Posted to issues@hbase.apache.org by "Andrew Purtell (Jira)" <ji...@apache.org> on 2019/09/21 01:45:00 UTC

[jira] [Updated] (HBASE-23061) Replace use of Jackson for JSON serde in hbase common and client modules

     [ https://issues.apache.org/jira/browse/HBASE-23061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Purtell updated HBASE-23061:
-----------------------------------
    Description: 
We are using Jackson to emit JSON in at least one place in common and client. We don't need all of Jackson and all the associated trouble just to do that. Use a suitably licensed JSON library with no known vulnerability. This will avoid problems downstream because we are trying to avoid having them pull in a vulnerable Jackson via us, so Jackson is a 'provided' scope transitive dependency of client and its in-project dependencies (like common).

Here's where I am referring to:

org.apache.hadoop.hbase.util.JsonMapper.<clinit>(JsonMapper.java:37)
       at org.apache.hadoop.hbase.client.Operation.toJSON(Operation.java:70)
       at org.apache.hadoop.hbase.client.Operation.toString(Operation.java:96)

  was:
We are using Jackson to emit JSON in at least one place in common and client. We don't need all of Jackson and all the associated trouble just to do that. Use a suitably licensed JSON library with no known vulnerability. This will avoid problems downstream because we are trying to avoid having them pull in a vulnerable Jackson via us, so Jackson is a provided scope.

Here's where I am referring to:

org.apache.hadoop.hbase.util.JsonMapper.<clinit>(JsonMapper.java:37)
       at org.apache.hadoop.hbase.client.Operation.toJSON(Operation.java:70)
       at org.apache.hadoop.hbase.client.Operation.toString(Operation.java:96)


> Replace use of Jackson for JSON serde in hbase common and client modules
> ------------------------------------------------------------------------
>
>                 Key: HBASE-23061
>                 URL: https://issues.apache.org/jira/browse/HBASE-23061
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Andrew Purtell
>            Priority: Blocker
>             Fix For: 1.5.0
>
>
> We are using Jackson to emit JSON in at least one place in common and client. We don't need all of Jackson and all the associated trouble just to do that. Use a suitably licensed JSON library with no known vulnerability. This will avoid problems downstream because we are trying to avoid having them pull in a vulnerable Jackson via us, so Jackson is a 'provided' scope transitive dependency of client and its in-project dependencies (like common).
> Here's where I am referring to:
> org.apache.hadoop.hbase.util.JsonMapper.<clinit>(JsonMapper.java:37)
>        at org.apache.hadoop.hbase.client.Operation.toJSON(Operation.java:70)
>        at org.apache.hadoop.hbase.client.Operation.toString(Operation.java:96)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)