[
https://issues.apache.org/jira/browse/NIFI-4300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16883263#comment-16883263
]
Nathan Gough commented on NIFI-4300:
------------------------------------
* commons-httpclient:commons-httpclient in nifi-ranger-nar 4.2.5 -> 4.5.3 |
Would require manual exclusion through hadoop-common * and hadoop-auth.
* commons-httpclient:commons-httpclient in nifi-hdfs-processors 3.1 -> 4.5.3 |
3.x EOL. Would require hadoop upgrade or manually * exclusive. However, manual
exclusive is super risky given the version difference.
* commons-httpclient:commons-httpclient in nifi-hdfs-processors 3.1 -> 4.5.3 |
3.x EOL Would require hadoop upgrade or manually * exclusive. However, manual
exclusive is super risky given the version difference.
** Appears to be 4.5.2 (provided), also 4.5.5
* commons-httpclient:commons-httpclient in nifi-hive-processors 3.0.1 -> 4.5.3
| 3.x EOL Would require hadoop upgrade or manually * exclusive. However, manual
exclusion is super risky given the version difference.
* commons-httpclient:commons-httpclient in nifi-hive-processors 3.0.1 -> 4.5.3
| 3.x EOL Would require hadoop upgrade or manually * exclusive. However, manual
exclusion is super risky given the version difference.
** Now 4.4 in nifi-hive-processors, 4.2.5 in nifi-hive_1_1-processors and
4.5.2 in nifi-hive3
*commons-httpclient:commons-httpclient:3.1 is widely used (and very old, Aug
2007). Has been replaced by org.apache.httpcomponents » httpclient. The
following is all uses of commons-httpclient:*
{noformat}
[INFO] ---------------< org.apache.nifi:nifi-spark-receiver >----------------
[INFO] Building nifi-spark-receiver 1.10.0-SNAPSHOT [411/435]
[INFO] -------------------------------[ jar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-spark-receiver ---
[INFO] org.apache.nifi:nifi-spark-receiver:jar:1.10.0-SNAPSHOT
[INFO] - org.apache.spark:spark-streaming_2.10:jar:1.6.0:provided
[INFO] - org.apache.spark:spark-core_2.10:jar:1.6.0:provided
[INFO] - net.java.dev.jets3t:jets3t:jar:0.7.1:provided
[INFO] - commons-httpclient:commons-httpclient:jar:3.1:provided
[INFO] -------------< org.apache.nifi:nifi-parquet-processors >--------------
[INFO] Building nifi-parquet-processors 1.10.0-SNAPSHOT [368/435]
[INFO] -------------------------------[ jar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-parquet-processors ---
[INFO] org.apache.nifi:nifi-parquet-processors:jar:1.10.0-SNAPSHOT
[INFO] - org.apache.hadoop:hadoop-client:jar:2.7.3:provided
[INFO] - org.apache.hadoop:hadoop-common:jar:2.7.3:provided
[INFO] - commons-httpclient:commons-httpclient:jar:3.1:provided
[INFO] ---------------< org.apache.nifi:nifi-hive-processors >---------------
[INFO] Building nifi-hive-processors 1.10.0-SNAPSHOT [279/435]
[INFO] -------------------------------[ jar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hive-processors ---
[INFO] org.apache.nifi:nifi-hive-processors:jar:1.10.0-SNAPSHOT
[INFO] - org.apache.hive.hcatalog:hive-hcatalog-streaming:jar:1.2.1:compile
[INFO] - org.apache.hive:hive-exec:jar:1.2.1:compile
[INFO] - commons-httpclient:commons-httpclient:jar:3.0.1:compile
[INFO]
[INFO] ------------------< org.apache.nifi:nifi-hive-nar >-------------------
[INFO] Building nifi-hive-nar 1.10.0-SNAPSHOT [280/435]
[INFO] -------------------------------[ nar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hive-nar ---
[INFO] org.apache.nifi:nifi-hive-nar:nar:1.10.0-SNAPSHOT
[INFO] - org.apache.nifi:nifi-hive-processors:jar:1.10.0-SNAPSHOT:compile
[INFO] - org.apache.hive.hcatalog:hive-hcatalog-streaming:jar:1.2.1:compile
[INFO] - org.apache.hive:hive-exec:jar:1.2.1:compile
[INFO] - commons-httpclient:commons-httpclient:jar:3.0.1:compile
[INFO]
[INFO] -------------< org.apache.nifi:nifi-hive_1_1-processors >-------------
[INFO] Building nifi-hive_1_1-processors 1.10.0-SNAPSHOT [281/435]
[INFO] -------------------------------[ jar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hive_1_1-processors ---
[INFO] org.apache.nifi:nifi-hive_1_1-processors:jar:1.10.0-SNAPSHOT
[INFO] - org.apache.hive.hcatalog:hive-hcatalog-streaming:jar:1.1.1:compile
[INFO] - org.apache.hive:hive-exec:jar:1.1.1:compile
[INFO] - commons-httpclient:commons-httpclient:jar:3.0.1:compile
[INFO]
[INFO] ----------------< org.apache.nifi:nifi-hive_1_1-nar >-----------------
[INFO] Building nifi-hive_1_1-nar 1.10.0-SNAPSHOT [282/435]
[INFO] -------------------------------[ nar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hive_1_1-nar ---
[INFO] org.apache.nifi:nifi-hive_1_1-nar:nar:1.10.0-SNAPSHOT
[INFO] - org.apache.nifi:nifi-hive_1_1-processors:jar:1.10.0-SNAPSHOT:compile
[INFO] - org.apache.hive.hcatalog:hive-hcatalog-streaming:jar:1.1.1:compile
[INFO] - org.apache.hive:hive-exec:jar:1.1.1:compile
[INFO] - commons-httpclient:commons-httpclient:jar:3.0.1:compile
[INFO]
[INFO] -------------< org.apache.nifi:nifi-hadoop-record-utils >-------------
[INFO] Building nifi-hadoop-record-utils 1.10.0-SNAPSHOT [283/435]
[INFO] -------------------------------[ jar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hadoop-record-utils ---
[INFO] org.apache.nifi:nifi-hadoop-record-utils:jar:1.10.0-SNAPSHOT
[INFO] - org.apache.hadoop:hadoop-common:jar:2.7.3:provided
[INFO] - commons-httpclient:commons-httpclient:jar:3.1:provided
[INFO] ---------< org.apache.nifi:nifi-hbase_1_1_2-client-service >----------
[INFO] Building nifi-hbase_1_1_2-client-service 1.10.0-SNAPSHOT [125/435]
[INFO] -------------------------------[ jar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hbase_1_1_2-client-service ---
[INFO] org.apache.nifi:nifi-hbase_1_1_2-client-service:jar:1.10.0-SNAPSHOT
[INFO] - org.apache.hbase:hbase-client:jar:1.1.13:compile
[INFO] - org.apache.hadoop:hadoop-common:jar:2.7.3:compile
[INFO] - commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO]
[INFO] -------< org.apache.nifi:nifi-hbase_1_1_2-client-service-nar >--------
[INFO] Building nifi-hbase_1_1_2-client-service-nar 1.10.0-SNAPSHOT [126/435]
[INFO] -------------------------------[ nar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hbase_1_1_2-client-service-nar ---
[INFO] org.apache.nifi:nifi-hbase_1_1_2-client-service-nar:nar:1.10.0-SNAPSHOT
[INFO] - org.apache.nifi:nifi-hbase_1_1_2-client-service:jar:1.10.0-SNAPSHOT:compile
[INFO] - org.apache.hbase:hbase-client:jar:1.1.13:compile
[INFO] - org.apache.hadoop:hadoop-common:jar:2.7.3:compile
[INFO] - commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO]
[INFO] --------< org.apache.nifi:nifi-hbase_2-client-service-bundle >--------
[INFO] Building nifi-hbase_2-client-service-bundle 1.10.0-SNAPSHOT [127/435]
[INFO] -------------------------------[ pom ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hbase_2-client-service-bundle ---
[INFO]
[INFO] -----------< org.apache.nifi:nifi-hbase_2-client-service >------------
[INFO] Building nifi-hbase_2-client-service 1.10.0-SNAPSHOT [128/435]
[INFO] -------------------------------[ jar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hbase_2-client-service ---
[INFO] org.apache.nifi:nifi-hbase_2-client-service:jar:1.10.0-SNAPSHOT
[INFO] - org.apache.hbase:hbase-client:jar:2.1.1:compile
[INFO] - org.apache.hadoop:hadoop-common:jar:2.7.7:compile
[INFO] - commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO]
[INFO] ---------< org.apache.nifi:nifi-hbase_2-client-service-nar >----------
[INFO] Building nifi-hbase_2-client-service-nar 1.10.0-SNAPSHOT [129/435]
[INFO] -------------------------------[ nar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hbase_2-client-service-nar ---
[INFO] org.apache.nifi:nifi-hbase_2-client-service-nar:nar:1.10.0-SNAPSHOT
[INFO] - org.apache.nifi:nifi-hbase_2-client-service:jar:1.10.0-SNAPSHOT:compile
[INFO] - org.apache.hbase:hbase-client:jar:2.1.1:compile
[INFO] - org.apache.hadoop:hadoop-common:jar:2.7.7:compile
[INFO] - commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] ---------------< org.apache.nifi:nifi-kite-processors >---------------
[INFO] Building nifi-kite-processors 1.10.0-SNAPSHOT [159/435]
[INFO] -------------------------------[ jar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-kite-processors ---
[INFO] org.apache.nifi:nifi-kite-processors:jar:1.10.0-SNAPSHOT
[INFO] - org.kitesdk:kite-hadoop-test-dependencies:pom:1.1.0:test
[INFO] - org.apache.hadoop:hadoop-common:test-jar:tests:2.6.0:test
[INFO] - commons-httpclient:commons-httpclient:jar:3.1:provided
[INFO] --------------< org.apache.nifi:nifi-flume-processors >---------------
[INFO] Building nifi-flume-processors 1.10.0-SNAPSHOT [199/435]
[INFO] -------------------------------[ jar ]--------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-flume-processors ---
[INFO] org.apache.nifi:nifi-flume-processors:jar:1.10.0-SNAPSHOT
[INFO] - org.apache.hadoop:hadoop-common:jar:2.7.3:provided
[INFO] - commons-httpclient:commons-httpclient:jar:3.1:provided
{noformat}
> Further review dependency upgrades
> ----------------------------------
>
> Key: NIFI-4300
> URL: https://issues.apache.org/jira/browse/NIFI-4300
> Project: Apache NiFi
> Issue Type: Sub-task
> Components: Extensions
> Affects Versions: 1.3.0
> Reporter: Andy LoPresto
> Priority: Major
> Labels: dependencies, security
>
> For further review:
> * {{org.apache.poi:poi}} in {{nifi-media-nar}} 3.12-beta1 -> 3.15 | Would
> require upgrading to a new version of tika-core/tika-parses * which have catx
> json dependencies.
> * {{commons-fileupload:commons-fileupload}} in {{nifi-gcp-nar}} 1.3.1 ->
> 1.3.2 | Would require upgrading google-cloud but no production * release
> since}} 0.8.0. Could manually exclude commons-fileupload and directly depend
> on the newer version.
> * {{commons-fileupload:commons-fileupload}} in {{nifi-gcp-nar}} 1.3.1 ->
> 1.3.2 | Would require upgrading google-cloud but no production * release
> since}} 0.8.0. Could manually exclude commons-fileupload and directly depend
> on the newer version.
> * {{commons-collections:commons-collections}} in
> {{nifi-hbase_1_1_2-client-service}} 3.2.1 -> 3.2.2 | Check with
> Burgess/Bende. Would * require manual exclusive across multiple dependencies
> and directly dependency on}} 3.2.2.
> * {{commons-httpclient:commons-httpclient}} in {{nifi-hdfs-processors}} 3.1
> -> 4.5.3 | 3.x EOL. Would require hadoop upgrade or manually * exclusive.
> However, manual exclusive is super risky given the version difference.
> * {{commons-httpclient:commons-httpclient}} in {{nifi-hdfs-processors}} 3.1
> -> 4.5.3 | 3.x EOL Would require hadoop upgrade or manually * exclusive.
> However, manual exclusive is super risky given the version difference.
> * {{com.fasterxml.jackson.core:jackson-core}} in {{nifi-gcp-nar}} 2.1.3 ->
> 2.8.6 | Possible manual exclusion, but multiple dependencies * requiring the
> depender (google-auth-library-oauth2-http).
> * {{commons-httpclient:commons-httpclient}} in {{nifi-hive-processors}} 3.0.1
> -> 4.5.3 | 3.x EOL Would require hadoop upgrade or manually * exclusive.
> However, manual exclusion is super risky given the version difference.
> * {{commons-httpclient:commons-httpclient}} in {{nifi-hive-processors}} 3.0.1
> -> 4.5.3 | 3.x EOL Would require hadoop upgrade or manually * exclusive.
> However, manual exclusion is super risky given the version difference.
> * {{com.fasterxml.jackson.core:jackson-core}} in
> {{nifi-elasticsearch-5-processors}} 2.8.1 -> 2.8.6 | Can upgrade to}} 2.8.6
> of * org.elasticsearch.client:transport}} in {{(and update
> nifi-expression-language to}} 2.8.6). Confirm with Bende.
> * {{commons-httpclient:commons-httpclient}} in {{nifi-ranger-nar}} 4.2.5 ->
> 4.5.3 | Would require manual exclusion through hadoop-common * and
> hadoop-auth.
> * {{com.fasterxml.jackson.core:jackson-core}} in {{nifi-spark-receiver}}
> 2.6.5 -> 2.8.6 | Could update direct dependency on * jackson-databind but
> would conflict with spark-core_2.10.
> * {{commons-collections:commons-collections}} in
> {{nifi-hbase_1_1_2-client-service}} 3.2.1 -> 3.2.2 | Would require manual
> exclusion.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
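
Added example, not part of the original JIRA message or of NiFi's code: a Python parser for `mvn dependency:tree` output of the kind listed in the comment above, reporting each path that pulls in commons-httpclient and the direct dependency where a Maven exclusion would have to be declared. The name `find_paths`, the record fields and the sample text (constructed from coordinates in the comment, with Maven's tree connectors and one sibling line assumed) are illustrative.

```python
import re

# "[INFO] " + tree prefix (three characters per nesting level) + Maven coordinate
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*(?:[+\\]- )?)([\w.\-]+(?::[\w.\-]+){3,5})$")

def find_paths(tree_output, target="commons-httpclient:commons-httpclient"):
    """Return one record per occurrence of `target` in dependency:tree output."""
    hits, stack = [], []
    for line in tree_output.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue                      # banners, "Building ..." and blank lines
        depth = len(m.group(1)) // 3
        if depth > len(stack):
            continue                      # malformed nesting, ignore the line
        del stack[depth:]                 # drop siblings and deeper nodes
        stack.append(m.group(2))
        parts = m.group(2).split(":")
        if depth == 0 or ":".join(parts[:2]) != target:
            continue
        hits.append({
            "module": stack[0].split(":")[1],
            # direct dependency of the module: where <exclusion> would be declared
            "exclude_from": ":".join(stack[1].split(":")[:2]),
            "version": parts[-2],
            "scope": parts[-1],
            "eol_3x": parts[-2].startswith("3."),   # the 3.x line is EOL per the issue
            "path": [":".join(c.split(":")[:2]) for c in stack],
        })
    return hits

# Constructed sample input, built from coordinates quoted in the comment.
SAMPLE = r"""
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-parquet-processors ---
[INFO] org.apache.nifi:nifi-parquet-processors:jar:1.10.0-SNAPSHOT
[INFO] +- org.apache.hadoop:hadoop-client:jar:2.7.3:provided
[INFO] |  \- org.apache.hadoop:hadoop-common:jar:2.7.3:provided
[INFO] |     \- commons-httpclient:commons-httpclient:jar:3.1:provided
[INFO] \- org.apache.nifi:nifi-utils:jar:1.10.0-SNAPSHOT:compile
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hive-processors ---
[INFO] org.apache.nifi:nifi-hive-processors:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.hive.hcatalog:hive-hcatalog-streaming:jar:1.2.1:compile
[INFO]    \- org.apache.hive:hive-exec:jar:1.2.1:compile
[INFO]       \- commons-httpclient:commons-httpclient:jar:3.0.1:compile
"""

if __name__ == "__main__":
    for h in find_paths(SAMPLE):
        print(h["module"], h["version"], h["scope"], "via", " > ".join(h["path"][1:]))
```

The `scope` field matters when triaging: `compile` occurrences end up in the built NAR, while `provided` ones are expected to be supplied by the runtime environment.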