You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Viraj Jasani (Jira)" <ji...@apache.org> on 2023/02/08 22:40:00 UTC
[jira] [Updated] (HBASE-27436) Remove protobuf 2 dependencies
[ https://issues.apache.org/jira/browse/HBASE-27436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Viraj Jasani updated HBASE-27436:
---------------------------------
Affects Version/s: (was: 2.6.0)
> Remove protobuf 2 dependencies
> ------------------------------
>
> Key: HBASE-27436
> URL: https://issues.apache.org/jira/browse/HBASE-27436
> Project: HBase
> Issue Type: Brainstorming
> Affects Versions: 2.5.1, 2.4.15
> Reporter: Andrew Kyle Purtell
> Priority: Minor
>
> Protobuf 2 is subject to CVE-2015-5237, CVE-2021-22569, and CVE-2022-3171 and scanners checking compliance with zero tolerance CVE policies will hit on HBase because a dependency on com.google.protobuf:protobuf-java:2.5.0 is still exported by 2.x versions.
> It is impossible to remove that dependency by upgrade to Protobuf 3 everywhere given our compatibility guidelines but nonetheless it is a problem for downstream consumers of HBase with such security policies.
> HBase 2 uses Protobuf 3 internally for RPC, in hbase-protocol-shaded.
> We still depend on some protobuf-java v2.5 classes however because we use the Protobuf 2 compiler to compile the IDL in the backwards compatible hbase-protocol module. Perhaps we can extract and produce a scaffold from protobuf-java v2.5, just enough so the generated classes from the IDL will compile, and ship that scaffold included, so the dependency on protobuf-java 2.5 proper can be dropped. Protobuf is MIT licensed so partial appropriation of the source would be allowable.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)