Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-16485

Remove dependency on jackson

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • None
    • None

    Description

      Looking at git history, there were 5 commits related to updating jackson versions due to various CVEs since 2018. And it seems to get worse more recently.

      File this jira to discuss the possibility of removing jackson dependency once for all. I see that jackson is deeply integrated into Hadoop codebase, so not a trivial task. However, if Hadoop is forced to make a new set of releases because of Jackson vulnerabilities, it may start to look not so costly.

      At the very least, consider stripping jackson-databind coode, since that's where the majority of CVEs come from.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-16487 Update jackson-databind to 2.9.9.2

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-16198 Upgrade Jackson-databind version to 2.9.8

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-16451 Update jackson-databind to 2.9.9.1

          • Major - Major loss of function.
          • Resolved

          Task - A task that needs to be done. HADOOP-15482 Upgrade jackson-databind to version 2.9.5

          • Major - Major loss of function.
          • Resolved

          Task - A task that needs to be done. HADOOP-16365 Upgrade jackson-databind to 2.9.9

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-16891 Upgrade jackson-databind to 2.9.10.3

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-16533 Update jackson-databind to 2.9.9.3

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-16883 update jackon-databind version

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              weichiu Wei-Chiu Chuang
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 5h 10m
                  5h 10m