Fix dse-stats-converter and upgrade dependencies for security

[jblang]

Overview

This PR fixes critical runtime issues in dse-stats-converter, modernizes the build system across all three projects, and upgrades dependencies to address security vulnerabilities while maintaining Java 8 compatibility.

DSE Stats Converter Fixes

Fixed NoClassDefFoundError

• Root Cause: Missing 30+ netty module jars. The netty-all-4.1.128.1.dse.jar is only a 4KB POM aggregator, not a fat jar
• Solution: Extract all individual netty modules (buffer, codec, handler, transport, etc.) including DSE's custom netty-transport-classes-epoll with Aio classes
• Key Change: All dependencies now come directly from DSE tarball - no forced versions, no Maven dependencies
• Added 22 runtime dependency patterns extracted from DSE 6.8.x tarball

Dependency Management Approach

• All jars extracted from DSE tarball - no version forcing or Maven overrides
• Uses fileTree(dir: '.dse-libs') to include jars exactly as shipped by DSE
• This ensures compatibility with DSE's tested dependency versions
• Minimal set determined through iterative runtime testing (not static analysis)

Dependency Determination Methodology

Used iterative runtime testing rather than static analysis:

1. Started with jdeps analysis showing 838 external class references
2. Progressively added dependencies as ClassNotFoundException errors occurred
3. Verified successful initialization when tool showed help message
4. Final set: 22 patterns (~50 jars) - minimal but complete, all from DSE tarball

Test Improvements

• Enabled ConvertTest for regression protection
• Test processes 3 real Statistics.db files from shared montecristo test resources
• Copies files to build/test-output/ to preserve test resources
• Provides clear error messages if dependencies are missing

Documentation Updates

• Added dependency determination methodology to BUILD.md
• Documented DSE 6.8.x version requirement (6.9+ requires Java 11)
• Listed all 22 extracted dependency patterns with explanations

Build System Improvements

Gradle Upgrade

• Upgraded all projects from Gradle 6.9.4 → 8.5
• Updated wrapper properties in all three projects

DSE Jar Management

• Moved DSE jars to .dse-libs/ (gitignored, persists between builds)
• Improved extraction to preserve directories when cleaning
• Added early build checks with helpful error messages
• All DSE dependencies extracted from tarball - no external Maven dependencies

New Build Flags

• -D: Skip dse-stats-converter build (when DSE jars unavailable)
• -O: Skip old-c-stats-converter build (when not needed)
• -d: Now removes old DSE jars before extracting new ones

Enhanced run.sh

• Added build checks: exits if montecristo not built
• Warns (but doesn't fail) if optional converters missing
• Provides clear instructions for building missing components

Security Updates

montecristo

• cassandra-all: 4.0.19 → 4.0.20
• guava: 31.1-jre → 33.4.0-jre (latest Java 8 compatible)
• netty-all: 4.1.129.Final → 4.1.132.Final
• jackson: 2.15.4 → 2.18.6 (all modules)
• lucene: 7.5.0 → 8.11.4 (latest Java 8 compatible)
• snakeyaml: Upgraded to 2.4 (Cassandra 4.0.20 supports 2.x API)

old-c-stats-converter

• guava: 18.0 → 25.1-jre (highest Cassandra 3.11.19 compatible)
• netty-all: 4.0.44.Final → 4.1.132.Final
• libthrift: 0.9.2 → 0.20.0
• httpclient: 4.2.5 → 4.5.14
• commons-lang3: 3.8.1 → 3.18.0
• jackson: 2.15.4 → 2.18.6 (all modules)
• lucene: 7.5.0 → 8.11.4
• snakeyaml: Forced to 1.33 (Cassandra 3.11.19 requires 1.x API)

dse-stats-converter

• No forced versions - all dependencies come from DSE tarball
• Uses exact versions shipped and tested by DSE
• Ensures compatibility with DSE's dependency ecosystem

Known Limitations (Cassandra 3.11.19 Compatibility)

The following dependencies in old-c-stats-converter cannot be upgraded due to API incompatibilities:

1. snakeyaml 1.33: Cassandra 3.11.19 uses CustomClassLoaderConstructor with 1.x API signature. Version 2.x has breaking changes causing NoSuchMethodError
2. guava 25.1-jre: Cassandra 3.11.x incompatible with 27.x+ due to API changes (NoSuchFieldError: DIGIT)
3. lz4 1.3.0: Cannot upgrade due to package name changes (net.jpountz.lz4.* vs org.lz4.*)

These are inherent limitations of Cassandra 3.11.x and cannot be resolved without upgrading Cassandra itself.

Testing

• All tests pass with Java 8
• Added test resource file (la-1-big-Statistics.db) for old-c-stats-converter
• ConvertTest now provides regression protection for missing dependencies
• Verified successful Statistics.db conversion with all required jars

Breaking Changes

None - all changes are backward compatible. Existing build workflows continue to work.

Migration Notes

• DSE jars now stored in .dse-libs/ instead of libs/ (automatically handled by build.sh)
• Use -D flag to skip dse-stats-converter if DSE jars unavailable
• Lucene 8.x uses different index format than 7.x - delete existing indexes if upgrading
• dse-stats-converter now uses only DSE tarball jars - no external Maven dependencies needed

[michaelsembwever]

looks good. tests pass.

i would fix the path in the stats file, and ideally provide different product+version stat files to test against…