilities/issues/834
+
+Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
+Zstandard compression algorithms to Java. All decompressor
+implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash
+the JVM for certain input, and in some cases also leak the content of
+other memory of the Java process (which could contain sensitive
+information). When decompressing certain data, the decompressors try to
+access memory outside the bounds of the given byte arrays or byte
+buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to
+speed up memory access, no additional bounds checks are performed and
+this has similar security consequences as out-of-bounds access in C or
+C++, namely it can lead to non-deterministic behavior or crash the JVM.
+Users should update to Aircompressor 0.27 or newer where these issues
+have been fixed. When decompressing data from untrusted users, this can
+be exploited for a denial-of-service attack by crashing the JVM, or to
+leak other sensitive information from the Java process. There are no
+known workarounds for this issue.
+---
+ standalone-metastore/pom.xml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 2982a45ca0..cd34884e3b 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -121,6 +121,12 @@
+
+
+
++
++
++ io.airlift
++ aircompressor
++ 0.27
++
+
+ org.apache.orc
+ orc-core
diff --git a/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch b/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch
new file mode 100644
index 000000000..8482057a7
--- /dev/null
+++ b/hive/stackable/patches/4.0.0/0005-Fix-CVE-2024-1597.patch
@@ -0,0 +1,47 @@
+From 85fab788520b73e514e52e0753d36dafdf513e5b Mon Sep 17 00:00:00 2001
+From: Nick Larsen
+Date: Thu, 15 May 2025 14:14:28 +0200
+Subject: Fix CVE-2024-1597
+
+See https://github.com/stackabletech/vulnerabilities/issues/681
+
+pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using
+PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there
+is no vulnerability. A placeholder for a numeric value must be immediately
+preceded by a minus. There must be a second placeholder for a string value after
+the first placeholder; both must be on the same line. By constructing a matching
+string payload, the attacker can inject SQL to alter the query,bypassing the
+protections that parameterized queries bring against SQL Injection attacks.
+Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are
+affected.
+---
+ pom.xml | 2 +-
+ standalone-metastore/pom.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pom.xml b/pom.xml
+index a4dfc8d1e4..699228cba3 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -178,7 +178,7 @@
+ 2.5.0
+ 6.2.1.jre8
+ 8.0.31
+- 42.5.1
++ 42.5.6
+ 21.3.0.0
+ 2.3
+ 1.8.5
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index cd34884e3b..da84c8928e 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -72,7 +72,7 @@
+ 2.5.0
+ 6.2.1.jre8
+ 8.0.31
+- 42.5.1
++ 42.5.6
+ 21.3.0.0
+ 0.1.2
+
diff --git a/hive/stackable/patches/4.0.0/patchable.toml b/hive/stackable/patches/4.0.0/patchable.toml
new file mode 100644
index 000000000..f8bd6ce3f
--- /dev/null
+++ b/hive/stackable/patches/4.0.0/patchable.toml
@@ -0,0 +1,2 @@
+base = "183f8cb41d3dbed961ffd27999876468ff06690c"
+mirror = "https://github.com/stackabletech/hive.git"
From 1d4af7d99d1afd52f7bdc5f69752afa4d40b68f5 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Tue, 25 Nov 2025 11:12:01 +0100
Subject: [PATCH 12/21] readd schematool fix for 4.0.x
---
 hive/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/hive/Dockerfile b/hive/Dockerfile
index 926d577e1..e4661a3e3 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -84,6 +84,9 @@ elif [[ "${PRODUCT_VERSION}" == 4.0.* ]]; then
 # We only seem to get a .tar.gz archive, so let's extract that to the correct location
 tar --extract --directory=/stackable -f standalone-metastore/metastore-server/target/apache-hive-standalone-metastore-server-${NEW_VERSION}-bin.tar.gz
 mv standalone-metastore/metastore-server/target/bom.json /stackable/apache-hive-metastore-${NEW_VERSION}-bin/apache-hive-metastore-${NEW_VERSION}.cdx.json
+
+ # The schemaTool.sh is still pointing to the class location from Hive < 4.0.0, it seems like it was forgotten to update it
+ sed -i -e 's/CLASS=org.apache.hadoop.hive.metastore.tools.MetastoreSchemaTool/CLASS=org.apache.hadoop.hive.metastore.tools.schematool.MetastoreSchemaTool/' /stackable/apache-hive-metastore-${NEW_VERSION}-bin/bin/ext/schemaTool.sh
 )
 else
 # Starting with 4.1.0 the build process changed again in https://github.com/apache/hive/pull/5936 (HIVE-29062)
From f2b1d100a7c10b9c2a5f3c91888bababe4c4a536 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Tue, 25 Nov 2025 11:12:28 +0100
Subject: [PATCH 13/21] adapt condition for 4.0.0
---
 hive/hive-metastore-opa-authorizer/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hive/hive-metastore-opa-authorizer/Dockerfile b/hive/hive-metastore-opa-authorizer/Dockerfile
index ea464536a..e522afaad 100644
--- a/hive/hive-metastore-opa-authorizer/Dockerfile
+++ b/hive/hive-metastore-opa-authorizer/Dockerfile
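Review bot: The re-added `sed -i -e 's/CLASS=...MetastoreSchemaTool/...schematool.MetastoreSchemaTool/'` on schemaTool.sh exits 0 whether or not the pattern matched, so a 4.0.x tarball whose schemaTool.sh spells the class line differently would build cleanly with a still-broken schema tool. Making the expectation explicit costs one line after the substitution: `grep -qF 'CLASS=org.apache.hadoop.hive.metastore.tools.schematool.MetastoreSchemaTool' /stackable/apache-hive-metastore-${NEW_VERSION}-bin/bin/ext/schemaTool.sh || exit 1` (the `|| exit 1` fails the layer regardless of whether the surrounding heredoc runs with `set -e`, which is not visible from this hunk). The `# TODO: Remove once the fix https://github.com/apache/hive/pull/5419 is merged and released` comment that [PATCH 01/21] dropped together with this block is only restored in [PATCH 18/21]; restoring it here keeps the workaround's exit condition next to the code at every point in the series.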
@@ -54,10 +54,10 @@ if [[ "${HIVE_VERSION}" == "3.1.3" ]]; then
 mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v3/pom.xml
 mv hms-v3/target/com.bosch.bdps.hms3-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/hms3-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar
 # Hive 4.0.* only works with the shaded jar
-elif [[ "${HIVE_VERSION}" == "4.0.*" ]]; then
+elif [[ "${HIVE_VERSION}" == 4.0.* ]]; then
 mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v4/pom.xml
 mv hms-v4/target/com.bosch.bdps.hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar
-# Hive 4.1.0 only works with the non shaded jar
+# Hive > 4.0.x only works with the non shaded jar
 else
 mvn clean package -DskipTests -Dhive.version=${HIVE_VERSION} -Dhadoop.version=${HADOOP_VERSION} -f hms-v4/pom.xml
 mv hms-v4/target/hms4-${AUTHORIZER_VERSION}.jar /stackable/opa-authorizer-bin/hms4-${HIVE_VERSION}-${HADOOP_VERSION}-${AUTHORIZER_VERSION}.jar
From 93e8b501e96a216f552e385c44a7d97af2f81de8 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Tue, 25 Nov 2025 11:32:52 +0100
Subject: [PATCH 14/21] add 4.2.0
---
 hive/boil-config.toml | 17 ++++++++++
 .../boil-config.toml | 9 +++++
 .../4.2.0/0001-Include-Postgres-driver.patch | 34 +++++++++++++++++++
 .../0002-Include-logging-dependencies.patch | 25 ++++++++++++++
 .../4.2.0/0003-Fix-CVE-2024-36114.patch | 26 ++++++++++++++
 hive/stackable/patches/4.2.0/patchable.toml | 2 ++
 6 files changed, 113 insertions(+)
 create mode 100644 hive/stackable/patches/4.2.0/0001-Include-Postgres-driver.patch
 create mode 100644 hive/stackable/patches/4.2.0/0002-Include-logging-dependencies.patch
 create mode 100644 hive/stackable/patches/4.2.0/0003-Fix-CVE-2024-36114.patch
 create mode 100644 hive/stackable/patches/4.2.0/patchable.toml
diff --git a/hive/boil-config.toml b/hive/boil-config.toml
index 82952d4d1..a216f20e7 100644
--- a/hive/boil-config.toml
+++ b/hive/boil-config.toml
@@ -59,3 +59,20 @@ aws-java-sdk-bundle-version = "2.29.52"
 azure-storage-version = "7.0.1"
 # Keep consistent with the dependency from azure-storage: https://mvnrepository.com/artifact/com.microsoft.azure/azure-storage/7.0.1
 azure-keyvault-core-version = "1.0.0"
+
+[versions."4.2.0".local-images]
+# Hive 4.2 requires Java 21 (according to GitHub README)
+java-base = "21"
+java-devel = "21"
+"hadoop/hadoop" = "3.4.2"
+# hive-metastore-opa-authorizer from: https://github.com/boschglobal/hive-metastore-opa-authorizer
+"hive/hive-metastore-opa-authorizer" = "v1.0.0-hive-4.2.0-hadoop-3.4.2"
+
+[versions."4.2.0".build-arguments]
+jmx-exporter-version = "1.3.0"
+# Keep consistent with the dependency from hadoop-aws: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-aws/3.4.2 TODO: CHECK!
+aws-java-sdk-bundle-version = "2.29.52"
+# Keep consistent with the dependency from hadoop-azure: https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-azure/3.4.2 TODO: CHECK!
+azure-storage-version = "7.0.1"
+# Keep consistent with the dependency from azure-storage: https://mvnrepository.com/artifact/com.microsoft.azure/azure-storage/7.0.1 TODO: CHECK!
+azure-keyvault-core-version = "1.0.0"
diff --git a/hive/hive-metastore-opa-authorizer/boil-config.toml b/hive/hive-metastore-opa-authorizer/boil-config.toml
index da8507b42..a2eb55fcd 100644
--- a/hive/hive-metastore-opa-authorizer/boil-config.toml
+++ b/hive/hive-metastore-opa-authorizer/boil-config.toml
@@ -33,3 +33,12 @@ delete-caches = "true"
 authorizer-version = "v1.0.0"
 hive-version = "4.1.0"
 delete-caches = "true"
+
+[versions."v1.0.0-hive-4.2.0-hadoop-3.4.2".local-images]
+"java-devel" = "21"
+"hadoop/hadoop" = "3.4.2"
+
+[versions."v1.0.0-hive-4.2.0-hadoop-3.4.2".build-arguments]
+authorizer-version = "v1.0.0"
+hive-version = "4.2.0"
+delete-caches = "true"
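Review bot: The three `TODO: CHECK!` markers in the new `[versions."4.2.0".build-arguments]` section leave aws-java-sdk-bundle-version, azure-storage-version and azure-keyvault-core-version as unverified copies of the values the preceding section (visible as context) pins, while the comments claim they are kept consistent with hadoop-aws/hadoop-azure 3.4.2. These pins decide which cloud SDK builds land in the image, so a mismatch against the 3.4.2 poms is a runtime and dependency-hygiene question rather than a cosmetic one. Resolve the three TODOs before merge, or at least move the open question into the commit message so the config file does not ship comments that contradict their own `Keep consistent with` wording.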
diff --git a/hive/stackable/patches/4.2.0/0001-Include-Postgres-driver.patch b/hive/stackable/patches/4.2.0/0001-Include-Postgres-driver.patch
new file mode 100644
index 000000000..91fd4c179
--- /dev/null
+++ b/hive/stackable/patches/4.2.0/0001-Include-Postgres-driver.patch
@@ -0,0 +1,34 @@
+From f7913f5ee840dc277301fcb0f18e04be7849ab5c Mon Sep 17 00:00:00 2001
+From: Malte Sander
+Date: Tue, 25 Nov 2025 11:29:03 +0100
+Subject: Include Postgres driver
+
+---
+ standalone-metastore/metastore-server/pom.xml | 1 -
+ standalone-metastore/pom.xml | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/standalone-metastore/metastore-server/pom.xml b/standalone-metastore/metastore-server/pom.xml
+index fa2418f205..0e24b3ebc9 100644
+--- a/standalone-metastore/metastore-server/pom.xml
++++ b/standalone-metastore/metastore-server/pom.xml
+@@ -338,7 +338,6 @@
+
+ org.postgresql
+ postgresql
+- true
+
+
+ org.eclipse.jetty
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index bd6f2227b6..0bf9d09c0b 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -435,7 +435,6 @@
+ org.postgresql
+ postgresql
+ ${postgres.version}
+- runtime
+
+
+ org.apache.httpcomponents
diff --git a/hive/stackable/patches/4.2.0/0002-Include-logging-dependencies.patch b/hive/stackable/patches/4.2.0/0002-Include-logging-dependencies.patch
new file mode 100644
index 000000000..0973fa336
--- /dev/null
+++ b/hive/stackable/patches/4.2.0/0002-Include-logging-dependencies.patch
@@ -0,0 +1,25 @@
+From 8a74bc78eb3ed664e698dd41be25107a495a018e Mon Sep 17 00:00:00 2001
+From: Malte Sander
+Date: Tue, 25 Nov 2025 11:30:24 +0100
+Subject: Include logging dependencies
+
+---
+ standalone-metastore/pom.xml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 0bf9d09c0b..40bd4fcd83 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -582,6 +582,11 @@
+ com.fasterxml.jackson.core
+ jackson-databind
+
++
++
++ com.fasterxml.jackson.dataformat
++ jackson-dataformat-xml
++
+
+
+
diff --git a/hive/stackable/patches/4.2.0/0003-Fix-CVE-2024-36114.patch b/hive/stackable/patches/4.2.0/0003-Fix-CVE-2024-36114.patch
new file mode 100644
index 000000000..940e5a50e
--- /dev/null
+++ b/hive/stackable/patches/4.2.0/0003-Fix-CVE-2024-36114.patch
@@ -0,0 +1,26 @@
+From 4095defdcf9e049dfa5a7c9b279760ea30615465 Mon Sep 17 00:00:00 2001
+From: Malte Sander
+Date: Tue, 25 Nov 2025 11:31:34 +0100
+Subject: Fix CVE-2024-36114
+
+---
+ standalone-metastore/pom.xml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 40bd4fcd83..34eb45fb96 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -157,6 +157,12 @@
+ ${netty.version}
+ linux-x86_64
+
++
++
++ io.airlift
++ aircompressor
++ 0.27
++
+
+ org.apache.orc
+ orc-core
diff --git a/hive/stackable/patches/4.2.0/patchable.toml b/hive/stackable/patches/4.2.0/patchable.toml
new file mode 100644
index 000000000..dad9b8958
--- /dev/null
+++ b/hive/stackable/patches/4.2.0/patchable.toml
@@ -0,0 +1,2 @@
+mirror = "https://github.com/stackabletech/hive.git"
+base = "cb06ad72d609e51b6a3a38ccb120e34b4281067c"
From cc386715949d8db4948cbdb8a03c990ee8cab311 Mon Sep 17 00:00:00 2001
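Review bot: The 4.2.0 patch set carries counterparts to the 4.0.0 patches for the Postgres driver, the logging dependencies and CVE-2024-36114, but none for 4.0.0's 0005-Fix-CVE-2024-1597.patch (the pgjdbc bump to 42.5.6). That may be deliberate if the Hive 4.2.0 base commit already pins a pgjdbc release outside the affected ranges listed in that patch's description, but nothing in this series records it; confirming the `postgres.version` at the 4.2.0 base and stating the outcome in the commit message would make the omission visibly intentional. Separately, the new 0003-Fix-CVE-2024-36114.patch has an empty description where the 4.0.0 version carries the advisory text and the `see https://github.com/stackabletech/vulnerabilities/issues/834` reference; copying at least that reference line keeps the provenance of the aircompressor 0.27 pin traceable from the patch itself.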
From: Malte Sander
Date: Tue, 25 Nov 2025 11:56:23 +0100
Subject: [PATCH 15/21] linter & changelog
---
 CHANGELOG.md | 1 +
 hive/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0c49607b..4bdf74810 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
 - superset: Add 6.0.0-rc2 ([#1337]).
 - hive: Build [hive-metastore-opa-authorizer](https://github.com/boschglobal/hive-metastore-opa-authorizer) from source and add to image ([#1340]).
+- hive: Add `4.2.0` ([#1356]).
 ### Changed
diff --git a/hive/Dockerfile b/hive/Dockerfile
index e4661a3e3..736b1cd71 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -84,7 +84,7 @@ elif [[ "${PRODUCT_VERSION}" == 4.0.* ]]; then
 # We only seem to get a .tar.gz archive, so let's extract that to the correct location
 tar --extract --directory=/stackable -f standalone-metastore/metastore-server/target/apache-hive-standalone-metastore-server-${NEW_VERSION}-bin.tar.gz
 mv standalone-metastore/metastore-server/target/bom.json /stackable/apache-hive-metastore-${NEW_VERSION}-bin/apache-hive-metastore-${NEW_VERSION}.cdx.json
-
+
 # The schemaTool.sh is still pointing to the class location from Hive < 4.0.0, it seems like it was forgotten to update it
 sed -i -e 's/CLASS=org.apache.hadoop.hive.metastore.tools.MetastoreSchemaTool/CLASS=org.apache.hadoop.hive.metastore.tools.schematool.MetastoreSchemaTool/' /stackable/apache-hive-metastore-${NEW_VERSION}-bin/bin/ext/schemaTool.sh
 )
From 1e32fde4e0a5f2ab10ccd4e0a6d8de807a33268b Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Tue, 25 Nov 2025 14:47:18 +0100
Subject: [PATCH 16/21] add set -e to hive build
---
 hive/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hive/Dockerfile b/hive/Dockerfile
index 736b1cd71..30b2f60da 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -53,6 +53,8 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # Cache mounts are owned by root by default
 # We need to explicitly give the uid to use
 RUN --mount=type=cache,id=maven-hive-${PRODUCT_VERSION},uid=${STACKABLE_USER_UID},target=/stackable/.m2/repository < Date: Tue, 25 Nov 2025 14:47:40 +0100
Subject: [PATCH 17/21] add http5 client to standalone-metastore for REST Catalog
---
 ...ts.core5-to-hive-standalone-metastor.patch | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 hive/stackable/patches/4.2.0/0004-Add-httpcomponents.core5-to-hive-standalone-metastor.patch
diff --git a/hive/stackable/patches/4.2.0/0004-Add-httpcomponents.core5-to-hive-standalone-metastor.patch b/hive/stackable/patches/4.2.0/0004-Add-httpcomponents.core5-to-hive-standalone-metastor.patch
new file mode 100644
index 000000000..859383c6d
--- /dev/null
+++ b/hive/stackable/patches/4.2.0/0004-Add-httpcomponents.core5-to-hive-standalone-metastor.patch
@@ -0,0 +1,40 @@
+From 897f67b3bd6f200affe80423a37c7de202f13782 Mon Sep 17 00:00:00 2001
+From: Malte Sander
+Date: Tue, 25 Nov 2025 14:44:35 +0100
+Subject: Add httpcomponents.core5 to hive-standalone-metastore
+
+Required for the REST Catalog.
+---
+ standalone-metastore/metastore-rest-catalog/pom.xml | 5 +++++
+ standalone-metastore/pom.xml | 2 ++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/standalone-metastore/metastore-rest-catalog/pom.xml b/standalone-metastore/metastore-rest-catalog/pom.xml
+index c1692e7ba2..ad6cecb535 100644
+--- a/standalone-metastore/metastore-rest-catalog/pom.xml
++++ b/standalone-metastore/metastore-rest-catalog/pom.xml
+@@ -26,6 +26,11 @@
+ 1.9.1
+
+
++
++ org.apache.httpcomponents.core5
++ httpcore5
++ ${httpcomponents5.core.version}
++
+
+ org.apache.hive
+ hive-standalone-metastore-server
+diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
+index 34eb45fb96..94b883b801 100644
+--- a/standalone-metastore/pom.xml
++++ b/standalone-metastore/pom.xml
+@@ -117,6 +117,8 @@
+ 1.7.30
+ 4.4.13
+ 4.5.13
++
++ 5.3.1
+ 4.5.8
+ 11.28
+ 9.4.57.v20241219
From 5166ddaba17946c0ce6db3283e84cf5b1b3fe771 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Tue, 25 Nov 2025 15:55:56 +0100
Subject: [PATCH 18/21] readd schematool todo
---
 hive/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hive/Dockerfile b/hive/Dockerfile
index 30b2f60da..741755118 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -86,7 +86,7 @@ elif [[ "${PRODUCT_VERSION}" == 4.0.* ]]; then
 # We only seem to get a .tar.gz archive, so let's extract that to the correct location
 tar --extract --directory=/stackable -f standalone-metastore/metastore-server/target/apache-hive-standalone-metastore-server-${NEW_VERSION}-bin.tar.gz
 mv standalone-metastore/metastore-server/target/bom.json /stackable/apache-hive-metastore-${NEW_VERSION}-bin/apache-hive-metastore-${NEW_VERSION}.cdx.json
-
+ # TODO: Remove once the fix https://github.com/apache/hive/pull/5419 is merged and released
 # The schemaTool.sh is still pointing to the class location from Hive < 4.0.0, it seems like it was forgotten to update it
 sed -i -e 's/CLASS=org.apache.hadoop.hive.metastore.tools.MetastoreSchemaTool/CLASS=org.apache.hadoop.hive.metastore.tools.schematool.MetastoreSchemaTool/' /stackable/apache-hive-metastore-${NEW_VERSION}-bin/bin/ext/schemaTool.sh
 )
From 086da0f1e57312e0b0b9fe2c92257ac7527aa3a1 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Mon, 1 Dec 2025 14:02:42 +0100
Subject: [PATCH 19/21] fix changelog
---
 CHANGELOG.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba9584caf..c6085a0a5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,7 +19,6 @@ All notable changes to this project will be documented in this file.
 ### Removed
-- hive: Remove `4.0.0` ([#1340]).
 - opensearch: Remove the `performance-analyzer` plugin from the OpenSearch image ([#1357]).
 [#1336]: https://github.com/stackabletech/docker-images/pull/1336
From 82031ab51fedccc89bcf0001e05377c4f8050623 Mon Sep 17 00:00:00 2001
From: Malte Sander
Date: Mon, 1 Dec 2025 14:20:50 +0100
Subject: [PATCH 20/21] remove SHELL and set -e
---
 .hadolint.yaml | 12 ++++++++++++
 hive/Dockerfile | 6 ------
 hive/hive-metastore-opa-authorizer/Dockerfile | 5 -----
 3 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/.hadolint.yaml b/.hadolint.yaml
index c7198bbde..6c9c6d1d4 100644
--- a/.hadolint.yaml
+++ b/.hadolint.yaml
@@ -58,6 +58,18 @@ ignored:
 # sets the default shell to Bash where [[ ]] is defined.
 - SC3010
+ # In POSIX sh, == in place of = is undefined.
+ # https://www.shellcheck.net/wiki/SC3014
+ # Reason: == is used for equality comparison in C-like languages,
+ # and is also supported by bash and ksh in [ .. ] and test expressions.
+ - SC3014
+
+ # In POSIX sh, =~ regex matching is undefined.
+ # https://www.shellcheck.net/wiki/SC3015
+ # Reason: You are using =~ in a script declared to be compatible with POSIX sh or Dash,
+ # but =~ is not specified by POSIX and is unlikely to work outside [[ ]] in Bash and Ksh.
+ - SC3015
+
 # In POSIX sh, string replacement is undefined.
 # https://www.shellcheck.net/wiki/SC3060
 # Reason: Ignoring because we inherit SHELL from the base image which
diff --git a/hive/Dockerfile b/hive/Dockerfile
index 741755118..cf114407b 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -45,16 +45,10 @@ ENV NEW_VERSION="${PRODUCT_VERSION}-stackable${RELEASE_VERSION}"
 # thus taking a bit (which is annoying while development)
 RUN /stackable/patchable --images-repo-root=src checkout hive ${PRODUCT_VERSION} > /tmp/HIVE_SOURCE_DIR
-# Use bash for regex machting, otherwise docker lint is complaining:
-# hive/Dockerfile:51 SC3014 warning: In POSIX sh, == in place of = is undefined.
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
 # Make expensive maven build a separate layer for better caching
 # Cache mounts are owned by root by default
 # We need to explicitly give the uid to use
 RUN --mount=type=cache,id=maven-hive-${PRODUCT_VERSION},uid=${STACKABLE_USER_UID},target=/stackable/.m2/repository < Date: Mon, 1 Dec 2025 14:32:18 +0100
Subject: [PATCH 21/21] fix SC3014 and SC3015 reason
---
 .hadolint.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.hadolint.yaml b/.hadolint.yaml
index 6c9c6d1d4..047399557 100644
--- a/.hadolint.yaml
+++ b/.hadolint.yaml
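Review bot: Removing `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` leaves the `RUN --mount=...` heredoc below it running under whatever SHELL the base image sets, and per the subject line the `set -e` inside that heredoc goes as well; the remainder of this hunk is not visible here, so the heredoc body cannot be checked. The new hadolint reasons say the inherited SHELL is bash, but nothing on the page shows that it also enables `-e` and `-o pipefail`, and without those a failing `mvn`, `tar` or `sed` step inside the heredoc would not fail the layer. If the base image does set them, record the assumption where the next reader will look, e.g. above the RUN: `# Bash with -e and -o pipefail is inherited from the base image's SHELL; do not re-add SHELL or set -e here`; if it does not, the options need to stay, either via SHELL or as the heredoc's first line. The same reliance on the base image is what the reworded SC3014/SC3015 reasons in the [PATCH 21/21] hunk assert, so the answer should be recorded in both places consistently.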
@@ -60,14 +60,12 @@ ignored:
 # In POSIX sh, == in place of = is undefined.
 # https://www.shellcheck.net/wiki/SC3014
- # Reason: == is used for equality comparison in C-like languages,
- # and is also supported by bash and ksh in [ .. ] and test expressions.
+ # Reason: Ignoring because we inherit SHELL from the base image which sets the default shell to Bash where == is defined
 - SC3014
 # In POSIX sh, =~ regex matching is undefined.
 # https://www.shellcheck.net/wiki/SC3015
- # Reason: You are using =~ in a script declared to be compatible with POSIX sh or Dash,
- # but =~ is not specified by POSIX and is unlikely to work outside [[ ]] in Bash and Ksh.
+ # Reason: Ignoring because we inherit SHELL from the base image which sets the default shell to Bash where =~ regex matching is defined
 - SC3015
 # In POSIX sh, string replacement is undefined.