[ https://issues.apache.org/jira/browse/HBASE-24802?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Busbey updated HBASE-24802:
--------------------------------
Release Note:
<!-- markdown -->
The HBase Thirdparty project now produces an artifact that is a drop-in
replacement for the defunct HTrace project's library. This artifact is binary
and source compatible with the artifact produced by the HTrace incubating 4.2.0
release with the exception of APIs that expressly referred to the relocated
version of Jackson it included.

To use this library you should remove the `htrace-core4` jar file from your
runtime classpath and add the `hbase-noop-htrace` jar in its place.

For use in Maven, add an exclusion to any dependencies that have a transitive
dependency on HTrace:
```
<exclusions>
  <exclusion>
    <groupId>org.apache.htrace</groupId>
    <artifactId>htrace-core4</artifactId>
  </exclusion>
</exclusions>
```
Once the HTrace library has been excluded you should add a dependency on the
replacement implementation at an appropriate scope, e.g. for the first release
that includes this artifact at the default (compile) scope:
```
<dependency>
  <groupId>org.apache.hbase.thirdparty</groupId>
  <artifactId>hbase-noop-htrace</artifactId>
  <version>3.5.0</version>
</dependency>
```
For a detailed compatibility report between the libraries please see the
attachments on Jira for HBASE-24802.
was:
<!-- markdown -->
The HBase Thirdparty project now produces an artifact that is a drop-in
replacement for the defunct HTrace project's library. This library is

To use this library you should remove the `htrace-core4` jar file from your
runtime classpath and add the `hbase-noop-htrace` jar in its place.

For use in Maven, add an exclusion to any dependencies that have a transitive
dependency on HTrace:
```
<exclusions>
  <exclusion>
    <groupId>org.apache.htrace</groupId>
    <artifactId>htrace-core4</artifactId>
  </exclusion>
</exclusions>
```
Once the HTrace library has been excluded you should add a dependency on the
replacement implementation at an appropriate scope, e.g. for the first release
that includes this artifact at the default (compile) scope:
```
<dependency>
  <groupId>org.apache.hbase.thirdparty</groupId>
  <artifactId>hbase-noop-htrace</artifactId>
  <version>3.5.0</version>
</dependency>
```
> make a drop-in compatible impl of htrace APIs that does not do anything
> -----------------------------------------------------------------------
>
> Key: HBASE-24802
> URL: https://issues.apache.org/jira/browse/HBASE-24802
> Project: HBase
> Issue Type: Bug
> Components: Client, dependencies, thirdparty
> Affects Versions: 1.4.0, 2.2.0, 2.3.0, 1.6.0
> Reporter: Rodney Aaron Stainback
> Assignee: Sean Busbey
> Priority: Critical
> Fix For: thirdparty-3.5.0
>
> Attachments: compat_report.html
>
>
> htrace-core4 is a retired project and even on the latest version they shade
> Jackson databind version 2.4.0 which has the following CVEs:
> |cve|severity|cvss|
> |CVE-2017-15095|critical|9.8|
> |CVE-2018-1000873|medium|6.5|
> |CVE-2018-14718|critical|9.8|
> |CVE-2018-5968|high|8.1|
> |CVE-2018-7489|critical|9.8|
> |CVE-2019-14540|critical|9.8|
> |CVE-2019-14893|critical|9.8|
> |CVE-2019-16335|critical|9.8|
> |CVE-2019-16942|critical|9.8|
> |CVE-2019-16943|critical|9.8|
> |CVE-2019-17267|critical|9.8|
> |CVE-2019-17531|critical|9.8|
> |CVE-2019-20330|critical|9.8|
> |CVE-2020-10672|high|8.8|
> |CVE-2020-10673|high|8.8|
> |CVE-2020-10968|high|8.8|
> |CVE-2020-10969|high|8.8|
> |CVE-2020-11111|high|8.8|
> |CVE-2020-11112|high|8.8|
> |CVE-2020-11113|high|8.8|
> |CVE-2020-11619|critical|9.8|
> |CVE-2020-11620|critical|9.8|
> |CVE-2020-14060|high|8.1|
> |CVE-2020-14061|high|8.1|
> |CVE-2020-14062|high|8.1|
> |CVE-2020-14195|high|8.1|
> |CVE-2020-8840|critical|9.8|
> |CVE-2020-9546|critical|9.8|
> |CVE-2020-9547|critical|9.8|
> |CVE-2020-9548|critical|9.8|
>
> Our security team is trying to block us from using HBase because of this.
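One way to find which direct dependencies need the exclusion described in the release note, as an added example that is not code from the issue or the HBase project: it parses the text output of `mvn dependency:tree` and reports the direct dependency at the top of each path that reaches `htrace-core4`. The function name, the `com.example:demo-app` project and the sample tree are constructed for illustration.

```python
import re

# Coordinates of the library the release note says to exclude.
HTRACE = ("org.apache.htrace", "htrace-core4")

# One node of `mvn dependency:tree` text output: optional "[INFO] " prefix,
# 3-character indent units ("|  " or "   "), then "+- " or "\- " and the coordinate.
NODE = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2})*)[+\\]- (\S+)")


def find_htrace_paths(tree_text, target=HTRACE):
    """Return (direct_dependency, htrace_version, path) for each hit in the tree."""
    hits, stack = [], []          # stack[i] is the coordinate at depth i
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue              # project root line, banners, blank lines
        depth = len(m.group(1)) // 3
        del stack[depth:]         # drop siblings and deeper nodes already visited
        stack.append(m.group(2).split(":"))
        node = stack[-1]
        if tuple(node[:2]) == target:
            direct = ":".join(stack[0][:2])   # where the <exclusion> belongs
            path = " -> ".join(":".join(c[:2]) for c in stack)
            hits.append((direct, node[-2], path))   # version precedes scope
    return hits


# Constructed sample output (not from the issue); versions are illustrative.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.hbase:hbase-client:jar:2.3.0:compile
[INFO] |  +- org.apache.hbase:hbase-common:jar:2.3.0:compile
[INFO] |  |  \\- org.apache.htrace:htrace-core4:jar:4.2.0-incubating:compile
[INFO] |  \\- org.apache.hbase:hbase-protocol:jar:2.3.0:compile
[INFO] +- org.apache.hbase.thirdparty:hbase-noop-htrace:jar:3.5.0:compile
[INFO] \\- junit:junit:jar:4.13:test
"""

if __name__ == "__main__":
    for direct, version, path in find_htrace_paths(SAMPLE_TREE):
        print(f"exclude htrace-core4 {version} from {direct}  ({path})")
```

Maven prints each resolved artifact only once in the tree, so after adding an exclusion re-run `mvn dependency:tree` and the check until no path to `htrace-core4` remains.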