[jira] [Commented] (HBASE-22863) Avoid Jackson versions and dependencies with known CVEs

HBase QA (JIRA) Fri, 16 Aug 2019 09:52:18 -0700


    [ 
https://issues.apache.org/jira/browse/HBASE-22863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16909211#comment-16909211
 ]


HBase QA commented on HBASE-22863:
----------------------------------

| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue}  0m 
38s{color} | {color:blue} Docker mode activated. {color} |
|| || || || {color:brown} Prechecks {color} ||
| {color:green}+1{color} | {color:green} @author {color} | {color:green}  0m  
0s{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:orange}-0{color} | {color:orange} test4tests {color} | {color:orange}  
0m  0s{color} | {color:orange} The patch doesn't appear to include any new or 
modified tests. Please justify why no new tests are needed for this patch. Also 
please list what manual steps were performed to verify this patch. {color} |
|| || || || {color:brown} master Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue}  0m 
26s{color} | {color:blue} Maven dependency ordering for branch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green}  5m 
33s{color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green}  6m 
42s{color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} shadedjars {color} | {color:green}  4m 
47s{color} | {color:green} branch has no errors when building our shaded 
downstream artifacts. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green}  4m 
24s{color} | {color:green} master passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue}  0m 
14s{color} | {color:blue} Maven dependency ordering for patch {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green}  5m 
24s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green}  6m 
38s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green}  6m 
38s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} whitespace {color} | {color:green}  0m 
 0s{color} | {color:green} The patch has no whitespace issues. {color} |
| {color:green}+1{color} | {color:green} xml {color} | {color:green}  0m 
22s{color} | {color:green} The patch has no ill-formed XML file. {color} |
| {color:green}+1{color} | {color:green} shadedjars {color} | {color:green}  4m 
42s{color} | {color:green} patch has no errors when building our shaded 
downstream artifacts. {color} |
| {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 
16m 40s{color} | {color:green} Patch does not cause any errors with Hadoop 
2.8.5 2.9.2 or 3.1.2. {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green}  4m 
22s{color} | {color:green} the patch passed {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  2m 
57s{color} | {color:green} hbase-common in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  0m 
32s{color} | {color:green} hbase-hadoop2-compat in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  0m 
47s{color} | {color:green} hbase-zookeeper in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  1m  
2s{color} | {color:green} hbase-http in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  3m 
32s{color} | {color:green} hbase-procedure in the patch passed. {color} |
| {color:red}-1{color} | {color:red} unit {color} | {color:red}141m  2s{color} 
| {color:red} hbase-server in the patch failed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 18m  
5s{color} | {color:green} hbase-mapreduce in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  0m 
48s{color} | {color:green} hbase-testing-util in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  2m 
54s{color} | {color:green} hbase-thrift in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  7m  
8s{color} | {color:green} hbase-shell in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  3m  
9s{color} | {color:green} hbase-endpoint in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 13m 
44s{color} | {color:green} hbase-backup in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  1m  
0s{color} | {color:green} hbase-it in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  4m 
16s{color} | {color:green} hbase-rest in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  2m  
1s{color} | {color:green} hbase-examples in the patch passed. {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  0m 
30s{color} | {color:green} hbase-external-blockcache in the patch passed. 
{color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green}  0m 
35s{color} | {color:green} hbase-shaded-testing-util in the patch passed. 
{color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green}  5m 
58s{color} | {color:green} The patch does not generate ASF License warnings. 
{color} |
| {color:black}{color} | {color:black} {color} | {color:black}278m 21s{color} | 
{color:black} {color} |
\\
\\
|| Reason || Tests ||
| Failed junit tests | 
hadoop.hbase.master.assignment.TestOpenRegionProcedureHang |
\\
\\
|| Subsystem || Report/Notes ||
| Docker | Client=19.03.1 Server=19.03.1 base: 
https://builds.apache.org/job/PreCommit-HBASE-Build/787/artifact/patchprocess/Dockerfile
 |
| JIRA Issue | HBASE-22863 |
| JIRA Patch URL | 
https://issues.apache.org/jira/secure/attachment/12977785/HBASE-22863.master.000.patch
 |
| Optional Tests |  dupname  asflicense  javac  javadoc  unit  shadedjars  
hadoopcheck  xml  compile  |
| uname | Linux 746d6fd6044a 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 
17:16:02 UTC 2018 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/hbase-personality.sh |
| git revision | master / 3eb602c7f7 |
| maven | version: Apache Maven 3.5.4 
(1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z) |
| Default Java | 1.8.0_181 |
| unit | 
https://builds.apache.org/job/PreCommit-HBASE-Build/787/artifact/patchprocess/patch-unit-hbase-server.txt
 |
|  Test Results | 
https://builds.apache.org/job/PreCommit-HBASE-Build/787/testReport/ |
| Max. process+thread count | 5427 (vs. ulimit of 10000) |
| modules | C: hbase-common hbase-hadoop2-compat hbase-zookeeper hbase-http 
hbase-procedure hbase-server hbase-mapreduce hbase-testing-util hbase-thrift 
hbase-shell hbase-endpoint hbase-backup hbase-it hbase-rest hbase-examples 
hbase-external-blockcache hbase-shaded/hbase-shaded-testing-util U: . |
| Console output | 
https://builds.apache.org/job/PreCommit-HBASE-Build/787/console |
| Powered by | Apache Yetus 0.9.0 http://yetus.apache.org |


This message was automatically generated.



> Avoid Jackson versions and dependencies with known CVEs
> -------------------------------------------------------
>
>                 Key: HBASE-22863
>                 URL: https://issues.apache.org/jira/browse/HBASE-22863
>             Project: HBase
>          Issue Type: Bug
>          Components: dependencies
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: Viraj Jasani
>            Assignee: Viraj Jasani
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0
>
>         Attachments: HBASE-22863.master.000.patch
>
>
> Partly forwardport from branch-1 Jira: HBASE-22728
> Even though master and branch-2 have moved away from Jackson1 some time back, 
> HBase is still pulling in some vulnerable jackson dependencies (e.g. 
> jackson-mapper-asl:1.9.13) from Hadoop:
>  
> {code:java}
> [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce 
> ---
> [INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
> [INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
> [INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
> [INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO] +- 
> org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
> [INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
> [INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
> [INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
> [INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
> [INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
> [INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile{code}
> {code:java}
> [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ 
> hbase-shaded-testing-util ---
> [INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
> [INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
> [INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
> [INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
> [INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
> [INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile{code}
> {code:java}
> [INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
> [INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
> [INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
> [INFO]       +- com.sun.jersey:jersey-json:jar:1.9:test
> [INFO]       |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
> [INFO]       |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
> [INFO]       +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO]       \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
> {code}
> jackson-mapper-asl is not being used in HBase code anymore and hence, we 
> should include it at test scope if required but definitely exclude it from 
> corresponding Hadoop dependencies.
>  



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

[jira] [Commented] (HBASE-22863) Avoid Jackson versions and dependencies with known CVEs

Reply via email to