Bump Apache Calcite 1.41.0 -> 1.42.0 (CVE-2026-46718)#5619
Conversation
Calcite 1.5.0 through 1.41.x are affected by CVE-2026-46718 (GHSA-c2rv-hwqm-wjpg, CWE-470 unsafe reflection), fixed in 1.42.0. Bump calcite-core, calcite-linq4j, calcite-babel, and calcite-testkit to 1.42.0. This transitively bumps avatica-core 1.27.0 -> 1.28.0. In 1.42.0, RelDataTypeSystemImpl.getMaxNumericPrecision() and getMaxNumericScale() became final; they now delegate to getMaxPrecision(DECIMAL)/getMaxScale(DECIMAL). OpenSearchTypeSystem overrode the former pair to keep Spark-aligned DECIMAL precision/scale of 38, so move those values into getMaxPrecision/getMaxScale for the DECIMAL case to preserve identical behavior. Update PPL Calcite unit-test golden strings to match 1.42.0's cosmetic plan and Spark-SQL rendering changes (explicit literal type suffixes, self-reference alias disambiguation, MAP/ARRAY type spelling, removal of redundant parentheses, explicit no-op casts). No query semantics change. Signed-off-by: Kai Huang <ahkcs@amazon.com>
PR Code Analyzer ❗AI-powered 'Code-Diff-Analyzer' found issues on commit 7e30a3b.
The table above displays the top 10 most important findings. Pull Requests Author(s): Please update your Pull Request according to the report above. Repository Maintainer(s): You can Thanks. |
Calcite 1.42.0 bumps two of its runtime transitive dependencies: com.jayway.jsonpath:json-path 2.9.0 -> 2.10.0 and org.jooq:joou-java-6 0.9.4 -> 0.9.5. Modules built under the OpenSearch Gradle plugin's strict failOnVersionConflict (plugin, doc, integ, security-it, bwc) fail to resolve because core pinned json-path to 2.9.0 and the old joou 0.9.4 remained in the tree. Bump the explicit json-path pin in core to 2.10.0 and force both modules to the Calcite-1.42.0 versions in the root configurations.all block, alongside the existing transitive-conflict forces. Verified with the CI unit command (build -x integTest -x yamlRestTest -x doctest): BUILD SUCCESSFUL, no conflicts. Signed-off-by: Kai Huang <ahkcs@amazon.com>
Calcite 1.42.0 passes a nullable numeric operand to FROM_UNIXTIME as a boxed java.lang.Double, so method resolution could not match the primitive fromUnixTime(double) overload and codegen failed with NoSuchMethodException. This surfaced as a 500 SQLException on bin span queries over timestamp fields (e.g. bin @timestamp span=1h). Box the numeric operand and accept it as Number, mirroring SecToTimeFunction, so resolution succeeds for both primitive and boxed inputs. Signed-off-by: Kai Huang <ahkcs@amazon.com>
CI note:
|
Same Calcite 1.42.0 boxing change as FROM_UNIXTIME: a nullable numeric operand (e.g. a BIGINT field) now reaches tostring() boxed as java.lang.Long, which matched none of the primitive double/int overloads and failed codegen with NoSuchMethodException (500 SQLException on tostring(<numeric field>, <format>), e.g. tostring(balance, 'hex')). Box the numeric operand and resolve to a single Number overload, preserving BigDecimal precision by passing DECIMAL values through unchanged. String operands keep their existing path. Signed-off-by: Kai Huang <ahkcs@amazon.com>
9c2030c to
f5ece7a
Compare
Calcite 1.42.0 changes cosmetic plan rendering and some cost-based
physical-plan choices. Regenerate the CalciteExplainIT and
CalcitePPLClickBenchIT expected outputs (pushdown and no-pushdown
variants) to match. Changes are limited to expected-output resources:
- String literals now render with a type annotation ('x' -> 'x':VARCHAR).
- Null-check operand references shift with equivalent projection indices
(IS NOT NULL($t8) -> IS NOT NULL($t11)).
- Anonymous projected columns render with their real alias.
- streamstats reset: the planner now prefers HashJoin/TopK over
MergeJoin + Sort + Limit. The pushdown request bodies are unchanged
and CalciteStreamstatsCommandIT result assertions still pass, so
query semantics are preserved.
Signed-off-by: Kai Huang <ahkcs@amazon.com>
f5ece7a to
6aad5a3
Compare
| testImplementation group: 'org.hamcrest', name: 'hamcrest-library', version: "${hamcrest_version}" | ||
| testImplementation group: 'org.mockito', name: 'mockito-core', version: "${mockito_version}" | ||
| testImplementation group: 'org.apache.calcite', name: 'calcite-testkit', version: '1.41.0' | ||
| testImplementation group: 'org.apache.calcite', name: 'calcite-testkit', version: '1.42.0' |
There was a problem hiding this comment.
define the version in build.gradle in root folder. e.g.
aws_java_sdk_version = "1.12.651"
guava_version = "33.3.0-jre"
resilience4j_version = "1.5.0"
hamcrest_version = "2.1"
mockito_version = "5.7.0"
commons_io_version = "2.14.0"
commons_text_version = "1.10.0"
commons_lang3_version = "3.18.0"
There was a problem hiding this comment.
Updated to centralize Calcite dependency version
Signed-off-by: Kai Huang <ahkcs@amazon.com>
Description
Apache Calcite versions 1.5.0 through 1.41.x are affected by CVE-2026-46718 (GHSA-c2rv-hwqm-wjpg, CWE-470 — Use of Externally-Controlled Input to Select Classes / unsafe reflection), fixed in 1.42.0.
This PR bumps all Calcite artifacts pinned in this repo to 1.42.0:
org.apache.calcite:calcite-coreorg.apache.calcite:calcite-linq4jorg.apache.calcite:calcite-babelorg.apache.calcite:calcite-testkit(test)This transitively bumps
org.apache.calcite.avatica:avatica-core1.27.0 → 1.28.0.Source change
In 1.42.0,
RelDataTypeSystemImpl.getMaxNumericPrecision()andgetMaxNumericScale()becamefinaland now delegate togetMaxPrecision(DECIMAL)/getMaxScale(DECIMAL)(the direction was reversed from 1.41.0).OpenSearchTypeSystemoverrode the now-final pair to keep the Spark-aligned DECIMAL precision/scale of 38, so those values were moved intogetMaxPrecision/getMaxScalefor theDECIMALcase. Behavior is identical — the base default forgetMaxPrecision(DECIMAL)is 19, so the override is required to preserve 38.Test changes
Calcite 1.42.0 changed how it renders logical plans and generated Spark SQL (query semantics unchanged). 28 PPL Calcite unit tests asserted against hard-coded golden strings and needed updating for the new rendering:
'SALE%'→'SALE%':VARCHAR`EMP`→`EMP0`MAP< VARCHAR, VARCHAR ARRAY >→MAP< STRING, ARRAY< STRING > >(((SELECT ...)))→(SELECT ...)$0→CAST($0):INTEGER NOT NULLNo PPL queries, assertion structure, row counts, or result values were changed.
Testing
./gradlew :ppl:test --rerun-tasks— 1978 tests, 0 failures, 0 errors (28 previously-failing golden-string tests now pass)./gradlew :core:test :opensearch:test :protocol:test— green./gradlew :core:compileJava :api:compileJava :ppl:compileJava :opensearch:compileJava— green./gradlew spotlessCheck— greenRelated Issues
Addresses CVE-2026-46718 for the SQL plugin.
Check List
--signoffor-s.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.