Posted to commits@impala.apache.org by jo...@apache.org on 2020/04/17 00:27:09 UTC
[impala] branch master updated: IMPALA-9649: Exclude shiro-core and
shiro-crypto-core jars from maven download
This is an automated email from the ASF dual-hosted git repository.
joemcdonnell pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
The following commit(s) were added to refs/heads/master by this push:
new 327ec29 IMPALA-9649: Exclude shiro-core and shiro-crypto-core jars from maven download
327ec29 is described below
commit 327ec29c48a2f02411fe74be7f36ccfdb7d7e4e5
Author: David Knupp <dk...@cloudera.com>
AuthorDate: Mon Apr 13 14:40:47 2020 -0700
IMPALA-9649: Exclude shiro-core and shiro-crypto-core jars from maven download
These jars have known security vulnerabilities. They are included as part of
Sentry, and are not used by Impala directly.
There's currently a plan to remove Sentry altogether, but since this will
require non-trivial effort, until that time, let's exclude these items from
the maven download.
Change-Id: I4ef8203fb31b200b7480a11e148a833f4129dafc
Reviewed-on: http://gerrit.cloudera.org:8080/15720
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
fe/pom.xml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fe/pom.xml b/fe/pom.xml
index 817fdad..d29c525 100644
--- a/fe/pom.xml
+++ b/fe/pom.xml
@@ -190,6 +190,16 @@ under the License.
<groupId>org.apache.sentry</groupId>
<artifactId>sentry-core-common</artifactId>
<version>${sentry.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.shiro</groupId>
+ <artifactId>shiro-crypto-cipher</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.shiro</groupId>
+ <artifactId>shiro-core</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
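Review bot: the first exclusion names `shiro-crypto-cipher`, but the commit subject and message say the jars being excluded are shiro-core and shiro-crypto-core, so one of the two is wrong. Please confirm which artifact Sentry actually pulls in and either correct the `<artifactId>` or add the missing exclusion and update the message. Two smaller points on the same block: the exclusions are attached only to `sentry-core-common`, so any other dependency in this pom that brings in `org.apache.shiro` transitively is not covered, and checking the output of `mvn dependency:tree` for remaining shiro entries would settle that. An XML comment above `<exclusions>` pointing to IMPALA-9649 would also tell the next reader why these jars are dropped and that the block can go once Sentry is removed.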