[ https://issues.apache.org/jira/browse/TEZ-4169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17126707#comment-17126707 ]
László Bodor commented on TEZ-4169:
-----------------------------------

fixed test issues in [^TEZ-4169.08.patch]

validity checks for latest patch

1. as a compile time dep, jackson is only present in 1 place, and with the CVE-free, proper version
{code}
mvn dependency:tree | grep jackson | grep compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.4:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile
{code}

2. tez-protobuf-history-plugin jar contains the needed jackson shaded
{code}
jar tvf tez-protobuf-history-plugin-0.10.1-SNAPSHOT.jar | grep jackson
     0 Fri Jun 05 13:38:58 CEST 2020 META-INF/maven/com.fasterxml.jackson.core/
     0 Fri Jun 05 13:38:58 CEST 2020 META-INF/maven/com.fasterxml.jackson.core/jackson-core/
   148 Fri Jun 05 13:38:58 CEST 2020 META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties
  4063 Fri Jun 05 13:38:58 CEST 2020 META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
    39 Fri Jun 05 13:38:58 CEST 2020 META-INF/services/com.fasterxml.jackson.core.JsonFactory
     0 Fri Jun 05 13:38:58 CEST 2020 org/apache/tez/com/fasterxml/jackson/
     0 Fri Jun 05 13:38:58 CEST 2020 org/apache/tez/com/fasterxml/jackson/core/
  9685 Fri Jun 05 13:38:58 CEST 2020 org/apache/tez/com/fasterxml/jackson/core/Base64Variant.class
...
{code}

> Remove unused transitive compile time jackson dependencies
> ----------------------------------------------------------
>
>                 Key: TEZ-4169
>                 URL: https://issues.apache.org/jira/browse/TEZ-4169
>             Project: Apache Tez
>          Issue Type: Bug
>            Reporter: László Bodor
>            Assignee: László Bodor
>            Priority: Major
>         Attachments: TEZ-4169.01.patch, TEZ-4169.02.patch, TEZ-4169.03.patch, TEZ-4169.04.patch, TEZ-4169.05.patch, TEZ-4169.06.patch, TEZ-4169.07.patch, TEZ-4169.07.patch, TEZ-4169.08.patch
>
>
> Tez has many occurrences of jackson dependencies in its dep tree, however none of them is direct:
> {code}
> lbodor@HW12459 ~/apache/tez master mvn dependency:tree | grep jackson | wc -l
> 204
> {code}
> This is misleading, because tez protobuf history plugin does depend on jackson mapper, so it should have jackson as a direct dependency.
> Similarly to other dependencies, transitive deps can also trigger security scan alerts, complaining about outdated jackson dependencies. It would be cleaner to:
> 1. completely remove unused transitive jackson dependencies and re-add them in test scope where it's needed for clarity's sake
> 2. include jackson as direct dependency where it's used (this could move focus to that place when there is a need for an upgrade)

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
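
The two validity checks from the comment above, written as shell functions that could gate a build. This is an added example, not part of the TEZ-4169 patches: the function names are hypothetical, the pinned versions are the ones shown in the comment, and the relocation prefix `org/apache/tez/` is read off the jar listing.

```shell
#!/bin/sh
# Added example, not from TEZ-4169. All function names are hypothetical.

# stdin: `mvn dependency:tree` output. stdout: "artifact version" for each
# compile-scope jackson artifact, de-duplicated. Other scopes are ignored.
jackson_compile_deps() {
  sed -n -E 's/.*com\.fasterxml\.jackson[^: ]*:([^:]+):jar:([^:]+):compile.*/\1 \2/p' |
    sort -u
}

# stdin: dependency:tree output; args: allowed "artifact version" pins.
# Prints each compile-scope jackson dep that is not pinned; exit 1 if any.
check_jackson_pins() (
  rc=0
  deps=$(jackson_compile_deps)
  while IFS= read -r dep; do
    if [ -z "$dep" ]; then continue; fi
    ok=no
    for pin in "$@"; do
      if [ "$dep" = "$pin" ]; then ok=yes; fi
    done
    if [ "$ok" = no ]; then echo "unpinned: $dep"; rc=1; fi
  done <<EOF
$deps
EOF
  exit "$rc"
)

# stdin: `jar tvf` listing; $1: relocation prefix. Prints jackson classes
# that sit outside the prefix, i.e. were bundled without being relocated.
unrelocated_jackson_classes() {
  awk -v p="$1" \
    '$NF ~ "com/fasterxml/jackson/.*[.]class$" && index($NF, p) != 1 { print $NF }'
}

# Sample input: the three dependency:tree lines quoted in the comment.
sample_tree() {
  cat <<'EOF'
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.4:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile
EOF
}

# Usage on real output: mvn dependency:tree | check_jackson_pins "<artifact> <version>" ...
sample_tree | check_jackson_pins "jackson-core 2.9.10" \
  "jackson-databind 2.9.10.4" "jackson-annotations 2.9.10" && echo "pins ok"
```

For the second check, pipe `jar tvf <plugin jar>` into `unrelocated_jackson_classes org/apache/tez/`; any line it prints is a jackson class shipped under its original package name.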