[
https://issues.apache.org/jira/browse/HBASE-23061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16934886#comment-16934886
]
Sean Busbey commented on HBASE-23061:
-------------------------------------
also part of the justification for going to hbase-thirdparty gson in
HBASE-23015 is that branch-2 and master already do the same thing, so forward
porting won't be needed.
> Replace use of Jackson for JSON serde in hbase common and client modules
> ------------------------------------------------------------------------
>
> Key: HBASE-23061
> URL: https://issues.apache.org/jira/browse/HBASE-23061
> Project: HBase
> Issue Type: Bug
> Reporter: Andrew Purtell
> Priority: Blocker
> Fix For: 1.5.0
>
>
> We are using Jackson to emit JSON in at least one place in common and client.
> We don't need all of Jackson and all the associated trouble just to do that.
> Use a suitably licensed JSON library with no known vulnerability. This will
> avoid problems downstream because we are trying to avoid having them pull in
> a vulnerable Jackson via us so Jackson is a 'provided' scope transitive
> dependency of client and its in-project dependencies (like common).
> Here's where I am referring to:
> org.apache.hadoop.hbase.util.JsonMapper.<clinit>(JsonMapper.java:37)
> at org.apache.hadoop.hbase.client.Operation.toJSON(Operation.java:70)
> at org.apache.hadoop.hbase.client.Operation.toString(Operation.java:96)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
