You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hbase.apache.org by "Viraj Jasani (Jira)" <ji...@apache.org> on 2023/02/08 22:40:00 UTC

[jira] [Updated] (HBASE-27436) Remove protobuf 2 dependencies

     [ https://issues.apache.org/jira/browse/HBASE-27436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Viraj Jasani updated HBASE-27436:
---------------------------------
    Affects Version/s:     (was: 2.6.0)

> Remove protobuf 2 dependencies
> ------------------------------
>
>                 Key: HBASE-27436
>                 URL: https://issues.apache.org/jira/browse/HBASE-27436
>             Project: HBase
>          Issue Type: Brainstorming
>    Affects Versions: 2.5.1, 2.4.15
>            Reporter: Andrew Kyle Purtell
>            Priority: Minor
>
> Protobuf 2 is subject to CVE-2015-5237, CVE-2021-22569, and CVE-2022-3171 and scanners checking compliance with zero tolerance CVE policies will hit on HBase because a dependency on com.google.protobuf:protobuf-java:2.5.0 is still exported by 2.x versions. 
> It is impossible to remove that dependency by upgrade to Protobuf 3 everywhere given our compatibility guidelines but nonetheless it is a problem for downstream consumers of HBase with such security policies. 
> HBase 2 uses Protobuf 3 internally for RPC, in hbase-protocol-shaded.
> We still depend on some protobuf-java v2.5 classes however because we use the Protobuf 2 compiler to compile the IDL in the backwards compatible hbase-protocol module. Perhaps we can extract and produce a scaffold from protobuf-java v2.5, just enough so the generated classes from the IDL will compile, and ship that scaffold included, so the dependency on protobuf-java 2.5 proper can be dropped. Protobuf is MIT licensed so partial appropriation of the source would be allowable. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)