[ https://issues.apache.org/jira/browse/HBASE-28943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895183#comment-17895183 ]

Nihal Jain commented on HBASE-28943:
------------------------------------

Pushed to branch-2.6, will merge to branch-2.5 tonight!

> Remove all jackson 1.x dependencies for hadoop-3 profile, since all jackson 
> 1.x versions have vulnerabilities
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-28943
>                 URL: https://issues.apache.org/jira/browse/HBASE-28943
>             Project: HBase
>          Issue Type: Task
>          Components: hadoop3, security
>    Affects Versions: 2.6.1, 2.5.10
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.6.2
>
>
> Building hbase with hadoop-3 profile on branch-2 still requires jackson 1.x 
> jars, which have vulnerabilities. Ideally these should not be needed, as with 
> HADOOP-13332 hadoop has already "Remove jackson 1.9.13 and switch all jackson 
> code to 2.x code line" for branch-3.
> Also in HBASE-27148, where we worked on "Move minimum hadoop 3 support 
> version to 3.2.3", we did a similar cleanup for branch-3 but somehow we 
> missed porting the relevant changes to the branch-2 backport of the same jira. 
> This task is to take care of this so that we do not need jackson 1.x to 
> build/run hbase with hadoop-3 profile on branch-2.x.
>  
> We have the following in our dependency tree:
> {code:java}
> [INFO] ----------< org.apache.hbase:hbase-shaded-client-byo-hadoop >-----------
> [INFO] Building Apache HBase - Shaded - Client 2.7.0-SNAPSHOT           [33/53]
> [INFO]   from hbase-shaded/hbase-shaded-client-byo-hadoop/pom.xml
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO] 
> [INFO] +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:provided
> [INFO] +- org.codehaus.jackson:jackson-xc:jar:1.9.13:provided
> .
> .
> [INFO] --------------< org.apache.hbase:hbase-shaded-mapreduce >---------------
> [INFO] Building Apache HBase - Shaded - MapReduce 2.7.0-SNAPSHOT        [34/53]
> [INFO]   from hbase-shaded/hbase-shaded-mapreduce/pom.xml
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO] 
> [INFO] +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:provided
> [INFO] +- org.codehaus.jackson:jackson-xc:jar:1.9.13:provided
> .
> .
> [INFO] -------------< org.apache.hbase:hbase-shaded-testing-util >-------------
> [INFO] Building Apache HBase - Shaded - Testing Util 2.7.0-SNAPSHOT     [46/53]
> [INFO]   from hbase-shaded/hbase-shaded-testing-util/pom.xml
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO] 
> [INFO] +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
> [INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
> [INFO] |  \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
> [INFO] |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:test
> .
> .
> [INFO] ---------< org.apache.hbase:hbase-shaded-testing-util-tester >----------
> [INFO] Building Apache HBase - Shaded - Testing Util Tester 2.7.0-SNAPSHOT [47/53]
> [INFO]   from hbase-shaded/hbase-shaded-testing-util-tester/pom.xml
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO] 
> [INFO] +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:test
> [INFO] |  \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:test
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
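
A check over the kind of dependency tree quoted in the issue, as an added example that is not part of the original message or of the HBase code base: it parses `mvn dependency:tree` output and reports, per module, every artifact in the `org.codehaus.jackson` group with its version and scope. The sample input is constructed from the quoted lines (the `com.fasterxml` line and its version are constructed), and `find_banned` is a hypothetical name.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the tree quoted in the issue. The
# com.fasterxml line (and its version) is constructed to show a non-match.
SAMPLE_TREE = """\
[INFO] ----------< org.apache.hbase:hbase-shaded-client-byo-hadoop >-----------
[INFO] Building Apache HBase - Shaded - Client 2.7.0-SNAPSHOT           [33/53]
[INFO] +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:provided
[INFO] +- org.codehaus.jackson:jackson-xc:jar:1.9.13:provided
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.17.2:compile
[INFO] -------------< org.apache.hbase:hbase-shaded-testing-util >-------------
[INFO] +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  \\- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
"""

# Module banner printed by Maven before each module's tree.
MODULE_RE = re.compile(r"^\[INFO\] -+< (\S+) >-+\s*$")
# Log prefix plus the tree-drawing characters in front of a coordinate.
TREE_PREFIX = re.compile(r"^\[INFO\] [|+\\ -]*")


def find_banned(tree_text, banned_group="org.codehaus.jackson"):
    """Return {module: [(artifact, version, scope), ...]} for the banned group."""
    hits = defaultdict(set)
    module = "(unknown module)"
    for line in tree_text.splitlines():
        banner = MODULE_RE.match(line)
        if banner:
            module = banner.group(1)
            continue
        # Coordinates are group:artifact:type[:classifier]:version:scope.
        coords = TREE_PREFIX.sub("", line).strip().split(":")
        if len(coords) < 5:
            continue  # "Building ...", separators and blank [INFO] lines
        group, artifact, version, scope = coords[0], coords[1], coords[-2], coords[-1]
        if group == banned_group:
            # A set collapses the same artifact listed twice under one module.
            hits[module].add((artifact, version, scope))
    return {mod: sorted(deps) for mod, deps in hits.items()}


if __name__ == "__main__":
    for mod, deps in find_banned(SAMPLE_TREE).items():
        for artifact, version, scope in deps:
            print(f"{mod}: {artifact} {version} ({scope})")
```

Scope matters when reading the result: `compile` entries end up on the runtime classpath, while `provided` and `test` entries are still required to build.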
