[
https://issues.apache.org/jira/browse/HBASE-27436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Kyle Purtell updated HBASE-27436:
----------------------------------------
Affects Version/s: 2.4.15
2.5.1
2.6.0
> Remove protobuf 2 dependencies
> ------------------------------
>
> Key: HBASE-27436
> URL: https://issues.apache.org/jira/browse/HBASE-27436
> Project: HBase
> Issue Type: Bug
> Affects Versions: 2.6.0, 2.5.1, 2.4.15
> Reporter: Andrew Kyle Purtell
> Priority: Major
>
> Protobuf 2 is subject to CVE-2015-5237, CVE-2021-22569, CVE-2022-3171 and
> scanners checking compliance with zero tolerance CVE policies will hit on
> HBase because a dependency on com.google.protobuf:protobuf-java:2.5.0 is
> still exported by 2.x versions.
> It is impossible to remove that dependency given our compatibility guidelines
> but nonetheless it is a problem for downstream consumers of HBase with such
> security policies.
> HBase 2 uses Protobuf 3 internally for RPC, in hbase-protocol-shaded.
> We still depend on some protobuf-java v2.5 classes because we use the
> Protobuf 2 compiler to compile the IDL in the backwards compatible
> hbase-protocol module. Perhaps we can extract and produce a scaffold from
> protobuf-java v2.5, just enough so the generated classes from the IDL will
> compile, and ship that scaffold included, so the dependency on protobuf-java
> 2.5 proper can be dropped. Protobuf is MIT licensed so partial appropriation
> of the source would be allowable.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
