You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@tez.apache.org by "László Bodor (Jira)" <ji...@apache.org> on 2021/04/12 07:08:00 UTC
[jira] [Updated] (TEZ-4303) Exclude compile-time httpclient
dependency from Tez
[ https://issues.apache.org/jira/browse/TEZ-4303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
László Bodor updated TEZ-4303:
------------------------------
Description:
Tez doesn't depend on org.apache.httpcomponents.httpclient directly. In order to avoid security warnings related to this component (e.g. CVE-2020-13956), we might exclude it.
With exclusions, only test scoped dependency should remain in the tez dependency tree, like:
{code}
[INFO] +- org.apache.hadoop:hadoop-common:test-jar:tests:3.1.3:test
[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.2:test
[INFO] | | \- org.apache.httpcomponents:httpcore:jar:4.4.4:test
{code}
> Exclude compile-time httpclient dependency from Tez
> ---------------------------------------------------
>
> Key: TEZ-4303
> URL: https://issues.apache.org/jira/browse/TEZ-4303
> Project: Apache Tez
> Issue Type: Bug
> Reporter: László Bodor
> Assignee: László Bodor
> Priority: Major
>
> Tez doesn't depend on org.apache.httpcomponents.httpclient directly. In order to avoid security warnings related to this component (e.g. CVE-2020-13956), we might exclude it.
> With exclusions, only test scoped dependency should remain in the tez dependency tree, like:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:test-jar:tests:3.1.3:test
> [INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.2:test
> [INFO] | | \- org.apache.httpcomponents:httpcore:jar:4.4.4:test
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)