[ https://issues.apache.org/jira/browse/HBASE-28921?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895459#comment-17895459 ]

Hudson commented on HBASE-28921:
--------------------------------

Results for branch master
[build #1199 on builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1199/]: (x) *{color:red}-1 overall{color}*
----
details (if available):

(/) {color:green}+1 general checks{color}
-- For more information [see general report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1199/General_20Nightly_20Build_20Report/]

(/) {color:green}+1 jdk17 hadoop3 checks{color}
-- For more information [see jdk17 report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1199/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(/) {color:green}+1 jdk17 hadoop ${HADOOP_THREE_VERSION} backward compatibility checks{color}
-- For more information [see jdk17 report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1199/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(x) {color:red}-1 jdk17 hadoop ${HADOOP_THREE_VERSION} backward compatibility checks{color}
-- For more information [see jdk17 report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/1199/JDK17_20Nightly_20Build_20Report_20_28Hadoop3_29/]

(/) {color:green}+1 source release artifact{color}
-- See build output for details.

(/) {color:green}+1 client integration test for 3.3.5 {color}
(/) {color:green}+1 client integration test for 3.3.6 {color}
(/) {color:green}+1 client integration test for 3.4.0 {color}

> Avoid bundling hbase-webapps folder in default jars
> ---------------------------------------------------
>
>                 Key: HBASE-28921
>                 URL: https://issues.apache.org/jira/browse/HBASE-28921
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, UI
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 2.7.0, 3.0.0-beta-2, 2.5.11, 2.6.2
>
>
> We are bundling all webapp resources in hbase-server, hbase-thrift and
> transitively in the hbase-shaded-mapreduce jar. This can be an issue because,
> if any of the JS projects used by HBase are vulnerable, security scan tools
> like Sonatype start flagging the jars as vulnerable too, since they contain
> vulnerable code.
> With this JIRA, we want to avoid bundling static webapp resources in our jars.
> For example: Bootstrap 3.4.1, which is used by HBase, has multiple medium CVEs
> reported recently. See [https://security.snyk.io/package/npm/bootstrap/3.4.1]
> for details.
> Since we are bundling all webapp resources in hbase-server, hbase-thrift
> and transitively in the hbase-shaded-mapreduce jar, Sonatype reports
> all such jars as vulnerable too:
> |3|CVE-2024-6484|2.3|bootstrap 3.4.1|
> |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-server : 2.6.0|
> |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-shaded-mapreduce : 2.6.0|
> |3|CVE-2024-6484|2.3|org.apache.hbase : hbase-thrift : 2.6.0|
> It is wise to remove such files from our jars to avoid any bigger hiccups in
> future.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
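
One way to check a built jar for the condition the issue describes, as an added example that is not part of the original message or of the HBase project's code: it lists every entry under the `hbase-webapps/` folder named in the issue title and reads the version banner of any front-end library it finds there. The entry paths, the sample jars and the function names are constructed for illustration.

```python
import io
import re
import zipfile

WEBAPP_PREFIX = "hbase-webapps/"  # folder named in the issue title
# Version banner that many front-end libraries keep at the top of their files,
# e.g. "Bootstrap v3.4.1". This is the kind of evidence a scanner can match on.
BANNER = re.compile(rb"\b([A-Za-z][\w.-]*) v(\d+(?:\.\d+)+)")

def bundled_webapp_resources(jar_bytes, prefix=WEBAPP_PREFIX):
    """Return (entry, library, version) for each file under prefix.

    library and version are None when the file has no recognizable banner."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            head = jar.read(info)[:4096]  # banners sit at the start of the file
            m = BANNER.search(head)
            lib, ver = (m.group(1).decode(), m.group(2).decode()) if m else (None, None)
            findings.append((info.filename, lib, ver))
    return findings

def build_sample_jar(entries):
    """Build a small in-memory jar from {entry_name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed samples: entry paths below are illustrative, not taken from a real HBase jar.
BUNDLED_JAR = build_sample_jar({
    "org/apache/hadoop/hbase/Example.class": b"\xca\xfe\xba\xbe",
    "hbase-webapps/static/js/bootstrap.min.js":
        b"/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)\n */",
    "hbase-webapps/master/index.html": b"<html></html>",
})
CLEAN_JAR = build_sample_jar({"org/apache/hadoop/hbase/Example.class": b"\xca\xfe\xba\xbe"})

if __name__ == "__main__":
    for label, jar in (("bundled", BUNDLED_JAR), ("clean", CLEAN_JAR)):
        hits = bundled_webapp_resources(jar)
        print(label, "FAIL: webapp resources bundled" if hits else "OK")
        for name, lib, ver in hits:
            print("   ", name, lib or "-", ver or "-")
```

Run against the bytes of a real jar, a non-empty result means the jar still carries static webapp resources and will inherit scanner findings for whatever libraries those files contain.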