Posted to common-issues@hadoop.apache.org by "Tatu Saloranta (Jira)" <ji...@apache.org> on 2019/10/14 05:34:00 UTC

[jira] [Commented] (HADOOP-16485) Remove dependency on jackson

    [ https://issues.apache.org/jira/browse/HADOOP-16485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16950719#comment-16950719 ] 

Tatu Saloranta commented on HADOOP-16485:
-----------------------------------------

Just to add a quick comment regarding Jackson versions: unless "Default Typing" is enabled, with a call to `mapper.enableDefaultTyping(...)` (which is something most projects do not do, and is not the default), none of the multiple CVEs actually applies. A full explanation of when it does apply can be found at [https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062] .

Unfortunately security tools faithfully indicate that every single version with CVEs is considered suspect (unfortunately they have no concept of conditional applicability?) and it is annoying to get reports about an existing version having CVEs against it.

This will change with Jackson 2.10 – 2.10.0 having been released 2 weeks ago (Sep 26, 2019). CVEs of this class will not be applicable for 2.10 or later versions. So regardless of what the ultimate plan is for JSON handling, it is possible to at least get rid of CVE warnings by upgrading.
I would probably recommend waiting until 2.10.1, as a standard precaution: that should be released during October.

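An added example (not from the Jira thread, the comment author, or the Jackson project itself) contrasting the two configurations the comment refers to: global Default Typing as enabled before 2.10, and the 2.10 form that only resolves type ids passing an explicit PolymorphicTypeValidator. It assumes jackson-databind 2.10.x on the classpath; `Shape`, `Circle` and `Square` are hypothetical application types.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {
    // Hypothetical application types: a polymorphic base and two concrete subtypes.
    public interface Shape { }
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // Pre-2.10 global Default Typing: any class named in a type id is resolved (the CVE precondition).
    static ObjectMapper riskyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated in 2.10
        return m;
    }

    // 2.10 style: Default Typing only resolves subtypes the validator explicitly allows.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)   // allow-list; Square is deliberately absent
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Returns the resolved subtype, or null when the mapper refuses the type id.
    static Class<?> resolve(ObjectMapper mapper, String json) throws Exception {
        try {
            return mapper.readValue(json, Shape.class).getClass();
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in Jackson's default WRAPPER_ARRAY form: [type id, value].
        String circle = "[\"" + Circle.class.getName() + "\",{\"radius\":2.0}]";
        String square = "[\"" + Square.class.getName() + "\",{\"side\":1.0}]";
        System.out.println("risky    circle -> " + resolve(riskyMapper(), circle));
        System.out.println("risky    square -> " + resolve(riskyMapper(), square));    // resolved: any id honoured
        System.out.println("hardened circle -> " + resolve(hardenedMapper(), circle));
        System.out.println("hardened square -> " + resolve(hardenedMapper(), square)); // null: not on the allow-list
    }
}
```

A project that never calls either `enableDefaultTyping` or `activateDefaultTyping` is in the "not applicable" case the comment describes, and the validator only matters once polymorphic handling is switched on.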
> Remove dependency on jackson
> ----------------------------
>
>                 Key: HADOOP-16485
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16485
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Wei-Chiu Chuang
>            Priority: Major
>              Labels: release-blocker
>
> Looking at git history, there were 5 commits related to updating jackson versions due to various CVEs since 2018. And it seems to get worse more recently.
> Filing this jira to discuss the possibility of removing the jackson dependency once and for all. I see that jackson is deeply integrated into the Hadoop codebase, so it is not a trivial task. However, if Hadoop is forced to make a new set of releases because of Jackson vulnerabilities, it may start to look not so costly.
> At the very least, consider stripping jackson-databind code, since that's where the majority of CVEs come from.


