[ https://issues.apache.org/jira/browse/HBASE-28921?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17892146#comment-17892146 ]
Nihal Jain commented on HBASE-28921:
------------------------------------

Posted attempt#2 for this change

> Avoid bundling hbase-webapps folder in default jars
> ---------------------------------------------------
>
>                 Key: HBASE-28921
>                 URL: https://issues.apache.org/jira/browse/HBASE-28921
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, UI
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.0, 3.0.0-beta-2, 2.5.11, 2.6.2
>
>
> We are bundling all webapp resources in hbase-server, hbase-thrift and
> transitively in the hbase-shaded-mapreduce jar. This can be an issue: if any of
> the js projects used by hbase are vulnerable, security scan tools like
> sonatype start flagging the jars too as vulnerable, since they contain
> vulnerable code.
>
> With this JIRA, we want to avoid bundling static webapp resources in our jars.
>
> For example: Bootstrap 3.4.1, which is used by hbase, has multiple medium CVEs
> reported recently. See [https://security.snyk.io/package/npm/bootstrap/3.4.1]
> for details.
>
> And since we are bundling all webapp resources in hbase-server, hbase-thrift
> and transitively in the hbase-shaded-mapreduce jar, sonatype reports
> all such jars as vulnerable too:
>
> |3|CVE-2024-6484|2.3|bootstrap 3.4.1|
> |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-server : 2.6.0|
> |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-shaded-mapreduce : 2.6.0|
> |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-thrift : 2.6.0|
>
> It is wise to remove such files from our jars to avoid any bigger hiccups in
> future.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
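A build-time check for the situation the issue describes, added here as an example (it is not part of the HBASE-28921 change or of HBase): it lists every entry under the `hbase-webapps/` prefix inside a jar and reads the version banner from any bundled Bootstrap JavaScript, so a release can verify that static webapp resources really stayed out of hbase-server, hbase-thrift and hbase-shaded-mapreduce. The jar contents below are constructed in memory; the `hbase-webapps/` layout inside the jar is an assumption taken from the issue title.

```python
import io
import re
import zipfile

# Assumed layout (from the issue title): static resources live under this prefix.
WEBAPP_PREFIX = "hbase-webapps/"
# Bootstrap's minified bundle starts with a banner such as "/*! Bootstrap v3.4.1 ...".
BOOTSTRAP_BANNER = re.compile(rb"Bootstrap v(\d+\.\d+\.\d+)")


def find_bundled_webapp_resources(jar_bytes: bytes) -> dict:
    """Map each bundled webapp entry to the Bootstrap version found in it
    (None for non-Bootstrap files). An empty dict means the jar is clean."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or not info.filename.startswith(WEBAPP_PREFIX):
                continue
            version = None
            if info.filename.endswith(".js"):
                # The banner sits at the top of the file; a short head is enough.
                with jar.open(info) as fh:
                    match = BOOTSTRAP_BANNER.search(fh.read(256))
                if match:
                    version = match.group(1).decode()
            found[info.filename] = version
    return found


def build_sample_jar(entries: dict) -> bytes:
    """Construct an in-memory jar (a zip file) from {name: bytes} (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a jar that still bundles the webapp, and one that does not.
BUNDLED_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/hadoop/hbase/HConstants.class": b"\xca\xfe\xba\xbe",
    "hbase-webapps/static/js/bootstrap.min.js":
        b"/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)\n */",
    "hbase-webapps/master/master.jsp": b"<%@ page %>",
})
CLEAN_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/hadoop/hbase/HConstants.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    for label, jar in (("bundled", BUNDLED_JAR), ("clean", CLEAN_JAR)):
        print(label, "->", find_bundled_webapp_resources(jar) or "no webapp resources")
```

Pointing `find_bundled_webapp_resources` at the bytes of a real build artifact turns this into a release gate: any non-empty result means the jar would still be flagged by a scanner for the bundled JavaScript.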