GH-40515: [Java] Bump org.apache.maven dependencies from 3.3.9 to 3.8.7

[ianmcook]

• Updates the Maven version required in /java/maven/module-info-compiler-maven-plugin to 3.8.7 which addresses vulnerabilities identified by https://deps.dev/maven/org.apache.maven%3Amaven-core/3.3.9.
• Updates .env to use Maven version 3.8.7.
• Bumps older versions of Maven to 3.8.7 in ci/docker/*.dockerfile
• Updates the release verification instructions to say that Maven 3.8.7 is required.

---

• GitHub Issue: [Java] Bump org.apache.maven dependencies from 3.3.9 to 3.8.7 #40515

[ianmcook]

@vibhatha could you take a look at this please? I'm not sure if this will work or what else we need to do.

[kou]

It seems that we have more places that refer Maven version. For example:

arrow/.env

Line 68 in bd3fab4

MAVEN=3.6.3

So this may not be a MINOR change. Could you open an issue for this?

[github-actions]

⚠️ GitHub issue #40515 has been automatically assigned in GitHub to PR creator.

[ianmcook]

Could you open an issue for this?

#40515

[lidavidm]

 > [2/2] RUN mamba install -q -y         maven=3.8.8         openjdk=11         jpype1 &&     mamba clean --all:
11.63 Could not solve for environment specs
11.63 The following package could not be installed
11.63 └─ maven 3.8.8**  does not exist (perhaps a typo or a missing channel).

I think you'll also have to pick a version of Maven in conda-forge

[lidavidm]

lidavidm@debian ~> mamba repoquery search 'maven'                                                                                                                                                                
 Name  Version Build      Channel             
───────────────────────────────────────────────
 maven 3.9.6   ha770c72_0 conda-forge/linux-64
 maven 3.9.5   ha770c72_0 conda-forge/linux-64
 maven 3.9.4   ha770c72_0 conda-forge/linux-64
 maven 3.9.3   ha770c72_0 conda-forge/linux-64
 maven 3.9.2   ha770c72_1 conda-forge/linux-64
 maven 3.9.2   ha770c72_2 conda-forge/linux-64
 maven 3.9.2   ha770c72_3 conda-forge/linux-64
 maven 3.9.1   ha770c72_0 conda-forge/linux-64
 maven 3.9.0   ha770c72_0 conda-forge/linux-64
 maven 3.8.7   ha770c72_0 conda-forge/linux-64
 maven 3.8.6   ha770c72_0 conda-forge/linux-64
 maven 3.8.5   ha770c72_0 conda-forge/linux-64
 maven 3.6.3   ha770c72_0 conda-forge/linux-64
 maven 3.6.0   0          conda-forge/linux-64
 maven 3.5.0   0          conda-forge/linux-64
 maven 3.3.9   0          conda-forge/linux-64

[ianmcook]

Should I try 3.9.6?
https://maven.apache.org/docs/history.html

[lidavidm]

I think that's fine so long as it's installable in all of our different CI environments? (e.g. does Debian or something else use a lower version?)

[ianmcook]

I'll try 3.9.6 first and drop to 3.8.7 if we see failures

[ianmcook]

Looks like 3.9.6 would require some more extensive changes so I'll first drop to 3.8.7 and see if that works.

[kou]

@github-actions crossbow submit -g java

[github-actions]

Revision: 2b736d1

Submitted crossbow builds: ursacomputing/crossbow @ actions-aa61a793e5

Task	Status
java-jars
verify-rc-source-java-linux-almalinux-8-amd64
verify-rc-source-java-linux-conda-latest-amd64
verify-rc-source-java-linux-ubuntu-20.04-amd64
verify-rc-source-java-linux-ubuntu-22.04-amd64
verify-rc-source-java-macos-amd64

[vibhatha]

@ianmcook I will take a look at this.
I also have a PR here: #40149 which is not the same but could be related.

[vibhatha]

Also I attempted this before: #39451 but we closed it at that time since it was not needed.

Shall I reopen this and work? What's the best?

cc @lidavidm @ianmcook

[ianmcook]

Thanks @vibhatha. I think what's important here is:

• We do not want to require Arrow Java developers use old, unpatched Maven versions.
• We also do not necessarily want to require all Arrow Java environments (including our CI environments) to have the newest Maven version. (@lidavidm made this comment here )

So how can we achieve that? Can we set minimum versions but allow environments to have newer versions?

In a pom.xml file, does <version>3.3.9</version> mean that we require version 3.3.9 exactly, or version 3.3.9 or higher? (I think it means "or higher" but I'm seeing conflicting information about this.)

Should we be using version ranges like <version>[3.3.9,)</version>?

[lidavidm]

It looks like the problem is that a few builds have too old a Maven. Could we have the verification script (or the build setup) download a later Maven instead of relying on the OS packaged Maven?

[ianmcook]

It looks like the problem is that a few builds have too old a Maven. Could we have the verification script (or the build setup) download a later Maven instead of relying on the OS packaged Maven?

It looks like everything is wired up to do that (at least on Linux-like environments) and we just need to set USE_CONDA=1?

• arrow/dev/release/verify-release-candidate.sh

  Line 568 in ac1708c

  maybe_setup_conda maven openjdk

• arrow/dev/release/verify-release-candidate.sh

  Line 476 in ac1708c

  if [ "${USE_CONDA}" -gt 0 ]; then

[ianmcook]

Also I attempted this before: #39451 but we closed it at that time since it was not needed.

Shall I reopen this and work? What's the best?

@vibhatha Maybe let's use this PR to try to get to 3.8.7, then maybe later you can reopen #39451 to try to get to 3.9.6?

[vibhatha]

@ianmcook can I get permission to commit to this branch?

[ianmcook]

@ianmcook can I get permission to commit to this branch?

yes, invite sent. thanks!

[vibhatha]

@ianmcook can I get permission to commit to this branch?

yes, invite sent. thanks!

Thanks @ianmcook

[vibhatha]

@github-actions crossbow submit -g java

[ianmcook]

@github-actions crossbow submit -g java

[github-actions]

Revision: 9eea160

Submitted crossbow builds: ursacomputing/crossbow @ actions-2f83250be0

Task	Status
java-jars
verify-rc-source-java-linux-almalinux-8-amd64
verify-rc-source-java-linux-conda-latest-amd64
verify-rc-source-java-linux-ubuntu-20.04-amd64
verify-rc-source-java-linux-ubuntu-22.04-amd64
verify-rc-source-java-macos-amd64

[kou]

+1 after we resolve #40514 (comment) .

[conbench-apache-arrow]

After merging your PR, Conbench analyzed the 6 benchmarking runs that have been run so far on merge-commit 5181791.

There were no benchmark performance regressions. 🎉

The full Conbench report has more details. It also includes information about 2 possible false positives for unstable benchmarks that are known to sometimes produce them.