Posted to dev@phoenix.apache.org by "James Taylor (JIRA)" <ji...@apache.org> on 2017/02/09 17:25:41 UTC

[jira] [Commented] (PHOENIX-3659) Remove transitive OWASP esapi dependency

    [ https://issues.apache.org/jira/browse/PHOENIX-3659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15859849#comment-15859849 ] 

James Taylor commented on PHOENIX-3659:
---------------------------------------

Good catch, [~elserj]! Let's just bump our pom version to be at or above 1.1.6 and 1.2.3. I don't think that'll be an issue.

> Remove transitive OWASP esapi dependency
> ----------------------------------------
>
>                 Key: PHOENIX-3659
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3659
>             Project: Phoenix
>          Issue Type: Task
>            Reporter: Josh Elser
>            Priority: Blocker
>
> HBase accidentally let OWASP's ESAPI artifact slip into a few releases which is not allowed (as there are GPL deps).
> This was resolved in 1.1.6 and 1.2.3. A trivial fix would be to upgrade the 1.1 and 1.2 branches to these versions, but I don't know if there are other implications to doing that.
> I'm not sure if there are runtime concerns if we just omit those dependencies. Would have to look at the suite of reverts that came in via HBASE-16317 to see if any of them would actually affect us in phoenix-landia.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)