Hadoop Common / HADOOP-16485

Remove dependency on jackson


Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved

    Description

      Looking at git history, there were 5 commits related to updating jackson versions due to various CVEs since 2018. And it seems to be getting worse more recently.

      Filing this jira to discuss the possibility of removing the jackson dependency once and for all. I see that jackson is deeply integrated into the Hadoop codebase, so it is not a trivial task. However, if Hadoop is forced to make a new set of releases because of Jackson vulnerabilities, it may start to look not so costly.

      At the very least, consider stripping the jackson-databind code, since that's where the majority of CVEs come from.

            People

    Assignee: Unassigned
    Reporter: Wei-Chiu Chuang (weichiu)
    Votes: 0
    Watchers: 14


Time Tracking

    Original Estimate: Not Specified
    Remaining Estimate: 0h
    Time Spent: 5h 10m