[ 
https://issues.apache.org/jira/browse/HADOOP-18676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17704591#comment-17704591
 ] 

Andras Katona commented on HADOOP-18676:
----------------------------------------

It's been there since jettison came into the picture in hadoop-common through jersey-json:
https://github.com/apache/hadoop/commit/19523b6a2b7a948fe09810a5c1424154c1f434b0,
the pom shows {{0.24.0-SNAPSHOT}} in it (obviously the jettison vulnerability wasn't discovered yet). Dependency management of jettison was added here:
https://github.com/apache/hadoop/commit/7c8b654ba5ea7bf98e9a529ef1befee88366c1d7
<-- this is where the direct dependency should have been added wherever jettison came in only as transitive; the pom version is 3.0.0-SNAPSHOT here.

> Include jettison as direct dependency of hadoop-common
> ------------------------------------------------------
>
>                 Key: HADOOP-18676
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18676
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: common
>            Reporter: Andras Katona
>            Priority: Major
>              Labels: pull-request-available
>
> When hadoop-common is pulled in outside of the hadoop project, the wrong version
> of jettison comes in, because the dependency management of hadoop-project doesn't
> apply in this case.
> So it's not enough just to upgrade the version in dependency management. When
> jettison comes in only as transitive, whoever is pulling in that hadoop
> library will still get the wrong jettison.
> example:
> hadoop-common
> {noformat}
> org.example:untitled:jar:1.0-SNAPSHOT
> \- org.apache.hadoop:hadoop-common:jar:3.4.0-SNAPSHOT:compile
> ...
>    +- com.github.pjfanning:jersey-json:jar:1.20:compile
>    |  +- org.codehaus.jettison:jettison:jar:1.1:compile
> ...
> {noformat}
> When the module is a library (so it will be used outside of the actual
> project), the correct dependency must be declared as a direct dependency (and
> optionally excluded from the dependency it originally came from).
> jettison should be added as a direct dependency.
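The fix pattern the issue describes, shown as an added pom.xml fragment for illustration (this is not the Hadoop project's own pom change). It assumes a `jettison.version` property managed in the library's parent pom and uses the jersey-json/jettison coordinates from the dependency tree above; the exact version is left as a property placeholder because the issue does not state it.

```xml
<!-- BEFORE: jettison only arrives transitively via jersey-json.
     A downstream consumer that depends on this library resolves
     jettison:1.1 (jersey-json's choice), because the library's
     <dependencyManagement> does not apply to the consumer's graph. -->
<dependencies>
  <dependency>
    <groupId>com.github.pjfanning</groupId>
    <artifactId>jersey-json</artifactId>
    <version>1.20</version>
  </dependency>
</dependencies>

<!-- AFTER: declare jettison as a direct dependency of the library and
     exclude the transitive copy. Maven's nearest-wins rule then makes the
     direct declaration the version every consumer receives. -->
<dependencies>
  <dependency>
    <groupId>com.github.pjfanning</groupId>
    <artifactId>jersey-json</artifactId>
    <version>1.20</version>
    <exclusions>
      <!-- drop the transitive jettison so only the direct one remains -->
      <exclusion>
        <groupId>org.codehaus.jettison</groupId>
        <artifactId>jettison</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>org.codehaus.jettison</groupId>
    <artifactId>jettison</artifactId>
    <!-- assumed property; resolved from the parent's <dependencyManagement>
         at the library's own build time, so the published pom carries it -->
    <version>${jettison.version}</version>
  </dependency>
</dependencies>
```

To confirm the effect from a consumer project, run `mvn dependency:tree -Dincludes=org.codehaus.jettison` there: before the change it lists jettison under jersey-json with the stale version, afterwards it lists the single direct version under hadoop-common.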



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
