
BIGTOP-4096: Fix CVE Vulnerabilities in Hadoop Dependencies: common-compress and common-configuration2 #1259

Open
wants to merge 1 commit into
base: master

Conversation

JiaLiangC
Contributor

Description of PR

fix commons-configuration2 CVE
HADOOP-19123. Update to commons-configuration2 2.10.1 due to CVE #6661
apache/hadoop#6661

fix commons-compress CVE
HADOOP-19114. Upgrade to commons-compress 1.26.1 due to CVEs. #6636
https://github.com/apache/hadoop/pull/6636/files

This PR is to resolve the compilation failure issue caused by the modification of a CVE.
HADOOP-18929. Exclude commons-compress module-info.class #6169
apache/hadoop#6169

This PR aims to solve the inconvenience of having to exclude dependencies every time a modification is made, such as after modifying the two CVEs above, by excluding all of them.
HADOOP-18916. Exclude all module-info classes from uber jars (#6131) #6188
apache/hadoop#6188

This is divided into two patches. The reason why the two CVEs were combined into one patch is that the code merged for the two CVEs is only separated by one line (LicenseBinary). After applying the first patch, the second patch would report a conflict. The modifications for HADOOP-18929 were reverted in HADOOP-18916, which adopted a better implementation, hence HADOOP-18916 is used.

How was this patch tested?

manual test, smoke test

tested on rocky8
./docker-hadoop.sh -d -dcp --create 3 --image bigtop/puppet:trunk-rockylinux-8 --docker-compose-plugin --memory 8g --repo file:///bigtop-home/output --disable-gpg-check --stack hdfs,yarn,mapreduce --smoke-tests hdfs,yarn,mapreduce

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'BIGTOP-3638. Your PR title ...')?
  • Make sure that newly added files do not have any licensing issues. When in doubt refer to https://www.apache.org/licenses/

@JiaLiangC
Contributor Author

@iwasakims @sekikn @guyuqi Could you help review this PR?

@iwasakims
Member

Which CVE is critical?

@iwasakims
Member

We should not mention CVEs of Hadoop dependencies as "Hadoop CVE".

@JiaLiangC
Contributor Author

@iwasakims Apologies for the confusion caused by the PR title; I will make adjustments.
CVE details:

Apache Commons-Configuration2 is vulnerable to a stack overflow vulnerability (CVE-2024-29131).
1.1 Vulnerability Description

Apache Commons Configuration2 is a project in the Apache Commons library that deals with the reading, parsing, and management of configuration files.

A stack overflow vulnerability exists in Apache Commons Configuration2 when adding properties in AbstractListDelimiterHandler.flattenIterator(), which could be exploited by malicious users to obtain sensitive information stored in memory.
1.2 Vulnerability ID
CVE-2024-29131
1.3 Vulnerability Severity
Critical
II. Remediation Suggestions
2.1 Affected Versions
Apache Commons Configuration2 <= 2.10.0
2.2 Remediation Suggestion
Users of the product are advised to update to a secure version as soon as possible.
Apache Commons Configuration2 > 2.10.0
https://commons.apache.org/proper/commons-configuration/security.html

commons-compress CVE:
https://commons.apache.org/proper/commons-compress/security.html
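The description above bumps two dependencies and relies on HADOOP-18916's shade-plugin filter so that the upgraded jars' `module-info.class` entries do not break the uber-jar build, and the comment above quotes the affected-version range for commons-configuration2. The script below is an added example, not code from this PR or from Hadoop: it parses a constructed POM, flags the two dependencies when their resolved version is below the PR's upgrade targets, and reports whether the `maven-shade-plugin` configuration excludes `module-info.class`. The commons-configuration2 bound (2.10.1, i.e. newer than the advisory's "<= 2.10.0") comes from the thread; treating 1.26.1 as the minimum acceptable commons-compress version is an assumption taken from the HADOOP-19114 upgrade target.

```python
"""Added example (not part of the Bigtop PR): check a Maven POM for the two
dependency versions this PR upgrades and for the shade-plugin exclusion of
module-info.class. The POM text below is constructed for the demo."""
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Minimum acceptable versions. commons-configuration2: advisory says <= 2.10.0
# is affected, PR moves to 2.10.1. commons-compress: 1.26.1 is the HADOOP-19114
# upgrade target, used here as the floor (assumption).
MIN_SAFE = {
    ("org.apache.commons", "commons-configuration2"): "2.10.1",
    ("org.apache.commons", "commons-compress"): "1.26.1",
}

# Constructed sample POM: one dependency is still too old, the other is fixed,
# and the shade plugin already carries the module-info.class filter.
CONSTRUCTED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <commons-configuration2.version>2.8.0</commons-configuration2.version>
    <commons-compress.version>1.26.1</commons-compress.version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-configuration2</artifactId>
      <version>${commons-configuration2.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>${commons-compress.version}</version>
    </dependency>
  </dependencies></dependencyManagement>
  <build><plugins><plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-shade-plugin</artifactId>
    <configuration><filters><filter>
      <artifact>*:*</artifact>
      <excludes><exclude>module-info.class</exclude></excludes>
    </filter></filters></configuration>
  </plugin></plugins></build>
</project>"""


def version_key(version):
    """Turn '2.10.1' into (2, 10, 1) so '2.9' compares below '2.10' numerically."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def resolve(version, props):
    """Expand a ${property} reference via the POM's <properties> block."""
    if version.startswith("${") and version.endswith("}"):
        return props.get(version[2:-1], version)
    return version


def scan_pom(pom_text):
    """Return a list of 'group:artifact actual < minimum' findings."""
    root = ET.fromstring(pom_text)
    props = {}
    for block in root.iter(MAVEN_NS + "properties"):
        for prop in block:
            props[prop.tag.replace(MAVEN_NS, "")] = (prop.text or "").strip()
    findings = []
    for dep in root.iter(MAVEN_NS + "dependency"):
        gid = dep.findtext(MAVEN_NS + "groupId", "").strip()
        aid = dep.findtext(MAVEN_NS + "artifactId", "").strip()
        minimum = MIN_SAFE.get((gid, aid))
        if minimum is None:
            continue
        actual = resolve(dep.findtext(MAVEN_NS + "version", "").strip(), props)
        if version_key(actual) < version_key(minimum):
            findings.append(f"{gid}:{aid} {actual} < {minimum}")
    return findings


def shade_excludes_module_info(pom_text):
    """True if a maven-shade-plugin filter excludes module-info.class."""
    root = ET.fromstring(pom_text)
    for plugin in root.iter(MAVEN_NS + "plugin"):
        if plugin.findtext(MAVEN_NS + "artifactId", "").strip() != "maven-shade-plugin":
            continue
        for exc in plugin.iter(MAVEN_NS + "exclude"):
            if (exc.text or "").strip().endswith("module-info.class"):
                return True
    return False


if __name__ == "__main__":
    for line in scan_pom(CONSTRUCTED_POM):
        print("outdated:", line)
    print("shade excludes module-info.class:", shade_excludes_module_info(CONSTRUCTED_POM))
```

Run it against a real `pom.xml` by reading the file into `scan_pom`; versions inherited from a parent POM or set via profiles are not resolved here, so for a multi-module build such as Hadoop's the output of `mvn dependency:tree` is the authoritative list.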

JiaLiangC changed the title from "BIGTOP-4096: Fix Hadoop critical CVE" to "BIGTOP-4096: Fix CVE Vulnerabilities in Hadoop Dependencies: common-compress and common-configuration2" on Apr 23, 2024
@JiaLiangC
Contributor Author

@iwasakims Could you help review this PR?
