Posted to common-issues@hadoop.apache.org by "Wei-Chiu Chuang (JIRA)" <ji...@apache.org> on 2019/08/02 17:09:00 UTC

[jira] [Created] (HADOOP-16485) Remove dependency on jackson

Wei-Chiu Chuang created HADOOP-16485:
----------------------------------------

             Summary: Remove dependency on jackson
                 Key: HADOOP-16485
                 URL: https://issues.apache.org/jira/browse/HADOOP-16485
             Project: Hadoop Common
          Issue Type: Improvement
            Reporter: Wei-Chiu Chuang


Looking at git history, there were 5 commits related to updating jackson versions due to various CVEs since 2018. And it seems to get worse more recently.

File this jira to discuss the possibility of removing the jackson dependency once and for all. I see that jackson is deeply integrated into the Hadoop codebase, so it is not a trivial task. However, if Hadoop is forced to make a new set of releases because of Jackson vulnerabilities, it may start to look not so costly.

At the very least, consider stripping jackson-databind code, since that's where the majority of CVEs come from.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)