[ https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16907926#comment-16907926 ]
Viraj Jasani edited comment on HBASE-22728 at 8/15/19 10:49 AM:
----------------------------------------------------------------

Just a small summary so far:
 * Replaced all vulnerable mapper dependency (jackson-mapper-asl) with Jackson2 mapper (jackson-databind) in all modules.
 * Included Jackson2 at compile scope in hbase-rest.
 * hbase-shell requires dependency of jackson-core-asl. To tackle this, we might need to upgrade JRuby eventually. For now, it's fine to include jackson-core-asl (not vulnerable).
 * Since HBase branch-1 no longer needs jackson-mapper-asl (as per #1), we can live without it, but once we generate tar and extract it, we get these warnings since Hadoop requires this dependency:

{code:java}
2019-08-13 16:32:34,147 WARN [main] fs.FileSystem: Cannot load filesystem: java.util.ServiceConfigurationError: org.apache.hadoop.fs.FileSystem: Provider org.apache.hadoop.hdfs.web.WebHdfsFileSystem could not be instantiated
2019-08-13 16:32:34,147 WARN [main] fs.FileSystem: java.lang.NoClassDefFoundError: org/codehaus/jackson/map/ObjectMapper{code}
 * Without including jackson-mapper-asl / Jackson2 dependencies as 'compile' scope in hbase-common, we are not getting corresponding jars in lib folder of extracted tarball. Need to resolve this issue since we should not include jackson-mapper-asl with 'compile' scope in hbase-common/hbase-client/dependent hbase-* of client.

was (Author: vjasani):
Just a small summary so far:
 # Replaced all vulnerable mapper dependency (jackson-mapper-asl) with Jackson2 mapper (jackson-databind) in all modules.
 # Included Jackson2 at compile scope in hbase-rest.
 # hbase-shell requires dependency of jackson-core-asl. To tackle this, we might need to upgrade JRuby eventually. For now, it's fine to include jackson-core-asl (not vulnerable).
 # Since HBase code no longer needs jackson-mapper-asl (#1), we can live without it, but once we generate tar and extract it, we get these warnings since Hadoop requires this dependency:

{code:java}
2019-08-13 16:32:34,147 WARN [main] fs.FileSystem: Cannot load filesystem: java.util.ServiceConfigurationError: org.apache.hadoop.fs.FileSystem: Provider org.apache.hadoop.hdfs.web.WebHdfsFileSystem could not be instantiated
2019-08-13 16:32:34,147 WARN [main] fs.FileSystem: java.lang.NoClassDefFoundError: org/codehaus/jackson/map/ObjectMapper{code}
 # Without including jackson-mapper-asl / Jackson2 dependencies as 'compile' scope in hbase-common, we are not getting corresponding jars in lib folder of extracted tarball. Need to resolve this issue since we should not include jackson-mapper-asl with 'compile' scope in hbase-common/hbase-client/dependent hbase-* of client.

> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
>                 Key: HBASE-22728
>                 URL: https://issues.apache.org/jira/browse/HBASE-22728
>             Project: HBase
>          Issue Type: Sub-task
>   Affects Versions: 1.4.10, 1.3.5
>            Reporter: Andrew Purtell
>            Assignee: Viraj Jasani
>            Priority: Major
>             Fix For: 1.5.0, 1.3.6, 1.4.11
>
>         Attachments: HBASE-22728-addendum.patch, HBASE-22728-addendum.patch,
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch,
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch,
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch,
> HBASE-22728.branch-1.12.patch, HBASE-22728.branch-1.14.patch,
> HBASE-22728.branch-1.15.patch, HBASE-22728.branch-1.16.patch,
> HBASE-22728.branch-1.18.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
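
An added example, not part of the original comment or the HBase code base: one way to audit the lib folder of an extracted tarball for the Jackson 1 mapper class named in the NoClassDefFoundError above, by reading jar contents rather than trusting file names. The helper names `audit_lib` and `build_sample_lib` and all jar file names are hypothetical, and the sample jars are constructed stand-ins, not real artifacts.

```python
import os
import tempfile
import zipfile

# Class named in the NoClassDefFoundError quoted above; shipped by jackson-mapper-asl.
MAPPER_CLASS = "org/codehaus/jackson/map/ObjectMapper.class"
# Jackson2 mapper class shipped by jackson-databind, the replacement in the comment.
DATABIND_CLASS = "com/fasterxml/jackson/databind/ObjectMapper.class"


def audit_lib(lib_dir):
    """Classify every jar in lib_dir by the Jackson mapper classes it contains.

    Reading the jar index instead of matching file names also catches copies
    that were bundled or shaded into another artifact.
    """
    report = {"jackson1_mapper": [], "jackson2_databind": [], "unreadable": []}
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        try:
            with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
                entries = set(jar.namelist())
        except (zipfile.BadZipFile, OSError):
            report["unreadable"].append(name)  # cannot vouch for this jar
            continue
        if MAPPER_CLASS in entries:
            report["jackson1_mapper"].append(name)
        if DATABIND_CLASS in entries:
            report["jackson2_databind"].append(name)
    return report


def build_sample_lib(root):
    """Create a constructed lib folder of tiny stand-in jars (hypothetical names)."""
    samples = {
        "jackson-core-asl-X.jar": ["org/codehaus/jackson/JsonParser.class"],
        "jackson-databind-X.jar": [DATABIND_CLASS],
        "bundled-deps-X.jar": [MAPPER_CLASS, "example/Other.class"],
    }
    for jar_name, classes in samples.items():
        with zipfile.ZipFile(os.path.join(root, jar_name), "w") as jar:
            for entry in classes:
                jar.writestr(entry, b"")
    with open(os.path.join(root, "truncated-X.jar"), "wb") as fh:
        fh.write(b"not a zip")  # simulates a corrupt download
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_lib(build_sample_lib(tmp)))
```

An empty `jackson1_mapper` list means nothing in the folder provides the old mapper class; jackson-core-asl alone does not trigger it because it carries no `org/codehaus/jackson/map` classes.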