[ https://issues.apache.org/jira/browse/PHOENIX-7482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Kyle Purtell updated PHOENIX-7482:
-----------------------------------------
    Description: 
org.iq80.snappy is subject to CVE-2024-36124 just like Xerial Snappy. This was flagged by a dependency scanner. This was an occasion to revisit Snappy algorithm providers. Xerial Snappy is much more widely used, is a transitive Phoenix dependency already, provides the same functionality, virtually the same API, and is a dependency of Hadoop and HBase and others. Why also depend on and use, only in two places, iq80 snappy?

  (was: org.iq80.snappy is subject to CVE-2024-36124 just like Xerial Snappy. This was flagged by a dependency scanner. This was an occasion to revisit Snappy algorithm providers. Xerial Snappy is much more widely used, is a Phoenix dependency already, provides the same functionality, virtually the same API, and is a dependency of Hadoop and HBase and others. Why also depend on and use, only in two places, iq80 snappy?
)

> Replace uses of org.iq80.snappy:snappy with org.xerial.snappy:snappy-java
> -------------------------------------------------------------------------
>
>                 Key: PHOENIX-7482
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-7482
>             Project: Phoenix
>          Issue Type: Improvement
>          Components: core
>            Reporter: Andrew Kyle Purtell
>            Assignee: Andrew Kyle Purtell
>            Priority: Minor
>
> org.iq80.snappy is subject to CVE-2024-36124 just like Xerial Snappy. This
> was flagged by a dependency scanner. This was an occasion to revisit Snappy
> algorithm providers. Xerial Snappy is much more widely used, is a transitive
> Phoenix dependency already, provides the same functionality, virtually the
> same API, and is a dependency of Hadoop and HBase and others. Why also
> depend on and use, only in two places, iq80 snappy?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)