Viraj Jasani created HBASE-22863:
------------------------------------
Summary: Avoid Jackson versions and dependencies with known CVEs
Key: HBASE-22863
URL: https://issues.apache.org/jira/browse/HBASE-22863
Project: HBase
Issue Type: Bug
Components: dependencies
Affects Versions: 3.0.0, 2.3.0
Reporter: Viraj Jasani
Assignee: Viraj Jasani
Even though master and branch-2 moved away from Jackson 1 some time back,
HBase is still pulling in the vulnerable jackson-mapper-asl:1.9.13 dependency
from Hadoop:
{code:java}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
{code}
{code:java}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
[INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
[INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
[INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
[INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
[INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
{code}
{code:java}
[INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
[INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
[INFO]       +- com.sun.jersey:jersey-json:jar:1.9:test
[INFO]       |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
[INFO]       |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
[INFO]       +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
{code}
jackson-mapper-asl is not used in HBase code anymore, and hence we should
include it at test scope if required but definitely exclude it from the
corresponding Hadoop dependencies.
Moreover, the fasterxml.jackson mapper is used only in hbase-rest tests, but we
pull it in with 'compile' scope. Maybe we can include it at 'test' scope only
and clean up the Jackson dependencies.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
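The fix the issue asks for, as an added illustration rather than HBase's own pom.xml: the Hadoop artifacts that the dependency trees above show carrying org.codehaus.jackson get an exclusion for that whole group, any Jackson 1 or Jackson 2 artifact a test still needs is declared directly at test scope, and a maven-enforcer-plugin bannedDependencies rule turns the exclusion into a build failure so the group cannot creep back in through some other Hadoop artifact. The artifact coordinates and versions are the ones visible in the trees above; the module this lives in, the jackson-databind artifact standing in for "the fasterxml.jackson mapper", and the use of dependencyManagement for the omitted versions are assumptions.

```xml
<!-- Added example, not HBase's actual pom.xml. Coordinates come from the
     dependency trees in the issue; the module and jackson-databind are assumed. -->
<dependencies>
  <!-- Hadoop 2.8.5 still declares Jackson 1 (org.codehaus.jackson).
       Exclude the whole group at the point where each Hadoop artifact enters
       the graph; the wildcard artifactId needs Maven 3.2.1 or newer. -->
  <dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-mapreduce-client-core</artifactId>
    <exclusions>
      <exclusion>
        <groupId>org.codehaus.jackson</groupId>
        <artifactId>*</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>org.apache.hadoop</groupId>
    <artifactId>hadoop-mapreduce-client-jobclient</artifactId>
    <type>test-jar</type>
    <scope>test</scope>
    <exclusions>
      <exclusion>
        <groupId>org.codehaus.jackson</groupId>
        <artifactId>*</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- If a test really needs jackson-mapper-asl, declare it here, directly
       and at test scope, so it never reaches the compile classpath or a
       shaded jar. Drop this block entirely if no test needs it. -->
  <dependency>
    <groupId>org.codehaus.jackson</groupId>
    <artifactId>jackson-mapper-asl</artifactId>
    <version>1.9.13</version>
    <scope>test</scope>
  </dependency>

  <!-- Jackson 2 mapper used only by this module's tests (assumed artifact):
       test scope instead of the compile scope the issue complains about. -->
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <scope>test</scope>
  </dependency>
</dependencies>

<build>
  <plugins>
    <!-- Make the policy enforceable: any org.codehaus.jackson artifact in a
         scope other than test fails the build, however it got into the graph.
         bannedDependencies searches transitive dependencies by default. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-jackson1-outside-test-scope</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <exclude>org.codehaus.jackson</exclude>
                </excludes>
                <includes>
                  <!-- pattern is groupId:artifactId:version:type:scope -->
                  <include>org.codehaus.jackson:*:*:*:test</include>
                </includes>
                <message>
                  Jackson 1 (org.codehaus.jackson) is allowed at test scope only;
                  exclude it from the Hadoop dependency that pulls it in.
                </message>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

To check the result, run `mvn dependency:tree -Dincludes=org.codehaus.jackson` on the module: it should print nothing below the module's own line except test-scoped entries. Note the second tree above, where hadoop-common's test-jar sits at compile scope inside hbase-shaded-testing-util; without an exclusion on that dependency the shaded jar itself would carry the Jackson 1 classes, so that module needs the same exclusion block even though it only exists for tests.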