[
https://issues.apache.org/jira/browse/HBASE-27436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Kyle Purtell updated HBASE-27436:
----------------------------------------
Description:
Protobuf 2 is subject to CVE-2015-5237, CVE-2021-22569, and CVE-2022-3171 and
scanners checking compliance with zero tolerance CVE policies will hit on HBase
because a dependency on com.google.protobuf:protobuf-java:2.5.0 is still
exported by 2.x versions.
It is impossible to remove that dependency by upgrade to Protobuf 3 everywhere
given our compatibility guidelines but nonetheless it is a problem for
downstream consumers of HBase with such security policies.
HBase 2 uses Protobuf 3 internally for RPC, in hbase-protocol-shaded.
We still depend on some protobuf-java v2.5 classes because we use the Protobuf
2 compiler to compile the IDL in the backwards compatible hbase-protocol
module. Perhaps we can extract and produce a scaffold from protobuf-java v2.5,
just enough so the generated classes from the IDL will compile, and ship that
scaffold included, so the dependency on protobuf-java 2.5 proper can be
dropped. Protobuf is MIT licensed so partial appropriation of the source would
be allowable.
was:
Protobuf 2 is subject to CVE-2015-5237, CVE-2021-22569, and CVE-2022-3171 and
scanners checking compliance with zero tolerance CVE policies will hit on HBase
because a dependency on com.google.protobuf:protobuf-java:2.5.0 is still
exported by 2.x versions.
It is impossible to remove that dependency given our compatibility guidelines
but nonetheless it is a problem for downstream consumers of HBase with such
security policies.
HBase 2 uses Protobuf 3 internally for RPC, in hbase-protocol-shaded.
We still depend on some protobuf-java v2.5 classes because we use the Protobuf
2 compiler to compile the IDL in the backwards compatible hbase-protocol
module. Perhaps we can extract and produce a scaffold from protobuf-java v2.5,
just enough so the generated classes from the IDL will compile, and ship that
scaffold included, so the dependency on protobuf-java 2.5 proper can be
dropped. Protobuf is MIT licensed so partial appropriation of the source would
be allowable.
> Remove protobuf 2 dependencies
> ------------------------------
>
> Key: HBASE-27436
> URL: https://issues.apache.org/jira/browse/HBASE-27436
> Project: HBase
> Issue Type: Bug
> Affects Versions: 2.6.0, 2.5.1, 2.4.15
> Reporter: Andrew Kyle Purtell
> Priority: Major
>
> Protobuf 2 is subject to CVE-2015-5237, CVE-2021-22569, and CVE-2022-3171 and
> scanners checking compliance with zero tolerance CVE policies will hit on
> HBase because a dependency on com.google.protobuf:protobuf-java:2.5.0 is
> still exported by 2.x versions.
> It is impossible to remove that dependency by upgrade to Protobuf 3
> everywhere given our compatibility guidelines but nonetheless it is a problem
> for downstream consumers of HBase with such security policies.
> HBase 2 uses Protobuf 3 internally for RPC, in hbase-protocol-shaded.
> We still depend on some protobuf-java v2.5 classes because we use the
> Protobuf 2 compiler to compile the IDL in the backwards compatible
> hbase-protocol module. Perhaps we can extract and produce a scaffold from
> protobuf-java v2.5, just enough so the generated classes from the IDL will
> compile, and ship that scaffold included, so the dependency on protobuf-java
> 2.5 proper can be dropped. Protobuf is MIT licensed so partial appropriation
> of the source would be allowable.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
