apurtell edited a comment on pull request #4193: URL: https://github.com/apache/hbase/pull/4193#issuecomment-1064358413
> I'm reminded that we never wired this up to our nightlies.

@ndimiduk Not sure I would advise this. One of the warnings is

Improper Restriction of XML External Entity Reference in jackson-mapper-asl
org.codehaus.jackson:jackson-mapper-asl (Maven) · hbase-shaded/hbase-shaded-testing-util-tester/pom.xml
"A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to https://github.com/advisories/GHSA-hmq6-frv3-4727 also affects codehaus jackson-mapper-asl libraries but in different classes."

There is no fix for this until we are only up on Hadoop 3 and Hadoop fully excises Codehaus Jackson from their dependencies. It's required transitively for old Jersey/Jetty underpinning the servlet stack in Hadoop 2 so is quite important and not easily dislodged.

If we did wire it up, there would always be one unresolvable high severity warning produced for every build.
