Posted to issues@hbase.apache.org by "Viraj Jasani (JIRA)" <ji...@apache.org> on 2019/08/15 18:10:00 UTC

[jira] [Created] (HBASE-22863) Avoid Jackson versions and dependencies with known CVEs

Viraj Jasani created HBASE-22863:
------------------------------------

             Summary: Avoid Jackson versions and dependencies with known CVEs
                 Key: HBASE-22863
                 URL: https://issues.apache.org/jira/browse/HBASE-22863
             Project: HBase
          Issue Type: Bug
          Components: dependencies
    Affects Versions: 3.0.0, 2.3.0
            Reporter: Viraj Jasani
            Assignee: Viraj Jasani


Even though master and branch-2 moved away from Jackson 1 some time back, HBase still pulls in the vulnerable jackson-mapper-asl:1.9.13 dependency transitively from Hadoop:

{code:java}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile{code}
{code:java}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
[INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
[INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
[INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
[INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
[INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile{code}
{code:java}
[INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
[INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
[INFO]       +- com.sun.jersey:jersey-json:jar:1.9:test
[INFO]       |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
[INFO]       |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
[INFO]       +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
{code}
jackson-mapper-asl is no longer used in HBase code, so we should include it at test scope only where required and definitely exclude it from the corresponding Hadoop dependencies.

Moreover, the fasterxml.jackson mapper is used only in hbase-rest tests, but we pull it in with 'compile' scope. Maybe we can include it at 'test' scope only and clean up the Jackson dependencies.
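As an added example (not from this issue or the HBase poms), a pom.xml fragment that applies both changes proposed above to the Hadoop 2.8.5 dependencies shown in the trees: the Jackson 2 artifact (com.fasterxml.jackson.core:jackson-databind) and the ${jackson2.version} property are assumptions, and the wildcard exclusion requires Maven 3.2.1 or later.

```xml
<!-- Added example, not HBase's own pom. Excludes every org.codehaus.jackson
     (Jackson 1) artifact from the Hadoop subtrees and keeps the Jackson 2
     mapper at test scope. Exclusions apply to the whole transitive subtree,
     so the jackson-jaxrs/jackson-xc 1.8.3 jars reached via jersey-json and
     the 1.9.13 jars reached via avro and hadoop-yarn-common are all dropped. -->
<dependencies>
  <dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-common</artifactId>
    <version>2.8.5</version>
    <exclusions>
      <exclusion>
        <!-- jackson-core-asl, jackson-mapper-asl, jackson-jaxrs, jackson-xc -->
        <groupId>org.codehaus.jackson</groupId>
        <artifactId>*</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-mapreduce-client-core</artifactId>
    <version>2.8.5</version>
    <exclusions>
      <exclusion>
        <!-- jackson-jaxrs/jackson-xc 1.9.13 via hadoop-yarn-common -->
        <groupId>org.codehaus.jackson</groupId>
        <artifactId>*</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Jackson 2 mapper is only needed by hbase-rest tests: test scope, not compile.
       Artifact and version property are assumptions for this example. -->
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>${jackson2.version}</version>
    <scope>test</scope>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.codehaus.jackson` should list no remaining Jackson 1 artifacts in the affected modules; any that still appear come from a path the exclusions do not cover.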

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)