[ https://issues.apache.org/jira/browse/HBASE-22863?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Viraj Jasani updated HBASE-22863:
---------------------------------
    Description: 
Partly forwardport from branch-1 Jira: HBASE-22728

Even though master and branch-2 moved away from Jackson 1 some time back, HBase is still pulling in the vulnerable jackson-mapper-asl:1.9.13 dependency transitively from Hadoop:

{code:java}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
{code}
{code:java}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
[INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
[INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
[INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
[INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
[INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
{code}
{code:java}
[INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
[INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
[INFO]       +- com.sun.jersey:jersey-json:jar:1.9:test
[INFO]       |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
[INFO]       |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
[INFO]       +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
{code}
jackson-mapper-asl is no longer used in HBase code, so we should include it at test scope if required but definitely exclude it from the corresponding Hadoop dependencies.

Moreover, the fasterxml.jackson mapper is used only in hbase-rest tests, yet we pull it in with 'compile' scope. Maybe we can include it at 'test' scope only and clean up the Jackson dependencies.
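As an added illustration (not part of this issue or of HBase), the script below parses {{mvn dependency:tree}} output like the dumps above, flags every org.codehaus.jackson (Jackson 1.x) artifact, and reports the module's direct dependency on the path to it, which is the {{<dependency>}} where a Maven {{<exclusion>}} takes effect; the function names are mine, and the sample tree is the hbase-mapreduce dump from this issue embedded as constructed input.

```python
import re

# Constructed sample: the hbase-mapreduce tree quoted in HBASE-22863.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \\- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \\- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \\- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \\- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \\- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \\- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \\- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
"""
FLAGGED_GROUPS = {"org.codehaus.jackson"}  # Jackson 1.x, the line this issue wants dropped
# Tree prefix is 3-char cells ("|  " or "   ") followed by a "+- " or "\- " marker.
NODE = re.compile(r"^\[INFO\] ((?:\|  |   )*)(\+- |\\- )?(\S+)$")

def parse_tree(text):
    # Yield (depth, coordinate); depth 0 is the module itself. Banner lines do not match.
    for line in text.splitlines():
        m = NODE.match(line)
        if m:
            yield len(m.group(1)) // 3 + (1 if m.group(2) else 0), m.group(3)

def coordinate(coord):
    # group:artifact:type[:classifier]:version[:scope]; the root line carries no scope.
    p = coord.split(":")
    scope = p[-1] if len(p) > 4 else None
    return {"group": p[0], "artifact": p[1], "version": p[-2] if scope else p[-1], "scope": scope}

def find_flagged(text, groups=FLAGGED_GROUPS):
    # For each flagged node report the module's direct dependency on its path ("via"):
    # that is the <dependency> element where a Maven <exclusion> takes effect.
    path, hits = [], []
    for depth, coord in parse_tree(text):
        del path[depth:]          # pop back to the parent at depth - 1
        path.append(coord)
        c = coordinate(coord)
        if depth >= 1 and c["group"] in groups:
            hits.append({"via": path[1], "artifact": coord, "scope": c["scope"]})
    return hits

def compile_scope_leaks(text):
    # Flagged artifacts whose printed scope is compile, i.e. they ship with the module.
    return [h["artifact"] for h in find_flagged(text) if h["scope"] == "compile"]
```

Run against a real dump with {{find_flagged(open("tree.txt").read())}}; each hit's {{via}} is the dependency to add the exclusion to, and each {{scope}} shows whether the artifact leaks beyond test scope.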


> Avoid Jackson versions and dependencies with known CVEs
> -------------------------------------------------------
>
>                 Key: HBASE-22863
>                 URL: https://issues.apache.org/jira/browse/HBASE-22863
>             Project: HBase
>          Issue Type: Bug
>          Components: dependencies
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: Viraj Jasani
>            Assignee: Viraj Jasani
>            Priority: Major
>



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
