Upgrade H2 version to 2.0.202 to fix CVE-2021-23463 (#8332)

CHANGES.md

@@ -20,6 +20,8 @@ Release Notes.
 * Add the analysis of metrics in Satellite MetricsService.
 * Fix `Can't split endpoint id into 2 parts` bug for endpoint ID. In the TCP in service mesh observability, endpoint
   name doesn't exist in TCP traffic.
+* Upgrade H2 version to 2.0.202 to fix CVE-2021-23463.
+* Extend column name override mechanism working for `ValueColumnMetadata`.
 
 #### UI
 

dist-material/release-docs/LICENSE

@@ -381,7 +381,7 @@ MPL 2.0 licenses
 The following components are provided under a MPL 2.0 license. See project link for details.
 The text of each license is also included at licenses/LICENSE-[project].txt.
 
-    H2 Database 1.4.196: http://www.h2database.com/html/main.html , MPL 2.0 or EPL 1.0
+    H2 Database 2.0.202: http://www.h2database.com/html/main.html , MPL 2.0 or EPL 1.0
 
 ========================================
 CC0-1.0 licenses

oap-server-bom/pom.xml

@@ -34,7 +34,7 @@
         <graphql-java.version>8.0</graphql-java.version>
         <okhttp.version>3.14.9</okhttp.version>
         <httpclient.version>4.5.13</httpclient.version>
-        <h2.version>1.4.196</h2.version>
+        <h2.version>2.0.202</h2.version>
         <joda-time.version>2.10.5</joda-time.version>
         <zookeeper.version>3.5.7</zookeeper.version>
         <guava.version>28.1-jre</guava.version>

oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/storage/annotation/ValueColumnMetadata.java

@@ -32,7 +32,8 @@ import org.apache.skywalking.oap.server.core.query.sql.Function;
 public enum ValueColumnMetadata {
     INSTANCE;
 
-    private Map<String, ValueColumn> mapping = new HashMap<>();
+    private final Map<String, ValueColumn> mapping = new HashMap<>();
+    private final HashMap<String, String> columnNameOverrideRule = new HashMap<>();
 
     /**
      * Register the new metadata for the given model name.
@@ -46,11 +47,16 @@ public enum ValueColumnMetadata {
         mapping.putIfAbsent(modelName, new ValueColumn(valueCName, dataType, function, defaultValue, scopeId));
     }
 
+    public void overrideColumnName(String oldName, String newName) {
+        columnNameOverrideRule.put(oldName, newName);
+    }
+
     /**
      * Fetch the value column name of the given metrics name.
      */
     public String getValueCName(String metricsName) {
-        return findColumn(metricsName).valueCName;
+        final String valueCName = findColumn(metricsName).valueCName;
+        return columnNameOverrideRule.getOrDefault(valueCName, valueCName);
     }
 
     /**
@@ -88,7 +94,7 @@ public enum ValueColumnMetadata {
 
     @Getter
     @RequiredArgsConstructor
-    public class ValueColumn {
+    public static class ValueColumn {
         private final String valueCName;
         private final Column.ValueDataType dataType;
         private final Function function;

oap-server/server-core/src/main/java/org/apache/skywalking/oap/server/core/storage/model/StorageModels.java

@@ -166,6 +166,7 @@ public class StorageModels implements IModelManager, ModelCreator, ModelManipula
     public void overrideColumnName(String columnName, String newName) {
         columnNameOverrideRule.put(columnName, newName);
         models.forEach(this::followColumnNameRules);
+        ValueColumnMetadata.INSTANCE.overrideColumnName(columnName, newName);
     }
 
     private void followColumnNameRules(Model model) {

oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AggregationQueryDAO.java

@@ -61,8 +61,9 @@ public class H2AggregationQueryDAO implements IAggregationQueryDAO {
             });
         }
         sql.append(" group by ").append(Metrics.ENTITY_ID);
-        sql.append(")  as T order by value ")
-           .append(metrics.getOrder().equals(Order.ASC) ? "asc" : "desc")
+        sql.append(")  as T order by ")
+           .append(valueColumnName)
+           .append(metrics.getOrder().equals(Order.ASC) ? " asc" : " desc")
            .append(" limit ")
            .append(metrics.getTopN());
         List<SelectedRecord> topNEntities = new ArrayList<>();
@@ -72,7 +73,7 @@ public class H2AggregationQueryDAO implements IAggregationQueryDAO {
             while (resultSet.next()) {
                 SelectedRecord topNEntity = new SelectedRecord();
                 topNEntity.setId(resultSet.getString(Metrics.ENTITY_ID));
-                topNEntity.setValue(resultSet.getString("value"));
+                topNEntity.setValue(resultSet.getString("result"));
                 topNEntities.add(topNEntity);
             }
         } catch (SQLException e) {
@@ -85,7 +86,7 @@ public class H2AggregationQueryDAO implements IAggregationQueryDAO {
         StringBuilder sql = new StringBuilder();
         sql.append("select * from (select avg(")
                 .append(valueColumnName)
-                .append(") value,")
+                .append(") result,")
                 .append(Metrics.ENTITY_ID)
                 .append(" from ")
                 .append(metricsName)

oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java

@@ -82,8 +82,8 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
                 sql.toString(),
                 parameters.toArray(new Object[0])
             )) {
-                while (resultSet.next()) {
-                    return resultSet.getLong("value");
+                if (resultSet.next()) {
+                    return resultSet.getLong("result");
                 }
             }
         } catch (SQLException e) {
@@ -94,7 +94,7 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
 
     protected StringBuilder buildMetricsValueSql(String op, String valueColumnName, String conditionName) {
         return new StringBuilder(
-                "select " + Metrics.ENTITY_ID + " id, " + op + "(" + valueColumnName + ") value from " + conditionName + " where ");
+                "select " + Metrics.ENTITY_ID + " id, " + op + "(" + valueColumnName + ") result from " + conditionName + " where ");
     }
 
     @Override

oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TableInstaller.java

@@ -56,6 +56,7 @@ public class H2TableInstaller extends ModelInstaller {
         super(client, moduleManager);
         this.maxSizeOfArrayColumn = maxSizeOfArrayColumn;
         this.numOfSearchableValuesPerTag = numOfSearchableValuesPerTag;
+        overrideColumnName("value", "value_");
     }
 
     @Override

test/e2e-v2/java-test-service/e2e-service-provider/src/main/java/org/apache/skywalking/e2e/User.java

@@ -22,6 +22,7 @@ import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.GeneratedValue;
 import javax.persistence.Id;
+import javax.persistence.Table;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
@@ -29,6 +30,7 @@ import lombok.RequiredArgsConstructor;
 
 @Data
 @Entity
+@Table(name = "users")
 @Builder
 @AllArgsConstructor
 @RequiredArgsConstructor

test/e2e-v2/java-test-service/pom.xml

@@ -48,7 +48,7 @@
         <jupeter.version>5.6.0</jupeter.version>
         <jackson.version>2.9.7</jackson.version>
         <guava.version>30.1.1-jre</guava.version>
-        <h2.version>1.4.199</h2.version>
+        <h2.version>2.0.202</h2.version>
         <mysql.version>8.0.13</mysql.version>
         <lombok.version>1.18.20</lombok.version>
         <kafka-clients.version>2.4.1</kafka-clients.version>

tools/dependencies/known-oap-backend-dependencies.txt

@@ -55,7 +55,7 @@ gson-2.8.6.jar
 gson-fire-1.8.5.jar
 guava-28.1-jre.jar
 guice-4.1.0.jar
-h2-1.4.196.jar
+h2-2.0.202.jar
 httpasyncclient-4.1.3.jar
 httpclient-4.5.13.jar
 httpcore-4.4.13.jar