[ https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16907926#comment-16907926 ]
Viraj Jasani edited comment on HBASE-22728 at 8/15/19 10:49 AM:
----------------------------------------------------------------
Just a small summary so far:
* Replaced all vulnerable mapper dependencies (jackson-mapper-asl) with the
Jackson2 mapper (jackson-databind) in all modules.
* Included Jackson2 at compile scope in hbase-rest.
* hbase-shell requires a dependency on jackson-core-asl. To tackle this, we
might need to upgrade JRuby eventually. For now, it's fine to include
jackson-core-asl (not vulnerable).
* Since HBase branch-1 no longer needs jackson-mapper-asl (as per #1), we can
live without it, but once we generate the tar and extract it, we get these
warnings since Hadoop requires this dependency:
{code:java}
2019-08-13 16:32:34,147 WARN [main] fs.FileSystem: Cannot load filesystem:
java.util.ServiceConfigurationError: org.apache.hadoop.fs.FileSystem: Provider
org.apache.hadoop.hdfs.web.WebHdfsFileSystem could not be instantiated
2019-08-13 16:32:34,147 WARN [main] fs.FileSystem:
java.lang.NoClassDefFoundError: org/codehaus/jackson/map/ObjectMapper
{code}
* Without including the jackson-mapper-asl / Jackson2 dependencies at 'compile'
scope in hbase-common, we are not getting the corresponding jars in the lib
folder of the extracted tarball. Need to resolve this issue since we should not
include jackson-mapper-asl with 'compile' scope in
hbase-common/hbase-client/dependent hbase-* of client.
was (Author: vjasani):
Just a small summary so far:
# Replaced all vulnerable mapper dependencies (jackson-mapper-asl) with the
Jackson2 mapper (jackson-databind) in all modules.
# Included Jackson2 at compile scope in hbase-rest.
# hbase-shell requires a dependency on jackson-core-asl. To tackle this, we
might need to upgrade JRuby eventually. For now, it's fine to include
jackson-core-asl (not vulnerable).
# Since HBase code no longer needs jackson-mapper-asl (#1), we can live
without it, but once we generate the tar and extract it, we get these warnings
since Hadoop requires this dependency:
{code:java}
2019-08-13 16:32:34,147 WARN [main] fs.FileSystem: Cannot load filesystem:
java.util.ServiceConfigurationError: org.apache.hadoop.fs.FileSystem: Provider
org.apache.hadoop.hdfs.web.WebHdfsFileSystem could not be instantiated
2019-08-13 16:32:34,147 WARN [main] fs.FileSystem:
java.lang.NoClassDefFoundError: org/codehaus/jackson/map/ObjectMapper
{code}
# Without including the jackson-mapper-asl / Jackson2 dependencies at 'compile'
scope in hbase-common, we are not getting the corresponding jars in the lib
folder of the extracted tarball. Need to resolve this issue since we should not
include jackson-mapper-asl with 'compile' scope in
hbase-common/hbase-client/dependent hbase-* of client.
> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
> Key: HBASE-22728
> URL: https://issues.apache.org/jira/browse/HBASE-22728
> Project: HBase
> Issue Type: Sub-task
> Affects Versions: 1.4.10, 1.3.5
> Reporter: Andrew Purtell
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 1.5.0, 1.3.6, 1.4.11
>
> Attachments: HBASE-22728-addendum.patch, HBASE-22728-addendum.patch,
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch,
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch,
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch,
> HBASE-22728.branch-1.12.patch, HBASE-22728.branch-1.14.patch,
> HBASE-22728.branch-1.15.patch, HBASE-22728.branch-1.16.patch,
> HBASE-22728.branch-1.18.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs
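Added example, not part of the original comment or of the HBase project's code: a check that can be run over the lib folder of an extracted tarball to list any jackson-mapper-asl jar and any jar that provides the `org/codehaus/jackson/map/ObjectMapper` class named in the warning above. The function names, the sample jar names and their version numbers are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Names taken from the comment: the flagged artifact and the class in the warning.
FLAGGED_ARTIFACT = "jackson-mapper-asl"
REQUIRED_CLASS = "org/codehaus/jackson/map/ObjectMapper.class"
# Splits "artifact-version.jar"; the version is assumed to start with a digit.
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def audit_lib(lib_dir):
    """Return (flagged jar names, names of jars that contain REQUIRED_CLASS)."""
    flagged, providers = [], []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        match = JAR_NAME.match(jar.name)
        if match and match.group("artifact") == FLAGGED_ARTIFACT:
            flagged.append(jar.name)
        try:
            with zipfile.ZipFile(jar) as zf:
                if REQUIRED_CLASS in zf.namelist():
                    providers.append(jar.name)
        except zipfile.BadZipFile:
            continue  # a corrupt jar cannot provide the class
    return flagged, providers


def build_sample_lib(root, with_mapper):
    """Constructed sample: jars with empty class entries, standing in for lib/."""
    lib = Path(root) / "lib"
    lib.mkdir()
    jars = {
        "jackson-core-asl-0.0.1.jar": ["org/codehaus/jackson/JsonParser.class"],
        "jackson-databind-0.0.2.jar": ["com/fasterxml/jackson/databind/ObjectMapper.class"],
    }
    if with_mapper:
        jars["jackson-mapper-asl-0.0.1.jar"] = [REQUIRED_CLASS]
    for name, entries in jars.items():
        with zipfile.ZipFile(lib / name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
    return lib


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        flagged, providers = audit_lib(build_sample_lib(tmp, with_mapper=False))
        print("flagged jars:", flagged)
        print("jars providing the codehaus ObjectMapper:", providers)
```

An empty second list means nothing in the folder can satisfy the class load that produced the `NoClassDefFoundError`; a non-empty first list means the flagged artifact is still being shipped.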