[ https://issues.apache.org/jira/browse/HBASE-28921?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nihal Jain updated HBASE-28921: ------------------------------- Description: We are bundling all webapp resources in hbase-server, hbase-thrift and transitively to hbase-shaded-mapreduce jar. This can be an issue as if any of the js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code. With this JIRA, we want to avoid bundling static webapp resources in our jars. For example: Bootstrap 3.4.1 which is used by hbase, has multiple medium CVEs reported recently. See [https://security.snyk.io/package/npm/bootstrap/3.4.1] for details. And since we are bundling all webapp resources in hbase-server, hbase-thrift and transitively to hbase-shaded-mapreduce jar. And hence sonatype reports all such jars also as vulnerable: |3|CVE-2024-6484]|2.3|bootstrap 3.4.1| |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-server : 2.6.0| |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-shaded-mapreduce : 2.6.0| |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-thrift : 2.6.0| It is wise to remove such files from our jars. was: We are bundling all webapp resources in hbase-server, hbase-thrift and transitively to hbase-shaded-mapreduce jar. This can be an issue as if any of the js projects used by hbase are vulnerble, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code. With this JIRA, we want to avoid bundling static webapp resources in our jars. For example: Bootstrap 3.4.1 which is used by hbase, has multiple medium CVEs reported recently. See [https://security.snyk.io/package/npm/bootstrap/3.4.1] for details. And since we are bundling all webapp resources in hbase-server, hbase-thrift and transitively to hbase-shaded-mapreduce jar. And hence sonatype reports all such jars also as vulnerable: |3|CVE-2024-6484]|2.3|bootstrap 3.4.1| |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-server : 2.6.0| |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-shaded-mapreduce : 2.6.0| |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-thrift : 2.6.0| It is wise to remove such files from our jars. > Skip bundling hbase-webapps folder in jars > ------------------------------------------ > > Key: HBASE-28921 > URL: https://issues.apache.org/jira/browse/HBASE-28921 > Project: HBase > Issue Type: Improvement > Components: security, UI > Reporter: Nihal Jain > Assignee: Nihal Jain > Priority: Major > > We are bundling all webapp resources in hbase-server, hbase-thrift and > transitively to hbase-shaded-mapreduce jar. This can be an issue as if any of > the js projects used by hbase are vulnerable, security scan tools like > sonatype start flagging the jars too as vulnerable since they contain > vulnerable code. > With this JIRA, we want to avoid bundling static webapp resources in our jars. > For example: Bootstrap 3.4.1 which is used by hbase, has multiple medium CVEs > reported recently. See [https://security.snyk.io/package/npm/bootstrap/3.4.1] > for details. > And since we are bundling all webapp resources in hbase-server, hbase-thrift > and transitively to hbase-shaded-mapreduce jar. And hence sonatype reports > all such jars also as vulnerable: > |3|CVE-2024-6484]|2.3|bootstrap 3.4.1| > |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-server : 2.6.0| > |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-shaded-mapreduce : 2.6.0| > |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-thrift : 2.6.0| > It is wise to remove such files from our jars. -- This message was sent by Atlassian Jira (v8.20.10#820010)