[
https://issues.apache.org/jira/browse/OOZIE-3650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17475624#comment-17475624
]
PJ Fanning commented on OOZIE-3650:
-----------------------------------
[~asalamon74] I think patch 004 is getting there. The CI build failed -
[https://ci-hadoop.apache.org/job/PreCommit-OOZIE-Build/59/console] but maybe
I'm misreading it - it appears to be unhappy with a JPA persistence class.
{code:java}
18:28:52 -1 There are [7] new bugs found below threshold in [core] that
must be fixed, listing only the first [5] ones.
18:28:52 You can find the SpotBugs diff here (look for the red and orange
ones): core/findbugs-new.html
18:28:52 The top [5] most important SpotBugs errors are:
18:28:52 At BulkJPAExecutor.java:[line 206]: This use of
javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query;
can be vulnerable to SQL/JPQL injection
18:28:52 At BulkJPAExecutor.java:[line 176]: At BulkJPAExecutor.java:[line
175]
18:28:52 At BulkJPAExecutor.java:[line 205]: At BulkJPAExecutor.java:[line
199]
18:28:52 This use of
javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query;
can be vulnerable to SQL/JPQL injection: At BulkJPAExecutor.java:[line 206]
18:28:52 At BulkJPAExecutor.java:[line 111]: At BulkJPAExecutor.java:[line
127] {code}
> upgrade jackson - ideally to v2.13.1
> ------------------------------------
>
> Key: OOZIE-3650
> URL: https://issues.apache.org/jira/browse/OOZIE-3650
> Project: Oozie
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
> Labels: patch-available
> Attachments: OOZIE-3650-003.patch, OOZIE-3650-004.patch
>
>
> Oozie currently has a dependency on an old version of Jackson (2.6.5) -
> [https://github.com/apache/oozie/blob/master/pom.xml#L119]
> There are a number of CVEs open affecting this version.
> https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.6.5
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
