[ https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16907889#comment-16907889 ]

Viraj Jasani edited comment on HBASE-22728 at 8/15/19 8:03 AM:
---------------------------------------------------------------

Oh yes, I just saw one project having hbase-common dependency. Hence, hbase-common should have provided scope for Jackson1. The only issue is without including dependencies at compile scope in hbase-common, they are not getting included as jar with assembly:single tar. Let me see what we can do here, maybe some changes in hbase-assembly could help. Initially I tried including Jackson1 mapper as compile scope only in hbase-assembly (everywhere else had provided), but that didn't even include jar in lib of extracted tarball.

was (Author: vjasani):
Oh yes, I just saw one project having hbase-common dependency. Hence, hbase-common should have provided scope for Jackson1. The only issue is without including dependencies at compile scope in hbase-common, they are not getting included as jar with assembly:single tar. Let me see what we can do here, maybe some changes in hbase-assembly could help. Initially I tried including Jackson1 mapper as compile scope only in hbase-assembly, but that didn't even have jackson*jar included in lib of extracted tarball.

> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
> Key: HBASE-22728
> URL: https://issues.apache.org/jira/browse/HBASE-22728
> Project: HBase
> Issue Type: Sub-task
> Affects Versions: 1.4.10, 1.3.5
> Reporter: Andrew Purtell
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 1.5.0, 1.3.6, 1.4.11
>
> Attachments: HBASE-22728-addendum.patch, HBASE-22728-addendum.patch,
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch,
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch,
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch,
> HBASE-22728.branch-1.12.patch, HBASE-22728.branch-1.14.patch,
> HBASE-22728.branch-1.15.patch, HBASE-22728.branch-1.16.patch,
> HBASE-22728.branch-1.18.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)