Fixing high severity CVEs in pinot-adls/pinot-orc/pinot-parquet

[xiangfu0]

1. Upgrade net.minidev:json-smart to version 2.5.0 to fix CVE-2023-1370
2. Upgrade org.wildfly.openssl:wildfly-openssl to version 1.1.3.Final to fix CVE-2020-25644
3. Upgrade org.wildfly.openssl:wildfly-openssl-java to version 1.1.3.Final to fix CVE-2020-25644
4. Explicitly put com.google.protobuf:protobuf-java version 3.25.2 to pinot-orc pom file
5. Explicitly put com.google.protobuf:protobuf-java version 3.25.2 to pinot-parquet pom file

[gortiz]

We should set this in the dependency management section of the root pom. That way it will be enforced for any transitive dependency

[xiangfu0]

It is defined in root pom. However the shading packages another version, so need to explicitly set it here.

[gortiz]

I don't understand why that is happening, but lets merge it as it is suggested here.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 61.57%. Comparing base (59551e4) to head (ea52904).
Report is 67 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master   #12571      +/-   ##
============================================
- Coverage     61.75%   61.57%   -0.18%     
  Complexity      207      207              
============================================
  Files          2436     2451      +15     
  Lines        133233   133732     +499     
  Branches      20636    20704      +68     
============================================
+ Hits          82274    82347      +73     
- Misses        44911    45280     +369     
- Partials       6048     6105      +57     

Flag	Coverage Δ
custom-integration1	<0.01% <ø> (-0.01%)	⬇️
integration	<0.01% <ø> (-0.01%)	⬇️
integration1	<0.01% <ø> (-0.01%)	⬇️
integration2	0.00% <ø> (ø)
java-11	27.64% <ø> (-34.07%)	⬇️
java-21	61.57% <ø> (-0.06%)	⬇️
skip-bytebuffers-false	61.56% <ø> (-0.19%)	⬇️
skip-bytebuffers-true	61.55% <ø> (+33.82%)	⬆️
temurin	61.57% <ø> (-0.18%)	⬇️
unittests	61.57% <ø> (-0.18%)	⬇️
unittests1	46.75% <ø> (-0.14%)	⬇️
unittests2	27.63% <ø> (-0.10%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[gviedma]

@xiangfu0 We have noticed that by overriding the version within this module, this creates a discrepancy in versions relative to any shaded jars (1.0.7.Final in the shaded jar vs 1.1.3.Final here), breaking our internal build. This discrepancy is not ideal as it would be preferable to manage the dependencies centrally from the root pom's dependency management section as suggested by @gortiz This also opens up the door to folks that need to override dependency versions in their builds for compliance reasons.
Given the above, would it be possible to move the version settings to dependencyManagement in the root pom?

[xiangfu0]

#12597