Posted to commits@flink.apache.org by ch...@apache.org on 2019/11/21 15:34:49 UTC

[flink] 02/02: [FLINK-14104][build] Add opt-in jackson 2.10.1 profile

This is an automated email from the ASF dual-hosted git repository.

chesnay pushed a commit to branch release-1.9
in repository https://gitbox.apache.org/repos/asf/flink.git

commit 43ac587fe865f4709efa28fff15199496c917fd3
Author: Chesnay Schepler <ch...@apache.org>
AuthorDate: Wed Nov 13 11:40:04 2019 +0100

    [FLINK-14104][build] Add opt-in jackson 2.10.1 profile
---
 docs/flinkDev/building.md                     | 10 ++++++++++
 docs/flinkDev/building.zh.md                  | 10 ++++++++++
 flink-metrics/flink-metrics-influxdb/pom.xml  | 27 +++++++++++++++++++++++++++
 flink-table/flink-table-planner-blink/pom.xml | 27 +++++++++++++++++++++++++++
 flink-table/flink-table-planner/pom.xml       | 27 +++++++++++++++++++++++++++
 pom.xml                                       | 25 +++++++++++++++++++++++++
 6 files changed, 126 insertions(+)

diff --git a/docs/flinkDev/building.md b/docs/flinkDev/building.md
index 7bdfceb..28c269d 100644
--- a/docs/flinkDev/building.md
+++ b/docs/flinkDev/building.md
@@ -170,5 +170,15 @@ The workaround is to add:
 
 in the compiler configuration of the `pom.xml` file of the module causing the error. For example, if the error appears in the `flink-yarn` module, the above code should be added under the `<configuration>` tag of `scala-maven-plugin`. See [this issue](https://issues.apache.org/jira/browse/FLINK-2003) for more information.
 
+## Jackson
+
+Multiple Flink components use [Jackson](https://github.com/FasterXML/jackson). Older versions of jackson (<`2.10.1`) are subject to a variety of security vulnerabilities.
+
+Flink 1.8.3+ offers an opt-in profile (`use-jackson-2.10.1`) for building Flink against Jackson `2.10.1`; including `jackson-annotations`, `jackson-core` and `jackson-databind`.
+
+Usage: `mvn package -Puse-jackson-2.10.1`
+
+When you build a maven application against this Flink version it is recommended to bump the `maven-shade-plugin` version to at least `3.1.1` to prevent packaging errors.
+
 {% top %}
 
diff --git a/docs/flinkDev/building.zh.md b/docs/flinkDev/building.zh.md
index c5e794a..924891f 100644
--- a/docs/flinkDev/building.zh.md
+++ b/docs/flinkDev/building.zh.md
@@ -170,5 +170,15 @@ The workaround is to add:
 
 in the compiler configuration of the `pom.xml` file of the module causing the error. For example, if the error appears in the `flink-yarn` module, the above code should be added under the `<configuration>` tag of `scala-maven-plugin`. See [this issue](https://issues.apache.org/jira/browse/FLINK-2003) for more information.
 
+## Jackson
+
+Multiple Flink components use [Jackson](https://github.com/FasterXML/jackson). Older versions of jackson (<`2.10.1`) are subject to a variety of security vulnerabilities.
+
+Flink 1.9.2+ offers an opt-in profile (`use-jackson-2.10.1`) for building Flink against Jackson `2.10.1`; including `jackson-annotations`, `jackson-core` and `jackson-databind`.
+
+Usage: `mvn package -Puse-jackson-2.10.1`
+
+When you build a maven application against this Flink version it is recommended to bump the `maven-shade-plugin` version to at least `3.1.1` to prevent packaging errors.
+
 {% top %}
 
diff --git a/flink-metrics/flink-metrics-influxdb/pom.xml b/flink-metrics/flink-metrics-influxdb/pom.xml
index 475e94b..706b0da 100644
--- a/flink-metrics/flink-metrics-influxdb/pom.xml
+++ b/flink-metrics/flink-metrics-influxdb/pom.xml
@@ -120,6 +120,33 @@ under the License.
 		</dependencies>
 	</dependencyManagement>
 
+	<profiles>
+		<profile>
+			<id>use-jackson-2.10.1</id>
+			<dependencyManagement>
+				<dependencies>
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-annotations</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-databind</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-core</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+				</dependencies>
+			</dependencyManagement>
+		</profile>
+	</profiles>
+
 	<build>
 		<plugins>
 			<plugin>
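Review bot: The literal `2.10.1` appears three times in this added profile, and the same block is repeated verbatim in the `flink-table-planner-blink`, `flink-table-planner` and root `pom.xml` hunks. A later Jackson bump therefore has twelve literals to keep in step, and a missed one leaves a module on a different Jackson version with no build error. Defining the version once as a property in the root profile and writing `<version>${jackson.version}</version>` in each copy (property name is a suggestion; check it does not clash with an existing one) would remove that risk. The copy here presumably exists because this module's own `<dependencyManagement>`, which closes just above the added lines, would otherwise take precedence over the root profile. A comment such as `<!-- repeated from the root pom: module-level dependencyManagement overrides the parent's -->` would keep it from being deleted as redundant.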
diff --git a/flink-table/flink-table-planner-blink/pom.xml b/flink-table/flink-table-planner-blink/pom.xml
index 5325c64..dce99f0 100644
--- a/flink-table/flink-table-planner-blink/pom.xml
+++ b/flink-table/flink-table-planner-blink/pom.xml
@@ -267,6 +267,33 @@ under the License.
 		</dependency>
 	</dependencies>
 
+	<profiles>
+		<profile>
+			<id>use-jackson-2.10.1</id>
+			<dependencyManagement>
+				<dependencies>
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-annotations</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-databind</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-core</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+				</dependencies>
+			</dependencyManagement>
+		</profile>
+	</profiles>
+
 	<build>
 		<plugins>
 			<!-- Scala Compiler -->
diff --git a/flink-table/flink-table-planner/pom.xml b/flink-table/flink-table-planner/pom.xml
index ea4e4fc..107c176 100644
--- a/flink-table/flink-table-planner/pom.xml
+++ b/flink-table/flink-table-planner/pom.xml
@@ -268,6 +268,33 @@ under the License.
 		</dependency>
 	</dependencies>
 
+	<profiles>
+		<profile>
+			<id>use-jackson-2.10.1</id>
+			<dependencyManagement>
+				<dependencies>
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-annotations</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-databind</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-core</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+				</dependencies>
+			</dependencyManagement>
+		</profile>
+	</profiles>
+
 	<build>
 		<plugins>
 			<!-- Scala Compiler -->
diff --git a/pom.xml b/pom.xml
index a6acae8..b9d9dbf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -749,6 +749,31 @@ under the License.
 		</profile>
 
 		<profile>
+			<id>use-jackson-2.10.1</id>
+			<dependencyManagement>
+				<dependencies>
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-annotations</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-databind</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+
+					<dependency>
+						<groupId>com.fasterxml.jackson.core</groupId>
+						<artifactId>jackson-core</artifactId>
+						<version>2.10.1</version>
+					</dependency>
+				</dependencies>
+			</dependencyManagement>
+		</profile>
+
+		<profile>
 			<id>java9</id>
 			<activation>
 				<jdk>9</jdk>
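Review bot: The added profile pins only `jackson-annotations`, `jackson-databind` and `jackson-core`, so any other Jackson artifact that reaches the build transitively (dataformat, datatype or module jars) stays on its old version and is mixed with the 2.10.1 core jars. Importing the Jackson BOM next to the three explicit pins would align the rest; the pins should stay, because directly declared managed entries take precedence over imported ones. Whether such artifacts exist in this build is not visible from the hunk, so check with `mvn dependency:tree -Puse-jackson-2.10.1 -Dincludes='com.fasterxml.jackson.*'`. Because the profile is opt-in, default builds of this branch still resolve the older Jackson that the accompanying docs describe as vulnerable; running the same command without `-P` shows what they carry.

```xml
			<dependencyManagement>
				<dependencies>
					<!-- … unchanged: explicit jackson-annotations, jackson-databind and jackson-core pins … -->

					<!-- aligns all remaining Jackson artifacts; the explicit pins above still win over imported entries -->
					<dependency>
						<groupId>com.fasterxml.jackson</groupId>
						<artifactId>jackson-bom</artifactId>
						<version>2.10.1</version>
						<type>pom</type>
						<scope>import</scope>
					</dependency>
				</dependencies>
			</dependencyManagement>
```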