
[DNR] Revert "feat(plugin-pinot): Upgrade Pinot version to 1.3.0 & move off… #13

Closed
tdcmeehan wants to merge 1 commit into master from owasp-test-new-branch

Conversation

@tdcmeehan (Owner)

… of presto-pinot-driver (prestodb#25785)"

This reverts commit 267f823.

Description

Motivation and Context

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with their default values), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.
  • If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* ... 
* ... 

Hive Connector Changes
* ... 
* ... 

If a release note is NOT required, use:

== NO RELEASE NOTE ==

@github-actions

github-actions Bot commented Nov 4, 2025


Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
  • ⚠️ 4 packages with OpenSSF Scorecard issues.
See the Details below.

License Issues

presto-main-base/pom.xml

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| org.apache.lucene:lucene-analyzers-common | Null | | Unknown License |

presto-pinot-toolkit/pom.xml

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| javax.inject:javax.inject | Null | | Unknown License |

OpenSSF Scorecard

Scorecard details (each entry: package, version, overall score, then a per-check table of Check, Score, Reason):
maven/com.clearspring.analytics:stream 2.9.5 ⚠️ 3.8

| Check | Score | Reason |
| --- | --- | --- |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | ⚠️ -1 | no workflows found |
| Code-Review | ⚠️ 2 | Found 5/19 approved changesets -- score normalized to 2 |
| Token-Permissions | ⚠️ -1 | No tokens found |
| Maintained | ⚠️ 0 | project is archived |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Pinned-Dependencies | ⚠️ -1 | no dependencies found |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
maven/com.github.luben:zstd-jni 1.5.2-3 ⚠️ 4.5

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | ⚠️ 3 | Found 8/22 approved changesets -- score normalized to 3 |
| Maintained | 🟢 8 | 4 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 8 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
maven/commons-codec:commons-codec 1.17.1 🟢 8.2

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Code-Review | ⚠️ 0 | Found 0/24 approved changesets -- score normalized to 0 |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Security-Policy | 🟢 10 | security policy file detected |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| SAST | 🟢 10 | SAST tool is run on all commits |
| CI-Tests | 🟢 10 | 6 out of 6 merged PRs checked by a CI test -- score normalized to 10 |
| Contributors | 🟢 10 | project has 81 contributing companies or organizations |
maven/commons-io:commons-io 2.16.1 🟢 7.7

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | ⚠️ 1 | Found 3/24 approved changesets -- score normalized to 1 |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Security-Policy | 🟢 10 | security policy file detected |
| Maintained | 🟢 10 | 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| Packaging | 🟢 10 | packaging workflow detected |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| SAST | 🟢 9 | SAST tool detected but not run on all commits |
| CI-Tests | 🟢 10 | 9 out of 9 merged PRs checked by a CI test -- score normalized to 10 |
| Contributors | 🟢 10 | project has 62 contributing companies or organizations |
maven/org.apache.commons:commons-compress 1.26.2 🟢 8.1

| Check | Score | Reason |
| --- | --- | --- |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Code-Review | ⚠️ 0 | Found 1/14 approved changesets -- score normalized to 0 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Security-Policy | 🟢 10 | security policy file detected |
| Maintained | 🟢 10 | 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 |
| Pinned-Dependencies | 🟢 10 | all dependencies are pinned |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| License | 🟢 10 | license file detected |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| Fuzzing | 🟢 10 | project is fuzzed |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| SAST | 🟢 10 | SAST tool is run on all commits |
| CI-Tests | 🟢 10 | 17 out of 17 merged PRs checked by a CI test -- score normalized to 10 |
| Contributors | 🟢 10 | project has 51 contributing companies or organizations |
maven/org.apache.lucene:lucene-analyzers-common 8.11.3 (score: Unknown; details: Unknown)

maven/org.apache.lucene:lucene-queryparser 8.11.3 🟢 7.2

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | ⚠️ 2 | Found 6/23 approved changesets -- score normalized to 2 |
| Maintained | 🟢 10 | 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 |
| Dangerous-Workflow | ⚠️ 0 | dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| License | 🟢 10 | license file detected |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Security-Policy | 🟢 10 | security policy file detected |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| Fuzzing | 🟢 10 | project is fuzzed |
| Pinned-Dependencies | 🟢 8 | dependency not pinned by hash detected -- score normalized to 8 |
| SAST | 🟢 10 | SAST tool is run on all commits |
maven/org.apache.pinot:presto-pinot-driver 0.11.0 (score: Unknown; details: Unknown)

maven/org.xerial.snappy:snappy-java 1.1.10.4 🟢 5.2

| Check | Score | Reason |
| --- | --- | --- |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Maintained | 🟢 5 | 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Security-Policy | 🟢 10 | security policy file detected |
| Code-Review | 🟢 5 | Found 15/27 approved changesets -- score normalized to 5 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Binary-Artifacts | ⚠️ 0 | binaries present in source code |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| License | 🟢 10 | license file detected |
| Fuzzing | 🟢 10 | project is fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
maven/org.apache.lucene:lucene-analyzers-common (no version) (score: Unknown; details: Unknown)

maven/com.clearspring.analytics:stream (no version) ⚠️ 3.8

| Check | Score | Reason |
| --- | --- | --- |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | ⚠️ -1 | no workflows found |
| Code-Review | ⚠️ 2 | Found 5/19 approved changesets -- score normalized to 2 |
| Token-Permissions | ⚠️ -1 | No tokens found |
| Maintained | ⚠️ 0 | project is archived |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Pinned-Dependencies | ⚠️ -1 | no dependencies found |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
maven/com.tdunning:t-digest 3.2 🟢 5

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 6 | Found 16/24 approved changesets -- score normalized to 6 |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Maintained | ⚠️ 1 | 0 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 1 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |
maven/javax.inject:javax.inject (no version) ⚠️ 2.1

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | ⚠️ 0 | Found 0/30 approved changesets -- score normalized to 0 |
| Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| SAST | ⚠️ 0 | no SAST tool detected |
| Pinned-Dependencies | ⚠️ -1 | no dependencies found |
| Token-Permissions | ⚠️ -1 | No tokens found |
| Dangerous-Workflow | ⚠️ -1 | no workflows found |
| Binary-Artifacts | 🟢 8 | binaries present in source code |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| License | ⚠️ 0 | license file not detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases. |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
maven/org.apache.datasketches:datasketches-java (no version) 🟢 8.5

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Code-Review | 🟢 10 | all changesets reviewed |
| Token-Permissions | ⚠️ -1 | No tokens found |
| Dangerous-Workflow | ⚠️ -1 | no workflows found |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| License | 🟢 10 | license file detected |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 10 | security policy file detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Pinned-Dependencies | ⚠️ -1 | no dependencies found |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| SAST | 🟢 10 | SAST tool is run on all commits |
maven/org.apache.pinot:presto-pinot-driver (no version) (score: Unknown; details: Unknown)

maven/org.roaringbitmap:RoaringBitmap (no version) 🟢 6.9

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 5 | Found 14/25 approved changesets -- score normalized to 5 |
| Maintained | 🟢 10 | 25 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected |
| License | 🟢 10 | license file detected |
| Fuzzing | 🟢 10 | project is fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Packaging | 🟢 10 | packaging workflow detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| SAST | 🟢 9 | SAST tool detected but not run on all commits |

Scanned Files

  • pom.xml
  • presto-main-base/pom.xml
  • presto-pinot-toolkit/pom.xml
  • presto-pinot/pom.xml

tdcmeehan force-pushed the owasp-test-new-branch branch from a76af92 to 5bdd3ac on November 5, 2025 02:07
tdcmeehan added a commit to prestodb/presto that referenced this pull request Nov 6, 2025
## Description
Don't use trunk, because if a vulnerability fix has been merged, this
requires PRs to rebase. Instead, try to find a merge base where possible
and use that as the reference point to ensure no new vulnerabilities are
being introduced by a PR.

## Motivation and Context
Recent OWASP job failures

## Impact
Fewer false positives from the OWASP job

## Test Plan
Old commit without newer security vulnerability fixes doesn't trigger
OWASP failure anymore: tdcmeehan#12
Previous vulnerability detection continues to work:
tdcmeehan#13

## Contributor checklist

- [ ] Please make sure your submission complies with our [contributing
guide](https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md),
in particular [code
style](https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md#code-style)
and [commit
standards](https://github.com/prestodb/presto/blob/master/CONTRIBUTING.md#commit-standards).
- [ ] PR description addresses the issue accurately and concisely. If
the change is non-trivial, a GitHub Issue is referenced.
- [ ] Documented new properties (with their default values), SQL syntax,
functions, or other functionality.
- [ ] If release notes are required, they follow the [release notes
guidelines](https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines).
- [ ] Adequate tests were added if applicable.
- [ ] CI passed.
- [ ] If adding new dependencies, verified they have an [OpenSSF
Scorecard](https://securityscorecards.dev/#the-checks) score of 5.0 or
higher (or obtained explicit TSC approval for lower scores).

## Release Notes

```
== NO RELEASE NOTE ==
```
tdcmeehan closed this Nov 6, 2025
tdcmeehan pushed a commit that referenced this pull request Feb 8, 2026
New issues:
- #13: Cost model assumes local NVMe, invalid for S3/HDFS (0.3s becomes 5-30s)
- #14: Parquet BF section is 115-line dead end, should be condensed
- #15: Duplicate section numbering (two "Section 6" headers)
- prestodb#16: Superlinear join efficiency claims lack citations
- prestodb#17: CTE materialization cost missing from quantitative cost model
- prestodb#18: Reduced hash table may still exceed VRAM — fallback composition unclear

Updated existing issues: #1,#3 remaining gaps noted, #2 now worse (more
occurrences), #7 partially addressed. 12 open issues total.

https://claude.ai/code/session_01SAXk4AS8yQyQkhRVi6RQie
tdcmeehan pushed a commit that referenced this pull request Feb 8, 2026
RPT overhead is higher on remote storage (1-4s vs 0.3s for local NVMe), but
RPT's value scales proportionally — savings also grow with slower storage.
Net speedup ratio (~3.5x with 90% selectivity) is roughly constant across
storage tiers. Add per-tier cost tables, storage-aware RPT skip threshold,
and note that GPU instances have 400-3200 Gbps S3 bandwidth (far higher
than CPU instances).

https://claude.ai/code/session_01SAXk4AS8yQyQkhRVi6RQie
tdcmeehan pushed a commit that referenced this pull request Feb 8, 2026
Issue #13: multi-tier storage cost model added to main doc. RPT speedup ratio
is roughly constant across storage tiers (~3.5x). Remaining gap: S3 monetary
cost not modeled.

Issue #14: Section condensed from 115 to 18 lines, detailed analysis moved to
companion doc. Open Question 10 removed as moot.

10 open issues remain.

https://claude.ai/code/session_01SAXk4AS8yQyQkhRVi6RQie