[https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16906585#comment-16906585]
Viraj Jasani commented on HBASE-22728:
--------------------------------------
With the current patch, this is what the compile scope dependencies look like (every other module has test/provided):
{code:java}
[INFO] --- maven-dependency-plugin:3.0.1:tree (default-cli) @ hbase-common ---
[INFO] org.apache.hbase:hbase-common:jar:1.5.0-SNAPSHOT
[INFO] +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:provided
[INFO] | \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:provided
[INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.9:compile
[INFO] | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.9:compile
[INFO] | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.2:compile
[INFO]
{code}
{code:java}
[INFO]
[INFO] --- maven-dependency-plugin:3.0.1:tree (default-cli) @ hbase-rest ---
[INFO] org.apache.hbase:hbase-rest:jar:1.5.0-SNAPSHOT
[INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.9:compile
[INFO] | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.9:compile
[INFO] | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.2:compile
[INFO] \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:test
[INFO] \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:test
[INFO]
{code}
{code:java}
[INFO] --- maven-dependency-plugin:3.0.1:tree (default-cli) @ hbase-shell ---
[INFO] org.apache.hbase:hbase-shell:jar:1.5.0-SNAPSHOT
[INFO] +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
{code}
{code:java}
[INFO] --- maven-dependency-plugin:3.0.1:tree (default-cli) @ hbase-assembly ---
[INFO] org.apache.hbase:hbase-assembly:pom:1.5.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-rest:jar:1.5.0-SNAPSHOT:compile
[INFO] | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.9:compile
[INFO] | | +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.9:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.9:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.2:compile
[INFO] \- org.apache.hbase:hbase-shell:jar:1.5.0-SNAPSHOT:compile
[INFO] \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
{code}
hbase-shell needs jackson-core-asl:1.9.13 until we upgrade JRuby as per your
recent suggestion. However, this one is not vulnerable, whereas
jackson-mapper-asl:1.9.13 is.
Everywhere else in the code, Jackson 1 is replaced by Jackson 2 (I think it is
better we do it now). Tested HMaster start, REST start, and the shell with the
tar. Unit tests look good. Requesting your review on the 016 patch.
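The scope check the comment above does by eye (is the vulnerable jackson-mapper-asl confined to test/provided, or does it leak into compile scope and ship in the tarball?) can be automated over the raw `mvn dependency:tree` output. This is an added example, not HBase project code; the deny list, the allowed scopes and the "hbase-example" module in the sample are assumptions constructed for illustration.

```python
import re

# group:artifact coordinates this check refuses outside test/provided scope;
# jackson-mapper-asl 1.9.13 is the one the comment above calls vulnerable.
DENY_LIST = {"org.codehaus.jackson:jackson-mapper-asl"}
ALLOWED_SCOPES = {"test", "provided"}  # scopes that are not packaged in the tarball
MODULE_RE = re.compile(r"maven-dependency-plugin:[\d.]+:tree .* @ (\S+) ---")

def parse_tree(text):
    """Turn `mvn dependency:tree` console output into one dict per dependency."""
    module, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("[INFO]"):
            continue
        body = line[len("[INFO]"):].strip()
        m = MODULE_RE.search(body)
        if m:                                      # "--- ... @ <module> ---" header
            module = m.group(1)
            continue
        parts = body.lstrip("|+\\- ").split(":")   # drop the tree-drawing characters
        if module is None or len(parts) < 5:       # noise, or the module's own root line
            continue
        # coordinate layout: group:artifact:type[:classifier]:version:scope
        records.append({"module": module, "ga": f"{parts[0]}:{parts[1]}",
                        "version": parts[-2], "scope": parts[-1]})
    return records

def find_violations(text):
    """(module, ga, version, scope) for deny-listed artifacts that leak into a
    scope other than test/provided, i.e. that would be packaged and shipped."""
    return sorted((r["module"], r["ga"], r["version"], r["scope"])
                  for r in parse_tree(text)
                  if r["ga"] in DENY_LIST and r["scope"] not in ALLOWED_SCOPES)

# Constructed sample: excerpts of the trees quoted in the comment, plus a made-up
# "hbase-example" module (not real) that still has the old mapper at compile scope.
SAMPLE = r"""
[INFO] --- maven-dependency-plugin:3.0.1:tree (default-cli) @ hbase-common ---
[INFO] org.apache.hbase:hbase-common:jar:1.5.0-SNAPSHOT
[INFO] +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:provided
[INFO] |  \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:provided
[INFO] --- maven-dependency-plugin:3.0.1:tree (default-cli) @ hbase-shell ---
[INFO] org.apache.hbase:hbase-shell:jar:1.5.0-SNAPSHOT
[INFO] \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] --- maven-dependency-plugin:3.0.1:tree (default-cli) @ hbase-example ---
[INFO] org.apache.hbase:hbase-example:jar:1.5.0-SNAPSHOT
[INFO] \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
"""
```

Running `find_violations` over the real reactor output (`mvn dependency:tree | tee tree.txt`) in CI turns the manual review above into a failing build whenever a deny-listed artifact reappears at compile or runtime scope.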
> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
> Key: HBASE-22728
> URL: https://issues.apache.org/jira/browse/HBASE-22728
> Project: HBase
> Issue Type: Sub-task
> Affects Versions: 1.4.10, 1.3.5
> Reporter: Andrew Purtell
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 1.5.0, 1.3.6, 1.4.11
>
> Attachments: HBASE-22728-addendum.patch, HBASE-22728-addendum.patch,
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch,
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch,
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch,
> HBASE-22728.branch-1.12.patch, HBASE-22728.branch-1.14.patch,
> HBASE-22728.branch-1.15.patch, HBASE-22728.branch-1.16.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)