[
https://issues.apache.org/jira/browse/HBASE-27436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Kyle Purtell updated HBASE-27436:
----------------------------------------
Issue Type: Brainstorming (was: Bug)
> Remove protobuf 2 dependencies
> ------------------------------
>
> Key: HBASE-27436
> URL: https://issues.apache.org/jira/browse/HBASE-27436
> Project: HBase
> Issue Type: Brainstorming
> Affects Versions: 2.6.0, 2.5.1, 2.4.15
> Reporter: Andrew Kyle Purtell
> Priority: Minor
>
> Protobuf 2 is subject to CVE-2015-5237, CVE-2021-22569, and CVE-2022-3171 and
> scanners checking compliance with zero tolerance CVE policies will hit on
> HBase because a dependency on com.google.protobuf:protobuf-java:2.5.0 is
> still exported by 2.x versions.
> It is impossible to remove that dependency by upgrade to Protobuf 3
> everywhere given our compatibility guidelines but nonetheless it is a problem
> for downstream consumers of HBase with such security policies.
> HBase 2 uses Protobuf 3 internally for RPC, in hbase-protocol-shaded.
> We still depend on some protobuf-java v2.5 classes however because we use the
> Protobuf 2 compiler to compile the IDL in the backwards compatible
> hbase-protocol module. Perhaps we can extract and produce a scaffold from
> protobuf-java v2.5, just enough so the generated classes from the IDL will
> compile, and ship that scaffold included, so the dependency on protobuf-java
> 2.5 proper can be dropped. Protobuf is MIT licensed so partial appropriation
> of the source would be allowable.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
