[
https://issues.apache.org/jira/browse/PHOENIX-6929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17713709#comment-17713709
]
ASF GitHub Bot commented on PHOENIX-6929:
-----------------------------------------
shahrs87 commented on PR #1591:
URL: https://github.com/apache/phoenix/pull/1591#issuecomment-1513595438
> is this the correct version to use? Latest version of Glassfish's javax.el
looks like 3.0-b12
I can update it to 3.0-b12.
> and there's a note in mvnrepository that it's been deprecated in favor of
jakarta.el.
I am not inclined to change to jakarta.el because hbase-server will try to
download `org.glassfish:javax.el:jar:3.0.1-b06-SNAPSHOT`. To avoid that, I
would have to exclude `org.glassfish:javax.el:jar` from multiple module's pom.
> In addition the glassfish el jars seem to have CVEs attached.
The [linked
CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250) affects
junit version from version 4.7 and before 4.13.1. Looking at the mvn dependency
tree for junit:junit, we are including junit version 4.13.1 which is free from
this vulnerability.
```
mvn dependency:tree -Dincludes=junit:junit
[INFO] -
> Build failing on master branch.
> -------------------------------
>
> Key: PHOENIX-6929
> URL: https://issues.apache.org/jira/browse/PHOENIX-6929
> Project: Phoenix
> Issue Type: Bug
> Components: core
> Affects Versions: 5.2.0
> Reporter: Rushabh Shah
> Priority: Critical
> Fix For: 5.2.0
>
>
> Ran the following command:
> mvn clean install -DskipTests -Dhbase.profile=2.5
> This failed with the following error.
> {noformat}
> [INFO]
> ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Total time: 4.429 s
> [INFO] Finished at: 2023-04-18T09:09:37-07:00
> [INFO]
> ------------------------------------------------------------------------
> [ERROR] Failed to execute goal on project phoenix-hbase-compat-2.5.0: Could
> not resolve dependencies for project
> org.apache.phoenix:phoenix-hbase-compat-2.5.0:jar:5.2.0-SNAPSHOT: Failed to
> collect dependencies at org.apache.hbase:hbase-server:jar:2.5.0 ->
> org.glassfish.web:javax.servlet.jsp:jar:2.3.2 ->
> org.glassfish:javax.el:jar:3.0.1-b06-SNAPSHOT: Failed to read artifact
> descriptor for org.glassfish:javax.el:jar:3.0.1-b06-SNAPSHOT: Could not
> transfer artifact org.glassfish:javax.el:pom:3.0.1-b06-SNAPSHOT from/to
> jvnet-nexus-snapshots
> (https://maven.java.net/content/repositories/snapshots): transfer failed for
> https://maven.java.net/content/repositories/snapshots/org/glassfish/javax.el/3.0.1-b06-SNAPSHOT/javax.el-3.0.1-b06-SNAPSHOT.pom:
> PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target -> [Help 1]
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
