Posted to issues@hbase.apache.org by "Viraj Jasani (Jira)" <ji...@apache.org> on 2019/08/21 14:50:00 UTC

[jira] [Comment Edited] (HBASE-22863) Avoid Jackson versions and dependencies with known CVEs

    [ https://issues.apache.org/jira/browse/HBASE-22863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16912362#comment-16912362 ] 

Viraj Jasani edited comment on HBASE-22863 at 8/21/19 2:49 PM:
---------------------------------------------------------------

The only issue I observed was that, while applying the master patch to branch-2, the <exclusion> in the parent pom.xml got jumbled up and went to some other dependency, e.g. instead of <hadoop-mapreduce-client-core>, the exclusions went to <hadoop-mapreduce-client-jobclient>.

Hence, I had to generate the patch for branch-2, but I believe branch-2.1 and 2.2 should mostly be fine. Anyway, I will reverify once.

Thanks


was (Author: vjasani):
The only issue was I observed was that while applying master patch to branch-2, <exclusion> in parent pom.xml got jumbled up and went to some other dependency, e.g. instead of <hadoop-mapreduce-client-core>, exclusions went to <hadoop-mapreduce-client-jobclient>.

Hence, had to generate the patch for branch-2, but I believe mostly branch-2.1, 2.2 should be fine. Anyways, I will reverify once.

Thanks

> Avoid Jackson versions and dependencies with known CVEs
> -------------------------------------------------------
>
>                 Key: HBASE-22863
>                 URL: https://issues.apache.org/jira/browse/HBASE-22863
>             Project: HBase
>          Issue Type: Bug
>          Components: dependencies
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: Viraj Jasani
>            Assignee: Viraj Jasani
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0
>
>         Attachments: HBASE-22863.branch-2.000.patch, HBASE-22863.master.000.patch, HBASE-22863.master.001.patch
>
>
> Partly a forward-port from the branch-1 Jira: HBASE-22728
> Even though master and branch-2 moved away from Jackson 1 some time back, HBase is still pulling in some vulnerable Jackson dependencies (e.g. jackson-mapper-asl:1.9.13) from Hadoop:
>
> {code:java}
> [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
> [INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
> [INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
> [INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
> [INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
> [INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
> [INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
> [INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
> [INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
> [INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
> [INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile{code}
> {code:java}
> [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
> [INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
> [INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
> [INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
> [INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
> [INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
> [INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile{code}
> {code:java}
> [INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
> [INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
> [INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
> [INFO]       +- com.sun.jersey:jersey-json:jar:1.9:test
> [INFO]       |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
> [INFO]       |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
> [INFO]       +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO]       \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
> {code}
> Jackson 1 is not used in HBase code anymore; hence we should include it only at test scope if Hadoop requires it, but definitely exclude it from the corresponding Hadoop dependencies.
>



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
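The issue description shows the symptom (Jackson 1.x artifacts under org.codehaus.jackson appearing in `mvn dependency:tree` output) and the fix (an `<exclusion>` on the Hadoop dependency that drags them in, with Jackson 1 tolerated only at test scope). The script below is an added example, not HBase or Hadoop code: it parses the tree text, reports every org.codehaus.jackson artifact together with the direct dependency and scope through which it arrives, and renders the `<exclusions>` block for each compile-scope leak. It assumes the standard text layout of `mvn dependency:tree` (3-character connector cells, `groupId:artifactId:type[:classifier]:version[:scope]` coordinates) and Maven's scope mediation rule that everything under a test-scoped direct dependency is itself test-scoped. The sample input is the first two trees quoted in the issue, embedded as a constructed string.

```python
"""Find Jackson 1.x leaks in `mvn dependency:tree` output and attribute each to the direct
dependency that needs the <exclusion>. Added example for HBASE-22863, not HBase code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the first two trees quoted in the issue description, verbatim.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
[INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
[INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
[INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
[INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
[INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
"""

BANNED_GROUP = "org.codehaus.jackson"  # Jackson 1.x: the group the issue wants out of compile scope
# "[INFO] " + connector prefix of 3-char cells ("+- ", "\- ", "|  ", "   ") + g:a:type[:classifier]:version[:scope]
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[+\\]- |[| ]  )*)(?P<coords>[^\s:]+(?::[^\s:]+){3,})$")

@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str  # "" for the module at the root of a tree
    depth: int  # 0 = module, 1 = direct dependency, 2+ = transitive

@dataclass
class Finding:
    module: str        # module whose tree leaks the banned group
    direct: str        # g:a of the direct dependency to put the <exclusion> on
    direct_scope: str  # decides whether the leak reaches the shipped classpath
    path: str          # full chain, ready to paste into a Jira comment
    leaked: str        # g:a:v of the banned artifact

def parse_tree(text):
    """Flatten dependency:tree text into nodes in print order; banners and blanks are skipped."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m["coords"].split(":")
        depth = len(m["prefix"]) // 3
        version, scope = (parts[-1], "") if depth == 0 else (parts[-2], parts[-1])
        nodes.append(Node(parts[0], parts[1], version, scope, depth))
    return nodes

def find_leaks(nodes, banned_group=BANNED_GROUP):
    """Walk the nodes keeping the ancestor chain by depth; report each banned artifact."""
    chain, findings = [], []
    for n in nodes:
        del chain[n.depth:]  # leaving a subtree, or starting a new module, drops deeper ancestors
        chain.append(n)
        if n.depth >= 1 and n.group == banned_group:
            findings.append(Finding(
                module=chain[0].artifact,
                direct=f"{chain[1].group}:{chain[1].artifact}",
                # Maven scope mediation: under a test-scoped direct dependency everything is test
                # scope, whatever the leaf line prints (avro shows "compile" in the sample).
                direct_scope=chain[1].scope,
                path=" > ".join(x.artifact for x in chain[1:]),
                leaked=f"{n.group}:{n.artifact}:{n.version}",
            ))
    return findings

def exclusion_plan(findings):
    """Group the leaks that reach compile/runtime scope by the direct dependency to fix."""
    plan = defaultdict(set)
    for f in findings:
        if f.direct_scope in ("compile", "runtime"):
            plan[(f.module, f.direct)].add(f.leaked.rsplit(":", 1)[0])  # exclusions carry no version
    return {k: sorted(v) for k, v in plan.items()}

def exclusions_xml(artifacts):
    """Render the <exclusions> block to paste into the offending <dependency>."""
    items = "".join(
        f"  <exclusion>\n    <groupId>{g}</groupId>\n    <artifactId>{a}</artifactId>\n  </exclusion>\n"
        for g, a in (ga.split(":") for ga in artifacts))
    return f"<exclusions>\n{items}</exclusions>"

if __name__ == "__main__":
    found = find_leaks(parse_tree(SAMPLE_TREE))
    for f in found:
        verdict = "EXCLUDE" if f.direct_scope in ("compile", "runtime") else "test-only, acceptable"
        print(f"[{f.module}] {f.leaked} via {f.path} ({f.direct_scope}): {verdict}")
    for (module, direct), arts in exclusion_plan(found).items():
        print(f"\n{module}: add to <dependency> {direct}\n{exclusions_xml(arts)}")
```

Run against the real output of `mvn dependency:tree` on a module, the plan names exactly the `<dependency>` elements that need an `<exclusions>` block; the jackson-mapper-asl reached through the test-scoped hadoop-mapreduce-client-jobclient test-jar is reported but not planned for exclusion, matching the issue's "test scope only if required by Hadoop" rule. Verify the result by re-running the tree after editing the pom, since a second direct dependency can still supply the same artifact.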