[ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Busbey reopened HBASE-20582:
---------------------------------

[~elserj] this change broke us in nightly, specifically the check that we can go through the release process:

{code}
[INFO] --- maven-enforcer-plugin:3.0.0-M1:enforce (hadoop-profile-min-maven-min-java-banned-xerces) @ hbase-shell ---
[INFO] Restricted to JDK 1.8 yet org.jruby:jruby-complete:jar:9.1.17.0:compile contains module-info.class targeted to JDK 1.9
[WARNING] Rule 4: org.apache.maven.plugins.enforcer.EnforceBytecodeVersion failed with message:
HBase has unsupported dependencies.
  HBase requires that all dependencies be compiled with version 1.8 or earlier
  of the JDK to properly build from source. You appear to be using a newer dependency. You can use
  either "mvn -version" or "mvn enforcer:display-info" to verify what version is active.
  Non-release builds can temporarily build with a newer JDK version by setting the
  'compileSource' property (eg. mvn -DcompileSource=1.8 clean package).
Found Banned Dependency: org.jruby:jruby-complete:jar:9.1.17.0
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
{code}

Here's the full build log:

https://builds.apache.org/job/HBase%20Nightly/job/master/341/artifact/output-srctarball/srctarball_install.log/*view*/

Same thing shows up in branch-2.

> Bump up JRuby version because of some reported vulnerabilities
> --------------------------------------------------------------
>
>                 Key: HBASE-20582
>                 URL: https://issues.apache.org/jira/browse/HBASE-20582
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ankit Singhal
>            Assignee: Josh Elser
>            Priority: Major
>             Fix For: 3.0.0, 2.1.0
>
>         Attachments: HBASE-20582.002.patch, HBASE-20582.patch
>
>
> There are some vulnerabilities reported with two of the libraries used in
> HBase.
> {code:java}
> Jruby(version:9.1.10.0):
> CVE-2009-5147
> CVE-2013-4363
> CVE-2014-4975
> CVE-2014-8080
> CVE-2014-8090
> CVE-2015-3900
> CVE-2015-7551
> CVE-2015-9096
> CVE-2017-0899
> CVE-2017-0900
> CVE-2017-0901
> CVE-2017-0902
> CVE-2017-0903
> CVE-2017-10784
> CVE-2017-14064
> CVE-2017-9224
> CVE-2017-9225
> CVE-2017-9226
> CVE-2017-9227
> CVE-2017-9228
> {code}
> The tool is somehow able to relate the vulnerability of Ruby with JRuby (Java
> implementation). (Jackson will be handled in a different issue.)
> Not all of them directly affect HBase, but [~elserj] suggested that it is
> better to be on the updated version to avoid issues during an audit in
> a security-sensitive organization.
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
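The enforcer failure quoted in the reopen comment comes from a class-file version check: each .class entry in a dependency jar carries a major version in its header (52 for JDK 1.8, 53 for JDK 9). The script below is an added example, not part of the original message or of HBase's build, and reproduces that check for a jar. The function names, the `ignore` parameter and the in-memory sample jar are constructed for illustration and are not options of the enforcer plugin.

```python
import io
import struct
import zipfile

JDK8_MAJOR = 52  # class-file major version emitted by JDK 1.8; JDK 9 emits 53


def class_major_version(data):
    """Return the class-file major version, or None if data is not a class file."""
    if len(data) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    return major if magic == 0xCAFEBABE else None


def too_new_classes(jar_bytes, max_major=JDK8_MAJOR, ignore=()):
    """List (entry name, major version) for classes newer than max_major."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename
            if not name.endswith(".class"):
                continue
            # 'ignore' holds bare file names to skip (hypothetical parameter).
            if name.rsplit("/", 1)[-1] in ignore:
                continue
            with jar.open(info) as fh:
                major = class_major_version(fh.read(8))
            if major is not None and major > max_major:
                findings.append((name, major))
    return sorted(findings)


def build_sample_jar():
    """Constructed sample: one JDK 8 class and a JDK 9 module descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/Main.class", struct.pack(">IHH", 0xCAFEBABE, 0, 52))
        jar.writestr("module-info.class", struct.pack(">IHH", 0xCAFEBABE, 0, 53))
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, major in too_new_classes(build_sample_jar()):
        print(f"{name}: major version {major} exceeds {JDK8_MAJOR}")
```

Running it against a real jar (read the file as bytes and pass it to `too_new_classes`) shows whether a single descriptor such as module-info.class or the library's regular classes are what trips the version limit.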