[
https://issues.apache.org/jira/browse/HADOOP-17820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17390206#comment-17390206
]
Siyao Meng commented on HADOOP-17820:
-------------------------------------
After some digging, jdom 1 and 2 are still required as transitive dependencies:
{code:title=mvn dependency}
[INFO] +- com.aliyun.oss:aliyun-sdk-oss:jar:3.4.1:compile
[INFO] | +- org.jdom:jdom:jar:1.1:compile
{code}
{code:title=mvn dependency}
[INFO] +- org.apache.maven.plugins:maven-shade-plugin:jar:3.2.1:provided
...
[INFO] | +- org.jdom:jdom2:jar:2.0.6:provided
{code}
> Remove dependency on jdom
> -------------------------
>
> Key: HADOOP-17820
> URL: https://issues.apache.org/jira/browse/HADOOP-17820
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Siyao Meng
> Assignee: Siyao Meng
> Priority: Major
>
> It doesn't seem that jdom is referenced anywhere in the code base now, yet it
> exists in the distribution.
> {code}
> $ find . -name "*jdom*.jar"
> ./hadoop-3.4.0-SNAPSHOT/share/hadoop/tools/lib/jdom-1.1.jar
> {code}
> There is recently
> [CVE-2021-33813|https://github.com/advisories/GHSA-2363-cqg2-863c] issued for
> jdom. Let's remove the binary from the dist if not useful.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
