[ https://issues.apache.org/jira/browse/HBASE-23061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16934859#comment-16934859 ]

Andrew Purtell commented on HBASE-23061:
----------------------------------------

This is a blocker because in some circumstances a downstreamer will get a CNFE. 
Jackson is neither needed nor desired in common and client. Fix by replacement. 
We need to sort this out before releasing. Forward port the changes from 
branch-1 once committed. [~busbey] [~vjasani] [~lhofhansl] 

> Replace use of Jackson for JSON serde in hbase common and client modules
> ------------------------------------------------------------------------
>
>                 Key: HBASE-23061
>                 URL: https://issues.apache.org/jira/browse/HBASE-23061
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Andrew Purtell
>            Priority: Blocker
>             Fix For: 1.5.0
>
>
> We are using Jackson to emit JSON in at least one place in common and client. 
> We don't need all of Jackson and all the associated trouble just to do that. 
> Use a suitably licensed JSON library with no known vulnerability. This will 
> avoid problems downstream because we are trying to avoid having them pull in 
> a vulnerable Jackson via us so Jackson is a provided scope. 
> Here's where I am referring to:
> org.apache.hadoop.hbase.util.JsonMapper.<clinit>(JsonMapper.java:37)
>        at org.apache.hadoop.hbase.client.Operation.toJSON(Operation.java:70)
>        at org.apache.hadoop.hbase.client.Operation.toString(Operation.java:96)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
