Skip to content

Bump Apache Calcite 1.41.0 -> 1.42.0 (CVE-2026-46718)#5619

Merged
penghuo merged 6 commits into
opensearch-project:mainfrom
ahkcs:deps/bump-calcite-1.42-cve-2026-46718
Jul 14, 2026
Merged

Bump Apache Calcite 1.41.0 -> 1.42.0 (CVE-2026-46718)#5619
penghuo merged 6 commits into
opensearch-project:mainfrom
ahkcs:deps/bump-calcite-1.42-cve-2026-46718

Conversation

@ahkcs

@ahkcs ahkcs commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Description

Apache Calcite versions 1.5.0 through 1.41.x are affected by CVE-2026-46718 (GHSA-c2rv-hwqm-wjpg, CWE-470 — Use of Externally-Controlled Input to Select Classes / unsafe reflection), fixed in 1.42.0.

This PR bumps all Calcite artifacts pinned in this repo to 1.42.0:

Artifact From To
org.apache.calcite:calcite-core 1.41.0 1.42.0
org.apache.calcite:calcite-linq4j 1.41.0 1.42.0
org.apache.calcite:calcite-babel 1.41.0 1.42.0
org.apache.calcite:calcite-testkit (test) 1.41.0 1.42.0

This transitively bumps org.apache.calcite.avatica:avatica-core 1.27.0 → 1.28.0.

Source change

In 1.42.0, RelDataTypeSystemImpl.getMaxNumericPrecision() and getMaxNumericScale() became final and now delegate to getMaxPrecision(DECIMAL) / getMaxScale(DECIMAL) (the direction was reversed from 1.41.0). OpenSearchTypeSystem overrode the now-final pair to keep the Spark-aligned DECIMAL precision/scale of 38, so those values were moved into getMaxPrecision / getMaxScale for the DECIMAL case. Behavior is identical — the base default for getMaxPrecision(DECIMAL) is 19, so the override is required to preserve 38.

Test changes

Calcite 1.42.0 changed how it renders logical plans and generated Spark SQL (query semantics unchanged). 28 PPL Calcite unit tests asserted against hard-coded golden strings and needed updating for the new rendering:

  • Explicit literal type suffixes: 'SALE%''SALE%':VARCHAR
  • Self-reference alias disambiguation: `EMP``EMP0`
  • MAP/ARRAY type spelling in generated Spark SQL: MAP< VARCHAR, VARCHAR ARRAY >MAP< STRING, ARRAY< STRING > >
  • Removal of redundant nested parentheses: (((SELECT ...)))(SELECT ...)
  • Explicit no-op casts in logical plans: $0CAST($0):INTEGER NOT NULL

No PPL queries, assertion structure, row counts, or result values were changed.

Testing

  • ./gradlew :ppl:test --rerun-tasks1978 tests, 0 failures, 0 errors (28 previously-failing golden-string tests now pass)
  • ./gradlew :core:test :opensearch:test :protocol:test — green
  • ./gradlew :core:compileJava :api:compileJava :ppl:compileJava :opensearch:compileJava — green
  • ./gradlew spotlessCheck — green

Related Issues

Addresses CVE-2026-46718 for the SQL plugin.

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • New functionality has javadoc added.
  • New functionality has a user manual doc added.
  • New PPL command checklist all confirmed.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff or -s.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Calcite 1.5.0 through 1.41.x are affected by CVE-2026-46718 (GHSA-c2rv-hwqm-wjpg,
CWE-470 unsafe reflection), fixed in 1.42.0. Bump calcite-core, calcite-linq4j,
calcite-babel, and calcite-testkit to 1.42.0. This transitively bumps
avatica-core 1.27.0 -> 1.28.0.

In 1.42.0, RelDataTypeSystemImpl.getMaxNumericPrecision() and
getMaxNumericScale() became final; they now delegate to
getMaxPrecision(DECIMAL)/getMaxScale(DECIMAL). OpenSearchTypeSystem overrode
the former pair to keep Spark-aligned DECIMAL precision/scale of 38, so move
those values into getMaxPrecision/getMaxScale for the DECIMAL case to preserve
identical behavior.

Update PPL Calcite unit-test golden strings to match 1.42.0's cosmetic plan and
Spark-SQL rendering changes (explicit literal type suffixes, self-reference
alias disambiguation, MAP/ARRAY type spelling, removal of redundant
parentheses, explicit no-op casts). No query semantics change.

Signed-off-by: Kai Huang <ahkcs@amazon.com>
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 7e30a3b.

PathLineSeverityDescription
build.gradle54highNew calcite_version variable introduced, bumping org.apache.calcite artifacts from 1.41.0 to 1.42.0 across multiple subprojects. Dependency version change must be verified for artifact authenticity.
build.gradle165highNew forced dependency resolution added for com.jayway.jsonpath:json-path:2.10.0. Newly pinned transitive dependency version requires verification of artifact authenticity.
build.gradle166highNew forced dependency resolution added for org.jooq:joou-java-6:0.9.5. This artifact was not previously present in the project; the unusual classifier 'java-6' and introduction as a transitive pin warrants verification of artifact authenticity.
core/build.gradle73highDirect dependency com.jayway.jsonpath:json-path upgraded from 2.9.0 to 2.10.0. Dependency version change must be verified for artifact authenticity.

The table above displays the top 10 most important findings.

Total: 4 | Critical: 0 | High: 4 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@ahkcs ahkcs added the infrastructure Changes to infrastructure, testing, CI/CD, pipelines, etc. label Jul 13, 2026
ahkcs added 2 commits July 13, 2026 14:15
Calcite 1.42.0 bumps two of its runtime transitive dependencies:
com.jayway.jsonpath:json-path 2.9.0 -> 2.10.0 and org.jooq:joou-java-6
0.9.4 -> 0.9.5. Modules built under the OpenSearch Gradle plugin's strict
failOnVersionConflict (plugin, doc, integ, security-it, bwc) fail to resolve
because core pinned json-path to 2.9.0 and the old joou 0.9.4 remained in the
tree.

Bump the explicit json-path pin in core to 2.10.0 and force both modules to the
Calcite-1.42.0 versions in the root configurations.all block, alongside the
existing transitive-conflict forces. Verified with the CI unit command
(build -x integTest -x yamlRestTest -x doctest): BUILD SUCCESSFUL, no conflicts.

Signed-off-by: Kai Huang <ahkcs@amazon.com>
Calcite 1.42.0 passes a nullable numeric operand to FROM_UNIXTIME as a
boxed java.lang.Double, so method resolution could not match the
primitive fromUnixTime(double) overload and codegen failed with
NoSuchMethodException. This surfaced as a 500 SQLException on bin span
queries over timestamp fields (e.g. bin @timestamp span=1h).

Box the numeric operand and accept it as Number, mirroring
SecToTimeFunction, so resolution succeeds for both primitive and boxed
inputs.

Signed-off-by: Kai Huang <ahkcs@amazon.com>
@ahkcs

ahkcs commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator Author

CI note: Code-Diff-Analyzer flags are expected for this dependency bump

The Code-Diff-Analyzer check reports 8 high / 0 critical issues. All 8 are the automated diff bot flagging the intended dependency changes in this PR and requesting maintainer verification of artifact authenticity — not code defects:

  • calcite-core 1.41.0 → 1.42.0
  • calcite-linq4j 1.41.0 → 1.42.0
  • calcite-babel 1.41.0 → 1.42.0
  • calcite-testkit 1.41.0 → 1.42.0
  • com.jayway.jsonpath:json-path 2.9.0 → 2.10.0 (Calcite 1.42.0 transitive)
  • forced json-path:2.10.0 and joou-java-6:0.9.5 under strict conflict resolution (both are legitimate transitive requirements of Calcite 1.42.0)

The bot hard-fails at severity ≥ high, so any dependency-bump PR trips it. These artifacts all resolve from Maven Central and are the published upstream Calcite 1.42.0 dependency set. This requires a maintainer acknowledgment rather than a code change.

Follow-up fix in this PR

Added a commit fixing a Calcite 1.42.0 behavioral change: FROM_UNIXTIME now receives a nullable numeric operand boxed as java.lang.Double, which no longer matched the primitive fromUnixTime(double) overload and caused codegen to fail with NoSuchMethodException (surfacing as a 500 on bin ... span=<time> over timestamp fields). The implementor now boxes the operand and accepts Number, mirroring SecToTimeFunction. Verified locally: CalciteBinCommandIT, CalcitePPLBuiltinFunctionsNullIT, and CalcitePPLDateTimeBuiltinFunctionIT all pass.

Same Calcite 1.42.0 boxing change as FROM_UNIXTIME: a nullable numeric
operand (e.g. a BIGINT field) now reaches tostring() boxed as
java.lang.Long, which matched none of the primitive double/int overloads
and failed codegen with NoSuchMethodException (500 SQLException on
tostring(<numeric field>, <format>), e.g. tostring(balance, 'hex')).

Box the numeric operand and resolve to a single Number overload,
preserving BigDecimal precision by passing DECIMAL values through
unchanged. String operands keep their existing path.

Signed-off-by: Kai Huang <ahkcs@amazon.com>
@ahkcs ahkcs force-pushed the deps/bump-calcite-1.42-cve-2026-46718 branch 2 times, most recently from 9c2030c to f5ece7a Compare July 14, 2026 00:02
Calcite 1.42.0 changes cosmetic plan rendering and some cost-based
physical-plan choices. Regenerate the CalciteExplainIT and
CalcitePPLClickBenchIT expected outputs (pushdown and no-pushdown
variants) to match. Changes are limited to expected-output resources:

- String literals now render with a type annotation ('x' -> 'x':VARCHAR).
- Null-check operand references shift with equivalent projection indices
  (IS NOT NULL($t8) -> IS NOT NULL($t11)).
- Anonymous projected columns render with their real alias.
- streamstats reset: the planner now prefers HashJoin/TopK over
  MergeJoin + Sort + Limit. The pushdown request bodies are unchanged
  and CalciteStreamstatsCommandIT result assertions still pass, so
  query semantics are preserved.

Signed-off-by: Kai Huang <ahkcs@amazon.com>
@ahkcs ahkcs force-pushed the deps/bump-calcite-1.42-cve-2026-46718 branch from f5ece7a to 6aad5a3 Compare July 14, 2026 00:36
Comment thread ppl/build.gradle Outdated
testImplementation group: 'org.hamcrest', name: 'hamcrest-library', version: "${hamcrest_version}"
testImplementation group: 'org.mockito', name: 'mockito-core', version: "${mockito_version}"
testImplementation group: 'org.apache.calcite', name: 'calcite-testkit', version: '1.41.0'
testImplementation group: 'org.apache.calcite', name: 'calcite-testkit', version: '1.42.0'

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

define the version in build.gradle in root folder. e.g.

        aws_java_sdk_version = "1.12.651"
        guava_version = "33.3.0-jre"
        resilience4j_version = "1.5.0"
        hamcrest_version = "2.1"
        mockito_version = "5.7.0"
        commons_io_version = "2.14.0"
        commons_text_version = "1.10.0"
        commons_lang3_version = "3.18.0"

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to centralize Calcite dependency version

Signed-off-by: Kai Huang <ahkcs@amazon.com>
@ahkcs ahkcs requested a review from penghuo July 14, 2026 18:34
@penghuo penghuo merged commit 6a07689 into opensearch-project:main Jul 14, 2026
39 of 40 checks passed
@ahkcs ahkcs deleted the deps/bump-calcite-1.42-cve-2026-46718 branch July 14, 2026 20:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

infrastructure Changes to infrastructure, testing, CI/CD, pipelines, etc.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants