HADOOP-19791: Upgraded GCS to remediate CVE-2025-55163

[shub-est]

Description of PR

Upgraded GCS from 2.52.0 to 2.62.0 to remediate GHSA-prj3-ccx8-p6x4
Upgraded Guava and Protobuf Java to avoid conflict

How was this patch tested?

Local build

For code changes:

• Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
• If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

AI Tooling

N/A

[steveloughran]

aah, this is a PITA. Can you also do a PR for hadoop-thirdparty for its updates, so it can be done broadly and that LICENSE-binary file is consistent

[pjfanning]

If you are going to update guava and protobuf everywhere, this Pr should update the project/pom.xml to update the guava.version and hadoop.protobuf.version. 3.25.5 appears in many places in the txt files that act as build instructions. Presumably they need to be upgraded too.

[pjfanning]

And

hadoop/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-csi/pom.xml

Line 29 in 90150af

<grpc.version>1.69.0</grpc.version>

-- this is another module that uses grpc - shouldn't that have its grpc.version upgraded too to match what is being updated for the gcp module?

[shub-est]

Hi @steveloughran @pjfanning, thank you for reviewing the PR.

Is it okay to use this PR and ticket to upgrade the Protobuf Java and Guava across the entire project while also removing the CVE?

Alternatively, I can create a separate PR just upgrading Protobuf and Guava across the entire project.

Appreciate your guidance here, thanks

[steveloughran]

I'd prefer a separate one for the thirdparty module as it'll be on a separate release cycle

[shub-est]

Hi @steveloughran, will do.

I have raised PRs for the Apache Third Party module

apache/hadoop-thirdparty#48
apache/hadoop-thirdparty#49

Once merged and new release is created, I will create a PR to update the Thirdparty version along with Guava and Protobuf upgrade.

Thanks