[ https://issues.apache.org/jira/browse/HBASE-28070?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nihal Jain updated HBASE-28070:
-------------------------------
    Release Note: 
The main driving force behind this change is the need to remove the 
org.glassfish:javax.el:jar:3.0.1-b08 dependency from our project. Not only has 
org.glassfish:javax.el reached EOL, but it also has indirect vulnerabilities 
(CVE-2020-15250).

Before this change, it was required by the javax.servlet.jsp dependency.

Hence, to eliminate the org.glassfish:javax.el dependency, as part of this 
change we have replaced the javax.servlet.jsp dependency with tomcat-jasper, 
which will now be used for JspC Ant task.
      Resolution: Fixed
          Status: Resolved  (was: Patch Available)

Pushed to all active branches, thanks everyone for your reviews.

>  Replace javax.servlet.jsp dependency with tomcat-jasper
> --------------------------------------------------------
>
>                 Key: HBASE-28070
>                 URL: https://issues.apache.org/jira/browse/HBASE-28070
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, UI
>            Reporter: Nikita Pande
>            Assignee: Nihal Jain
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.0, 3.0.0-beta-2, 2.5.11, 2.6.2
>
>
> *Problem Statement*
> HBase has to explicitly depend on org.glassfish:javax.el:jar:3.0.1-b08 as 
> this dependency is needed by javax.servlet.jsp. This direct dependency was 
> added due to https://issues.apache.org/jira/browse/HBASE-18831
> The mvn dependency tree shows the following:
> {code:java}
> [INFO] |  +- org.glassfish.web:javax.servlet.jsp:jar:2.3.2:compile
> [INFO] |  |  \- org.glassfish:javax.el:jar:3.0.1-b08:compile
> {code}
> org.glassfish:javax.el:jar:3.0.1-b08:compile has 
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250]
> We have a ton of Jiras in HBase around glassfish and issues caused due to it. 
> With this Jira I plan to completely remove 
> org.glassfish:javax.el:jar:3.0.1-b08 from our dependency tree. Also 
> org.glassfish:javax.el is EOL and needs migration to jakarta-el which is not 
> trivial. See [https://mvnrepository.com/artifact/org.glassfish/javax.el]
> *Proposed Solution*
> This Jira aims to replace javax.servlet.jsp dependency with tomcat-jasper (as 
> javax.servlet.jsp strictly needs glassfish) and this requires minimal change 
> w.r.t. migrating to jakarta-el.
> Also, we use javax.servlet.jsp to generate/build JSP and the same can be achieved 
> via tomcat-jasper.
> CC: [~zhangduo] 
>  
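The check a reviewer would want after a change like this is proof that the banned artifact is really gone from the resolved tree, and, when it is not, which parent still pulls it in. The following is an added example, not HBase's own tooling or build configuration: it parses `mvn dependency:tree` output of the shape quoted in the description above, tracks the ancestor chain from the nesting prefix, and reports any banned groupId:artifactId together with the path that introduces it. Both sample trees, the module names and the version numbers in them are constructed for illustration and do not describe HBase's actual dependency graph.

```python
"""Scan `mvn dependency:tree` output for artifacts a project has banned.

Added example for HBASE-28070; not HBase's own tooling. The sample trees and
the module names/versions in them are constructed for illustration only.
"""
import re
import sys

# Constructed "before" tree, modelled on the snippet quoted in the Jira description.
TREE_BEFORE = """\
[INFO] org.apache.hbase:hbase-server:jar:2.6.0:compile
[INFO] +- org.apache.hbase:hbase-http:jar:2.6.0:compile
[INFO] |  +- org.glassfish.web:javax.servlet.jsp:jar:2.3.2:compile
[INFO] |  |  \\- org.glassfish:javax.el:jar:3.0.1-b08:compile
[INFO] |  \\- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Constructed "after" tree: javax.servlet.jsp replaced by tomcat-jasper (version made up).
TREE_AFTER = """\
[INFO] org.apache.hbase:hbase-server:jar:2.6.0:compile
[INFO] +- org.apache.hbase:hbase-http:jar:2.6.0:compile
[INFO] |  +- org.apache.tomcat:tomcat-jasper:jar:9.0.0:compile
[INFO] |  \\- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# groupId:artifactId -> reason it must not appear anywhere in the resolved tree.
BANNED = {
    "org.glassfish:javax.el": "EOL; transitive CVE-2020-15250 (HBASE-28070)",
}

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
# A tree line is "[INFO] " + a nesting prefix built from "|  ", "+- " and "\- "
# (three characters per level) + groupId:artifactId:type[:classifier]:version[:scope]
LINE_RE = re.compile(r"^\[INFO\]\s*(?P<prefix>[|+\\\- ]*)(?P<coords>\S+(?::\S+){3,5})\s*$")


def parse_tree(text):
    """Yield (depth, groupId:artifactId, version, scope) for each artifact line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-tree lines such as "[INFO] BUILD SUCCESS"
        depth = len(m.group("prefix")) // 3
        parts = m.group("coords").split(":")
        scope = parts[-1] if parts[-1] in SCOPES else None
        version = parts[-2] if scope else parts[-1]
        yield depth, f"{parts[0]}:{parts[1]}", version, scope


def find_banned(text, banned=BANNED):
    """Return each banned artifact found, with the chain of parents that pulls it in."""
    findings = []
    stack = []  # groupId:artifactId of the ancestor at each depth
    for depth, ga, version, scope in parse_tree(text):
        del stack[depth:]  # leaving a subtree drops the ancestors below this depth
        stack.append(ga)
        if ga in banned:
            findings.append({
                "artifact": f"{ga}:{version}",
                "scope": scope,
                "path": " -> ".join(stack),
                "reason": banned[ga],
            })
    return findings


if __name__ == "__main__":
    # Pipe real output in (`mvn dependency:tree | python check_tree.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else TREE_BEFORE
    hits = find_banned(text)
    for h in hits:
        print(f"BANNED {h['artifact']} ({h['scope']}): {h['reason']}\n  via {h['path']}")
    sys.exit(1 if hits else 0)
```

Run against the "before" tree the script exits non-zero and names `org.glassfish.web:javax.servlet.jsp` as the parent that introduces `org.glassfish:javax.el`, which is exactly the dependency this Jira swaps out; against the "after" tree it reports nothing. Wiring such a check into CI keeps the banned coordinate from creeping back in through some other transitive path later.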



--
This message was sent by Atlassian Jira
(v8.20.10#820010)