Posted to common-issues@hadoop.apache.org by "Adam Roberts (Jira)" <ji...@apache.org> on 2021/03/01 13:33:00 UTC
[jira] [Created] (HADOOP-17555) Image scan shows something in Hadoop using jackson-databind 2.4.0...what?
Adam Roberts created HADOOP-17555:
-------------------------------------
Summary: Image scan shows something in Hadoop using jackson-databind 2.4.0...what?
Key: HADOOP-17555
URL: https://issues.apache.org/jira/browse/HADOOP-17555
Project: Hadoop Common
Issue Type: Bug
Reporter: Adam Roberts
Hi everyone, I've done a Twistlock container-level scan of a Flink/Hadoop image (so, it's the Hadoop shaded uber jar specifically, for Hadoop 3.3.1 snapshot and Flink 1.11.3).
The most interesting result is as follows. I think it is used in Hadoop and not Flink because my container scan without the Hadoop jar does not show this result.
{ "version": "2.4.0",
"name": "com.fasterxml.jackson.core_jackson-databind",
"path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar" }
That's a very old version and likely very susceptible to CVEs, I would imagine. Does anybody know what might be using it and if we can upgrade the version?
[https://github.com/apache/hadoop/search?l=Maven+POM&q=2.4.0] shows 113 results and searching with [https://github.com/apache/hadoop/search?q=com.fasterxml.jackson.core_jackson-databind] isn't helpful either unfortunately (in fact less so).
So I am wondering what could be using it. Any input would be awesome, thank you! I will do my own digging as well to keep looking, but if anyone knows off-hand that would be fantastic.
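One way to see which Maven artifacts an uber jar declares as bundled, as an added example (not part of the original message or of Hadoop's or Flink's code). It assumes the shaded jar still carries the META-INF/maven/<groupId>/<artifactId>/pom.properties entries that Maven writes into the jars it builds; the function names are hypothetical and the sample jar is constructed in memory.

```python
import io
import zipfile

def parse_properties(text):
    """Parse the key=value lines Maven writes into pom.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def bundled_artifacts(jar):
    """Return sorted (groupId, artifactId, version, entry) tuples for every
    META-INF/maven/<groupId>/<artifactId>/pom.properties entry in the jar."""
    found = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) != 5 or parts[:2] != ["META-INF", "maven"] or parts[4] != "pom.properties":
                continue
            props = parse_properties(zf.read(name).decode("utf-8", "replace"))
            # Fall back to the path segments when a key is missing from the file.
            found.append((props.get("groupId", parts[2]),
                          props.get("artifactId", parts[3]),
                          props.get("version", "unknown"), name))
    return sorted(found)

def find_artifact(jar, artifact_id):
    """Filter the bundled artifacts down to one artifactId."""
    return [a for a in bundled_artifacts(jar) if a[1] == artifact_id]

def build_sample_jar():
    """Constructed sample: a tiny in-memory stand-in for a shaded uber jar."""
    base = "META-INF/maven/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(base + "com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "#Generated by Maven\nversion=2.4.0\n"
                    "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
        zf.writestr(base + "org.example/demo-lib/pom.properties",
                    "version=1.0\ngroupId=org.example\nartifactId=demo-lib\n")
        zf.writestr("org/example/Demo.class", b"\xca\xfe\xba\xbe")
    return buf

if __name__ == "__main__":
    # Replace build_sample_jar() with the path to the jar under inspection.
    for group, artifact, version, entry in bundled_artifacts(build_sample_jar()):
        print(f"{group}:{artifact}:{version}  <- {entry}")
```

An artifact listed here was bundled when the uber jar was assembled; running `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` in the build that produces the jar shows which dependency brings it in.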