[ https://issues.apache.org/jira/browse/HBASE-22863?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Viraj Jasani updated HBASE-22863:
---------------------------------
    Release Note: 
1. Stopped exposing vulnerable Jackson1 dependencies so that downstreamers would not pull it in from HBase.
2. However, since Hadoop requires some Jackson1 dependencies, put vulnerable Jackson mapper at test scope in some HBase modules and hence, HBase tarball created by hbase-assembly contains Jackson1 mapper jar in lib. Still, downstream applications can't pull in Jackson1 from HBase.

> Avoid Jackson versions and dependencies with known CVEs
> -------------------------------------------------------
>
>                 Key: HBASE-22863
>                 URL: https://issues.apache.org/jira/browse/HBASE-22863
>             Project: HBase
>          Issue Type: Bug
>          Components: dependencies
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: Viraj Jasani
>            Assignee: Viraj Jasani
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0, 2.2.1, 2.1.6
>
>         Attachments: HBASE-22863.branch-2.000.patch, 
> HBASE-22863.master.000.patch, HBASE-22863.master.001.patch
>
>
> Partly forwardport from branch-1 Jira: HBASE-22728
> Even though master and branch-2 have moved away from Jackson1 some time back, 
> HBase is still pulling in some vulnerable jackson dependencies (e.g. 
> jackson-mapper-asl:1.9.13) from Hadoop:
>  
> {code:java}
> [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
> [INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
> [INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
> [INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
> [INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
> [INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
> [INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
> [INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
> [INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
> [INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
> [INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
> {code}
> {code:java}
> [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
> [INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
> [INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
> [INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
> [INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
> [INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
> [INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
> {code}
> {code:java}
> [INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
> [INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
> [INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
> [INFO]       +- com.sun.jersey:jersey-json:jar:1.9:test
> [INFO]       |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
> [INFO]       |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
> [INFO]       +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO]       \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
> {code}
> Jackson1 is not being used in HBase code anymore and hence we should include it only at test scope if required by Hadoop, but definitely exclude it from corresponding Hadoop dependencies.
>  
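To check that a module really stops leaking Jackson1 beyond test scope, the `mvn dependency:tree` output quoted above can be scanned mechanically. The following script is an added example (not part of the issue or of HBase's build), it parses a constructed tree fragment shaped like the hbase-mapreduce listing, flags every org.codehaus.jackson artifact whose reported scope is not test, and names the direct dependency through which each one arrives, which is where an `<exclusion>` would be declared.

```python
import re
import sys

# Constructed sample shaped like the `mvn dependency:tree` output quoted in the
# issue for hbase-mapreduce (not the complete real tree).
SAMPLE_TREE = r"""
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
"""

# The tree prefix is 3 characters per nesting level ("+- ", "\- ", "|  ", "   ").
LINE_RE = re.compile(r"^\[INFO\] ([|\\+\- ]*)(\S+:\S+:\S+)$")
JACKSON1_GROUP = "org.codehaus.jackson"


def parse_tree(text):
    """Return (depth, groupId, artifactId, version, scope) per dependency line."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banners and blank lines are not dependencies
        prefix, coord = m.groups()
        parts = coord.split(":")  # groupId:artifactId:type[:classifier]:version[:scope]
        scope = parts[-1] if len(parts) >= 5 else None  # the root module has no scope
        version = parts[-2] if scope else parts[-1]
        nodes.append((len(prefix) // 3, parts[0], parts[1], version, scope))
    return nodes


def find_jackson1(text, flagged_scopes=("compile", "runtime", "provided")):
    """Jackson1 artifacts that leak beyond test scope, with the direct dependency
    ("via") through which each arrives, i.e. where an <exclusion> belongs."""
    findings, path = [], []
    for depth, group, artifact, version, scope in parse_tree(text):
        del path[depth:]  # unwind the branch stack to this node's parent
        path.append(f"{group}:{artifact}")
        if group == JACKSON1_GROUP and scope in flagged_scopes:
            findings.append({"artifact": f"{group}:{artifact}:{version}", "scope": scope,
                             "via": path[1] if len(path) > 1 else path[0],
                             "path": " -> ".join(path)})
    return findings


def exclusion_targets(findings):
    """Direct dependencies that need a Jackson1 exclusion, deduplicated and sorted."""
    return sorted({f["via"] for f in findings})


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for f in find_jackson1(text):
        print(f"{f['scope']:8} {f['artifact']}  <- {f['path']}")
    sys.exit(1 if find_jackson1(text) else 0)  # non-zero exit lets CI gate on the leak
```

Run it against a saved `mvn dependency:tree` capture to list the leaking Jackson1 artifacts; an empty report and exit code 0 confirm the exclusions took effect.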



--
This message was sent by Atlassian Jira
(v8.3.2#803003)