[
https://issues.apache.org/jira/browse/HBASE-28070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896793#comment-17896793
]
Hudson commented on HBASE-28070:
--------------------------------
Results for branch branch-2.5
[build #622 on
builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622/]:
(x) *{color:red}-1 overall{color}*
----
details (if available):
(x) {color:red}-1 general checks{color}
-- For more information [see general
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622/General_20Nightly_20Build_20Report/]
(/) {color:green}+1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]
(x) {color:red}-1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk17 hadoop3 checks{color}
-- For more information [see jdk17
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk17 hadoop ${HADOOP_THREE_VERSION} backward compatibility
checks{color}
-- For more information [see jdk17
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk17 hadoop ${HADOOP_THREE_VERSION} backward compatibility
checks{color}
-- For more information [see jdk17
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(x) {color:red}-1 jdk17 hadoop ${HADOOP_THREE_VERSION} backward compatibility
checks{color}
-- For more information [see jdk17
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(x) {color:red}-1 source release artifact{color}
-- Something went wrong with this stage, [check relevant console
output|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622//console].
(x) {color:red}-1 client integration test{color}
-- Something went wrong with this stage, [check relevant console
output|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.5/622//console].
> Replace javax.servlet.jsp dependency with tomcat-jasper
> --------------------------------------------------------
>
> Key: HBASE-28070
> URL: https://issues.apache.org/jira/browse/HBASE-28070
> Project: HBase
> Issue Type: Improvement
> Components: security, UI
> Reporter: Nikita Pande
> Assignee: Nihal Jain
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.7.0, 3.0.0-beta-2, 2.5.11, 2.6.2
>
>
> *Problem Statement*
> HBase has to explicitly depends on org.glassfish:javax.el:jar:3.0.1-b08 as
> this dependency is needed by javax.servlet.jsp. This direct dependency was
> added due to https://issues.apache.org/jira/browse/HBASE-18831
> mvn dependency tree shows below
> {code:java}
> [INFO] | +- org.glassfish.web:javax.servlet.jsp:jar:2.3.2:compile
> [INFO] | | \- org.glassfish:javax.el:jar:3.0.1-b08:compile
> {code}
> org.glassfish:javax.el:jar:3.0.1-b08:compile has
> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250]
> We have ton of Jiras and HBase around glass fish and issues caused due to it.
> With this Jira I plan to completely remove
> org.glassfish:javax.el:jar:3.0.1-b08 from our dependency tree. Also
> org.glassfish:javax.el is EOL and needs migration to jakarta-el which is not
> trivial. See [https://mvnrepository.com/artifact/org.glassfish/javax.el]
> *Proposed Solution*
> This Jira aims to replace javax.servlet.jsp dependency with tomcat-jasper (as
> javax.servlet.jsp strictly needs glassfish) and this requires minimal change
> wrt to migrating to jakarta-el.
> Also, we use javax.servlet.jsp to generate/build JSP and same can be achieved
> via tomcat-jasper.
> CC: [~zhangduo]
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
