[ https://issues.apache.org/jira/browse/HBASE-22863?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Viraj Jasani updated HBASE-22863:
---------------------------------
Description:
Partial forward-port of the branch-1 Jira HBASE-22728.
Even though master and branch-2 have moved away from Jackson1 some time back,
HBase is still pulling in some vulnerable jackson dependencies (e.g.
jackson-mapper-asl:1.9.13) from Hadoop:
{code:java}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
{code}
{code:java}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
[INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
[INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
[INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
[INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
[INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
{code}
{code:java}
[INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
[INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
[INFO]       +- com.sun.jersey:jersey-json:jar:1.9:test
[INFO]       |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
[INFO]       |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
[INFO]       +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
{code}
Jackson1 is no longer used in HBase code, hence we should include it only at
test scope if required by Hadoop, but definitely exclude it from the
corresponding Hadoop dependencies.
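An added check (example code, not part of this issue or its attached patch) that parses `mvn dependency:tree` output and reports which direct dependencies carry Jackson 1 artifacts beyond test scope, which is where the exclusions described above belong. The sample tree is constructed from the first tree above with the indentation the e-mail lost restored, and `find_jackson1`/`exclusion_targets` are names chosen here.

```python
import re

JACKSON1_GROUP = "org.codehaus.jackson"  # Jackson 1 group id; Jackson 2 uses com.fasterxml.jackson.*
SCOPES = {"compile", "provided", "runtime", "test", "system"}
# One dependency:tree line: "[INFO] ", a prefix of 3-char cells ("|  ", "   ", "+- ", "\- "),
# then groupId:artifactId:type[:classifier]:version[:scope]; the root line has no scope.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|\s]  )*(?:[+\\]- )?)(?P<coord>\S+)$")

# Constructed sample modelled on the first tree in the issue, with the indentation the
# e-mail rendering lost; it is not output captured from a real HBase build.
SAMPLE_TREE = r"""
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
"""

def scope_of(coord):
    return next((s for s in SCOPES if coord.endswith(":" + s)), None)

def find_jackson1(tree_text):
    # Yields (jackson_coord, direct_dependency_coord, effective_scope). Effective scope follows
    # Maven's transitive-scope rule: a dependency reached only via a test-scoped one is test-scoped.
    stack = []  # (depth, coord) from the root down to the current node
    for m in filter(None, map(LINE_RE.match, tree_text.splitlines())):
        depth, coord = len(m.group("prefix")) // 3, m.group("coord")
        while stack and stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, coord))
        if depth == 0 or coord.split(":")[0] != JACKSON1_GROUP:
            continue
        path_scopes = {scope_of(c) for _, c in stack[1:]}
        yield coord, stack[1][1], "test" if "test" in path_scopes else scope_of(coord)

def exclusion_targets(tree_text):
    # Direct dependencies that leak Jackson 1 beyond test scope, mapped to the artifacts they
    # bring in: these are the dependencies whose declaration needs <exclusions>.
    targets = {}
    for coord, direct, effective in find_jackson1(tree_text):
        if effective != "test":
            targets.setdefault(direct, []).append(coord)
    return targets
```

Run it over the real tree (`mvn dependency:tree -pl <module>` piped to a file) to get the per-module list of Hadoop artifacts that need exclusions; the jobclient path above is reported as test-only and left alone.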
was:
Partial forward-port of the branch-1 Jira HBASE-22728.
Even though master and branch-2 have moved away from Jackson1 some time back,
HBase is still pulling in some vulnerable jackson dependencies (e.g.
jackson-mapper-asl:1.9.13) from Hadoop:
{code:java}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
{code}
{code:java}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
[INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
[INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
[INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
[INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
[INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
{code}
{code:java}
[INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
[INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
[INFO]       +- com.sun.jersey:jersey-json:jar:1.9:test
[INFO]       |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
[INFO]       |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
[INFO]       +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
{code}
jackson-mapper-asl is no longer used in HBase code, hence we should include it
at test scope if required, but definitely exclude it from the corresponding
Hadoop dependencies.
> Avoid Jackson versions and dependencies with known CVEs
> -------------------------------------------------------
>
> Key: HBASE-22863
> URL: https://issues.apache.org/jira/browse/HBASE-22863
> Project: HBase
> Issue Type: Bug
> Components: dependencies
> Affects Versions: 3.0.0, 2.3.0
> Reporter: Viraj Jasani
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 3.0.0, 2.3.0
>
> Attachments: HBASE-22863.master.000.patch
>
>
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)