shahrs87 commented on PR #1591: URL: https://github.com/apache/phoenix/pull/1591#issuecomment-1513595438
> is this the correct version to use? Latest version of Glassfish's javax.el looks like 3.0-b12

I can update it to 3.0-b12.

> and there's a note in mvnrepository that it's been deprecated in favor of jakarta.el.

I am not inclined to change to jakarta.el because hbase-server will try to download `org.glassfish:javax.el:jar:3.0.1-b06-SNAPSHOT`. To avoid that, I would have to exclude `org.glassfish:javax.el:jar` from multiple modules' poms.

> In addition the glassfish el jars seem to have CVEs attached.

The [linked CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250) affects junit versions from 4.7 and before 4.13.1. Looking at the mvn dependency tree for junit:junit, we are including junit version 4.13.1, which is free from this vulnerability.

```
mvn dependency:tree -Dincludes=junit:junit
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ phoenix-hbase-compat-2.5.0 ---
[INFO] org.apache.phoenix:phoenix-hbase-compat-2.5.0:jar:5.2.0-SNAPSHOT
[INFO] \- junit:junit:jar:4.13.1:test
[INFO]
[INFO] -----------< org.apache.phoenix:phoenix-hbase-compat-2.4.1 >------------
[INFO] Building Phoenix Hbase 2.4.1 compatibility 5.2.0-SNAPSHOT [3/11]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ phoenix-hbase-compat-2.4.1 ---
[INFO] org.apache.phoenix:phoenix-hbase-compat-2.4.1:jar:5.2.0-SNAPSHOT
[INFO] \- junit:junit:jar:4.13.1:test
[INFO]
[INFO] -----------< org.apache.phoenix:phoenix-hbase-compat-2.4.0 >------------
[INFO] Building Phoenix Hbase 2.4.0 compatibility 5.2.0-SNAPSHOT [4/11]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ phoenix-hbase-compat-2.4.0 ---
[INFO] org.apache.phoenix:phoenix-hbase-compat-2.4.0:jar:5.2.0-SNAPSHOT
[INFO] \- junit:junit:jar:4.13.1:test
[INFO]
[INFO] ------------------< org.apache.phoenix:phoenix-core >-------------------
[INFO] Building Phoenix Core 5.2.0-SNAPSHOT [5/11]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ phoenix-core ---
[INFO] org.apache.phoenix:phoenix-core:jar:5.2.0-SNAPSHOT
[INFO] \- junit:junit:jar:4.13.1:test
[INFO]
[INFO] ------------------< org.apache.phoenix:phoenix-pherf >------------------
[INFO] Building Phoenix - Pherf 5.2.0-SNAPSHOT [6/11]
[INFO] --------------------------------[ jar ]---------------------------------
[WARNING] The POM for junit:junit-dep:jar:4.9.1-SNAPSHOT is missing, no dependency information available
[INFO]
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ phoenix-pherf ---
[INFO] org.apache.phoenix:phoenix-pherf:jar:5.2.0-SNAPSHOT
[INFO] \- junit:junit:jar:4.13.1:test
```

@gjacoby126 Let me know if you still have concerns. Thank you.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
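The comment above checks by eye that every module's `junit:junit` resolves outside the range the CVE covers. The script below is an added example, written for this page and not code from shahrs87 or the Phoenix project, that automates the same check over `mvn dependency:tree -Dincludes=<groupId>:<artifactId>` output: it pulls every distinct version of the named artifact out of the tree text and reports those that fall inside a half-open vulnerable range. The range `[4.7, 4.13.1)` is the one the comment states for CVE-2020-15250; the tree text embedded in `SAMPLE_TREE` is constructed sample output, not a real Phoenix build log, and it deliberately includes modules on older JUnit versions so the check has something to flag. It assumes only POSIX `sh`, `sed`, `awk` and `sort`.

```shell
#!/bin/sh
# Added example (not Phoenix project code): flag versions of one Maven artifact, as
# reported by `mvn dependency:tree -Dincludes=<groupId>:<artifactId>`, that fall in a
# vulnerable version range. The tree text below is CONSTRUCTED sample output.

SAMPLE_TREE='[INFO] org.apache.phoenix:phoenix-core:jar:5.2.0-SNAPSHOT
[INFO] \- junit:junit:jar:4.13.1:test
[INFO] org.example:legacy-module:jar:1.0
[INFO] +- junit:junit:jar:4.12:test
[INFO] \- junit:junit:jar:4.13:test
[INFO] org.example:ancient-module:jar:0.9
[INFO] \- junit:junit:jar:4.6:test'

# vercmp A B: prints -1, 0 or 1, comparing dotted versions component-wise as numbers.
# A missing component counts as 0, so 4.13 < 4.13.1. Non-numeric suffixes such as
# "-SNAPSHOT" or "-b12" are dropped by awk's numeric coercion of that component, so
# apply this only where a plain numeric comparison is meaningful.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# version_in_range V LO HI: succeeds when LO <= V < HI (the half-open shape CVE
# advisories usually use: "from X, fixed in Y").
version_in_range() {
  [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -lt 0 ]
}

# tree_versions GROUP:ARTIFACT: reads dependency:tree output on stdin and prints each
# distinct version of that artifact, one per line. The coordinate is spliced into a
# sed regex, so a dot in a group id matches any character; harmless for this purpose.
tree_versions() {
  sed -n "s/.*$1:jar:\([^: ]*\).*/\1/p" | sort -u
}

# affected_versions GROUP:ARTIFACT LO HI: prints the versions from stdin in [LO, HI).
# Empty output means every occurrence of the artifact is outside the vulnerable range.
affected_versions() {
  tree_versions "$1" | while read -r v; do
    if version_in_range "$v" "$2" "$3"; then
      printf '%s\n' "$v"
    fi
  done
}

# Stand-alone run over the constructed sample. Against a real checkout, replace the
# printf with the build itself, e.g.
#   mvn dependency:tree -Dincludes=junit:junit | affected_versions junit:junit 4.7 4.13.1
printf '%s\n' "$SAMPLE_TREE" | affected_versions junit:junit 4.7 4.13.1
```

The same pipeline works for the EL jars discussed above by running the tree with `-Dincludes=org.glassfish:javax.el` and passing the advisory's own range; the only part tied to JUnit is the `4.7 4.13.1` pair.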
