
[fix][security] Fix secure problem CVE-2017-1000487#19479

Merged
codelipenghui merged 2 commits into apache:branch-2.10 from gaoran10:fix-CVE-2017-1000487 on Feb 15, 2023

Conversation

gaoran10 (Contributor) commented Feb 10, 2023

Motivation

The security problem CVE-2017-1000487 is caused by the dependency org.codehaus.plexus:plexus-utils:2.0.6. Refer to this.

CVE-2017-1000487
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

The dependency tree is this:

```
io.prestosql:presto-main:332
  -- io.airlift.resolver:resolver:1.5
      -- org.apache.maven:maven-core:3.0.4
           -- org.codehaus.plexus:plexus-utils:2.0.6
```

I tried to exclude org.codehaus.plexus:plexus-utils:2.0.6 and import org.codehaus.plexus:plexus-utils:3.0.16, and Pulsar SQL still works.

Modifications

Exclude the dependency org.codehaus.plexus:plexus-utils:2.0.6, and import org.codehaus.plexus:plexus-utils:3.0.16.

Verifying this change

  • Make sure that the change passes the CI checks.


Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository: gaoran10#21
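The PR's own diff is not shown on this page. The following pom.xml fragment is an added illustration of the "exclude 2.0.6, import 3.0.16" change described in the Modifications section; it is not the project's actual code. It assumes the Pulsar SQL module declares io.prestosql:presto-main:332 directly (the root of the dependency tree above), and the property names presto.version and plexus-utils.version are hypothetical.

```xml
<!-- Added illustration, not the PR's actual diff. Assumes presto-main is a
     direct dependency of the module; property names are hypothetical. -->
<properties>
  <presto.version>332</presto.version>
  <plexus-utils.version>3.0.16</plexus-utils.version>
</properties>

<dependencies>
  <dependency>
    <groupId>io.prestosql</groupId>
    <artifactId>presto-main</artifactId>
    <version>${presto.version}</version>
    <exclusions>
      <!-- A Maven exclusion applies to the whole subtree under this
           dependency, so it removes the plexus-utils:2.0.6 reached via
           resolver -> maven-core without touching those two artifacts. -->
      <exclusion>
        <groupId>org.codehaus.plexus</groupId>
        <artifactId>plexus-utils</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Re-import the fixed version explicitly: maven-core still needs the
       plexus-utils classes on the classpath at runtime. -->
  <dependency>
    <groupId>org.codehaus.plexus</groupId>
    <artifactId>plexus-utils</artifactId>
    <version>${plexus-utils.version}</version>
  </dependency>
</dependencies>
```

To check that the exclusion took effect, run `mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-utils` in the module and confirm that only 3.0.16 appears. Note that an exclusion is scoped to the one dependency that declares it; if another direct dependency also pulls in plexus-utils, that path needs its own exclusion, or the version can instead be forced for the whole build with a `<dependencyManagement>` entry.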

gaoran10 changed the title from "Fix security problem CVE-2017-1000487" to "[fix][security] Fix security problem CVE-2017-1000487" on Feb 10, 2023
gaoran10 changed the title from "[fix][security] Fix security problem CVE-2017-1000487" to "[fix][security] Fix secure problem CVE-2017-1000487" on Feb 10, 2023
github-actions commented:

@gaoran10 Please add the following content to your PR description and select a checkbox:

- [ ] `doc` <!-- Your PR contains doc changes -->
- [ ] `doc-required` <!-- Your PR changes impact docs and you will update later -->
- [ ] `doc-not-needed` <!-- Your PR changes do not impact docs -->
- [ ] `doc-complete` <!-- Docs have been already added -->

gaoran10 (Contributor, Author) commented Feb 14, 2023

After checking the result of "OWASP Dependency Check", I found more CVE problems that need to be fixed.

```
Error:  Failed to execute goal org.owasp:dependency-check-maven:7.4.4:aggregate (default) on project pulsar:
Error:
Error:  One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
Error:
Error:  clickhouse-jdbc-0.3.2.jar: CVE-2021-43304(8.8), CVE-2021-43305(8.8), CVE-2021-42387(8.1), CVE-2021-42388(8.1)
Error:  kafka-clients-2.7.2.jar: CVE-2023-25194(8.8)
Error:  postgresql-42.4.1.jar: CVE-2022-31197(8.0)
Error:  stax2-api-4.2.1.jar: CVE-2022-40152(7.5)
Error:  testng-7.3.0.jar: CVE-2022-4065(7.8)
```
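The failure above comes from the dependency-check-maven `aggregate` goal refusing to pass the build while any dependency carries a CVE scored at or above 7.0. The plugin declaration below is an added illustration of how such a gate is wired up in a pom.xml; it is not Pulsar's actual build configuration. The plugin version matches the log, the suppression file path is an assumption, and the `failBuildOnCVSS` and `suppressionFiles` parameters are real options of this plugin.

```xml
<!-- Added illustration of the CVSS gate seen in the CI log above; not
     Pulsar's own build configuration. The suppression file path is assumed. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>7.4.4</version>
  <configuration>
    <!-- Fail the build if any dependency has a CVE with CVSS >= 7.0;
         this is the threshold quoted in the error message. -->
    <failBuildOnCVSS>7.0</failBuildOnCVSS>
    <!-- Findings that were reviewed and accepted (false positives, or
         vulnerable code paths that are provably unreachable) are listed
         here with a justification rather than by lowering the threshold. -->
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
    </suppressionFiles>
  </configuration>
  <executions>
    <execution>
      <goals>
        <!-- aggregate scans every module of the reactor in one report -->
        <goal>aggregate</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

For each jar in the log the remediation is the same as for plexus-utils: upgrade to a version the scanner no longer flags, or exclude and re-import it if it is only reachable transitively, then re-run the scan and confirm the error list is empty. Suppressions should be reserved for findings that have been checked by hand, since an unjustified suppression silently disables the gate for that CVE.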

@codelipenghui codelipenghui merged commit fb5477b into apache:branch-2.10 Feb 15, 2023

Labels

doc-not-needed Your PR changes do not impact docs
