[ https://issues.apache.org/jira/browse/HBASE-28921?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17891789#comment-17891789 ]

Nihal Jain commented on HBASE-28921:
------------------------------------

Had to revert [#6368|https://github.com/apache/hbase/pull/6368]

I see some test failures while debugging some other code. Apparently we use the 
hbase-webapps folder to create an instance of an HBase local cluster for tests, and 
the folder needs to be present in the classpath. I am seeing the following since we 
have removed hbase-webapps from the hbase-server jar, and hence tests in other 
modules can't find it in the classpath now:
Caused by: java.io.FileNotFoundException: hbase-webapps/master not found in CLASSPATH
        at org.apache.hadoop.hbase.http.HttpServer.getWebAppsPath(HttpServer.java:1086)
        at org.apache.hadoop.hbase.http.HttpServer.getWebAppsPath(HttpServer.java:1073)
        at org.apache.hadoop.hbase.http.HttpServer.<init>(HttpServer.java:589)
        at org.apache.hadoop.hbase.http.HttpServer$Builder.build(HttpServer.java:431)
        at org.apache.hadoop.hbase.http.InfoServer.<init>(InfoServer.java:92)
        at org.apache.hadoop.hbase.HBaseServerBase.putUpWebUI(HBaseServerBase.java:345)
        at org.apache.hadoop.hbase.HBaseServerBase.<init>(HBaseServerBase.java:307)
        at org.apache.hadoop.hbase.master.HMaster.<init>(HMaster.java:511)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:481)
        at org.apache.hadoop.hbase.util.JVMClusterUtil.createMasterThread(JVMClusterUtil.java:124)
        ... 40 more
The fix is to include hbase-webapps in the classpath for each impacted module's test 
resources. Reverting this for now to unblock any new PRs which may get impacted 
by this change. Will raise another PR to handle the above case along with the 
current change.

> Skip bundling hbase-webapps folder in jars
> ------------------------------------------
>
>                 Key: HBASE-28921
>                 URL: https://issues.apache.org/jira/browse/HBASE-28921
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, UI
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.0, 3.0.0-beta-2, 2.5.11, 2.6.2
>
>
> We are bundling all webapp resources in hbase-server, hbase-thrift and 
> transitively in the hbase-shaded-mapreduce jar. This can be an issue, as if any of 
> the js projects used by hbase are vulnerable, security scan tools like 
> sonatype start flagging the jars too as vulnerable, since they contain 
> vulnerable code.
> With this JIRA, we want to avoid bundling static webapp resources in our jars.
> For example: Bootstrap 3.4.1 which is used by hbase, has multiple medium CVEs 
> reported recently. See [https://security.snyk.io/package/npm/bootstrap/3.4.1] 
> for details.
> And since we are bundling all webapp resources in hbase-server, hbase-thrift 
> and transitively in the hbase-shaded-mapreduce jar, sonatype reports 
> all such jars also as vulnerable:
> |3|CVE-2024-6484|2.3|bootstrap 3.4.1|
> |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-server : 2.6.0|
> |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-shaded-mapreduce : 2.6.0|
> |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-thrift : 2.6.0|
> It is wise to remove such files from our jars to avoid any bigger hiccups in 
> future.
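A Maven fragment of the kind the comment's proposed fix implies, added here as an example and not code from the HBase project: it keeps a module's own src/test/resources while also exposing hbase-server's hbase-webapps tree to that module's test classpath only, so the shipped jar still carries no webapp resources. The relative path ../hbase-server/src/main/resources as the location of hbase-webapps is an assumption.

```xml
<build>
  <testResources>
    <!-- Declaring <testResources> replaces Maven's default, so the module's
         own test resources must be listed explicitly or they disappear. -->
    <testResource>
      <directory>${project.basedir}/src/test/resources</directory>
    </testResource>
    <!-- Assumed location: hbase-webapps lives in hbase-server's main resources.
         Only the webapp tree is copied into target/test-classes, where the
         classloader lookup for hbase-webapps/<app> in HttpServer.getWebAppsPath
         can find it; main resources and the packaged jar are untouched. -->
    <testResource>
      <directory>${project.basedir}/../hbase-server/src/main/resources</directory>
      <includes>
        <include>hbase-webapps/**</include>
      </includes>
    </testResource>
  </testResources>
</build>
```

After the build, `unzip -l target/<module>.jar | grep hbase-webapps` should print nothing, while `target/test-classes/hbase-webapps/master` should exist.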



--
This message was sent by Atlassian Jira
(v8.20.10#820010)