@guptas6est
Contributor

Motivation

This PR updates the Pulsar IO HBase module to remove vulnerable transitive dependencies introduced by Apache Avro. Older Avro versions brought into the project were affected by security issues related to schema parsing and unsafe deserialization.

Vulnerabilities addressed include:

Excluding Avro from the HBase client and updating the HBase version ensures a safer and cleaner dependency tree.

Modifications

This PR introduces two changes:

  • hbase.version raised from 2.6.0-hadoop3 → 2.6.3-hadoop3

  • Excluded avro from hbase-client

Verifying this change

  • Make sure that the change passes the CI checks.


Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository: Nordix#12
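The two modifications listed above, shown as an added Maven fragment for illustration. This is not the PR's own diff: the `hbase.version` property values and the `hbase-client` / `avro` coordinates follow the description, while the placement in the Pulsar IO HBase module's `pom.xml` is an assumption.

```xml
<!-- Added example (not the PR's diff): property bump plus a transitive
     exclusion of Avro from hbase-client, as the PR description outlines.
     File location assumed to be the Pulsar IO HBase module's pom.xml. -->
<properties>
  <!-- raised from 2.6.0-hadoop3 in this PR -->
  <hbase.version>2.6.3-hadoop3</hbase.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.apache.hbase</groupId>
    <artifactId>hbase-client</artifactId>
    <version>${hbase.version}</version>
    <exclusions>
      <!-- Keep the transitive Avro jar out of the connector's classpath;
           the older Avro releases it pulled in carried the schema-parsing
           and deserialization issues the PR description refers to. -->
      <exclusion>
        <groupId>org.apache.avro</groupId>
        <artifactId>avro</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

To confirm the exclusion took effect, run `mvn dependency:tree -Dincludes=org.apache.avro` in the module: an empty result means no other path still drags Avro in, while any remaining entry points at the dependency that needs its own exclusion. Excluding a transitive artifact only removes the jar, not any runtime reference to its classes, so a code path inside hbase-client that still touched Avro would surface as a `NoClassDefFoundError` at runtime rather than at build time; that is the reason the CI and integration checks, not the compile step, are what validate a change like this.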

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Nov 6, 2025
@guptas6est
Contributor Author

/pulsarbot rerun-failure-checks

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.27%. Comparing base (7c343d0) to head (2cb96ed).

@@             Coverage Diff              @@
##             master   #24953      +/-   ##
============================================
+ Coverage     74.00%   74.27%   +0.26%     
+ Complexity    33911    33520     -391     
============================================
  Files          1886     1913      +27     
  Lines        149057   149510     +453     
  Branches      17326    17373      +47     
============================================
+ Hits         110312   111046     +734     
+ Misses        29934    29603     -331     
- Partials       8811     8861      +50     
Flag        Coverage Δ
inttests    26.14% <ø> (-0.16%) ⬇️
systests    22.77% <ø> (?)
unittests   73.79% <ø> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown.
178 files have indirect coverage changes.

@lhotari lhotari added this to the 4.2.0 milestone Nov 6, 2025
@lhotari lhotari merged commit 34b3654 into apache:master Nov 6, 2025
99 of 102 checks passed
lhotari pushed a commit that referenced this pull request Nov 11, 2025
…m hbase-client to remediate CVEs (#24953)

(cherry picked from commit 34b3654)
lhotari pushed a commit that referenced this pull request Nov 11, 2025
…m hbase-client to remediate CVEs (#24953)

(cherry picked from commit 34b3654)
manas-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 13, 2025
…m hbase-client to remediate CVEs (apache#24953)

(cherry picked from commit 34b3654)
(cherry picked from commit 62ccca2)
srinath-ctds pushed a commit to datastax/pulsar that referenced this pull request Nov 14, 2025
…m hbase-client to remediate CVEs (apache#24953)

(cherry picked from commit 34b3654)
(cherry picked from commit 62ccca2)