[
https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16906568#comment-16906568
]
Andrew Purtell edited comment on HBASE-22728 at 8/13/19 7:53 PM:
-----------------------------------------------------------------
Let's step back and consider the basic motivation:
We want to avoid putting vulnerable jackson dependencies on the classpath of
unsuspecting user applications via transitive dependencies.
An exception to this would be the shaded client, which of course must shade in
those dependencies, but for this we can document a warning.
So then we should try 'provided' or 'test' scope in client and then 'compile'
scope anywhere else as needed, including or especially assembly, and that would
meet the objective.
We can say we have tried to do more, but it hasn't worked out.
The hbase-rest changes are needed separately because we do use the object
mapper there.
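The scoping rule in the comment above, as an added illustration that is not the HBASE-22728 patch and not HBase's own pom files. The module names hbase-client, hbase-assembly and hbase-rest are the real modules the comment refers to; the property name jackson.version, the dependencyManagement layout and the exact artifacts chosen are assumptions for the example. The security point is Maven's transitivity rule: a dependency declared at compile scope in hbase-client is pulled onto the classpath of every project that depends on hbase-client, whereas provided and test scope dependencies are never propagated to consumers.

```xml
<!-- Added example, not the project's own pom.xml. -->

<!-- 1. Parent pom: pin a single Jackson version for every module so that the
        upgrade is applied consistently (property value assumed). -->
<properties>
  <!-- assumed placeholder; set to a Jackson release without known CVEs -->
  <jackson.version>2.x.y</jackson.version>
</properties>
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- 2. hbase-client: the weak declaration. No scope means compile scope, so
        jackson-databind becomes a transitive dependency of every application
        that depends on hbase-client, whether or not it is actually needed. -->
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
</dependency>

<!-- 2'. hbase-client: the corrected declaration. provided scope keeps the jar
         available for compiling and running the module's own tests, but Maven
         does not propagate provided (or test) scope to downstream projects. -->
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <scope>provided</scope>
</dependency>

<!-- 3. hbase-assembly: compile scope is required here so the jar is actually
        packaged into the server tarball; nobody depends on the assembly
        module transitively, so nothing leaks to user applications. -->
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <scope>compile</scope>
</dependency>

<!-- 4. hbase-rest: this module uses ObjectMapper directly, so it keeps a
        compile scope dependency of its own rather than relying on one
        inherited through hbase-client. -->
<dependency>
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <scope>compile</scope>
</dependency>
```

To confirm the objective is met, build a throwaway project that depends only on hbase-client and run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`; with the corrected scoping no jackson-databind node should appear under hbase-client. The shaded client is the documented exception: the shade plugin copies the Jackson classes into the shaded jar, so consumers of that artifact get them regardless of scope, which is why the comment proposes a documented warning rather than a scope change for it.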
> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
> Key: HBASE-22728
> URL: https://issues.apache.org/jira/browse/HBASE-22728
> Project: HBase
> Issue Type: Sub-task
> Affects Versions: 1.4.10, 1.3.5
> Reporter: Andrew Purtell
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 1.5.0, 1.3.6, 1.4.11
>
> Attachments: HBASE-22728-addendum.patch, HBASE-22728-addendum.patch,
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch,
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch,
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch,
> HBASE-22728.branch-1.12.patch, HBASE-22728.branch-1.14.patch,
> HBASE-22728.branch-1.15.patch, HBASE-22728.branch-1.16.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs