Description
Hey everyone, we've done a container scan of Hadoop 3.2.2 we are using to build a shaded version of a Flink uber jar with, and noticed several apparent problems that are primarily related to com.faster.xml.jackson.core_jackson-databind.
Specifically, the report claims version 2.4.0 of the library is used (am not sure about this part personally so I may be mistaken) and the fix suggestion I see is to move up to either 2.10.5.1, 2.9.10.8, or 2.6.7.4 as appropriate.
I believe 2.10.3 is actually what's currently in use based on https://github.com/apache/hadoop/blob/4cf35315838a6e65f87ed64aaa8f1d31594c7fcd/hadoop-project/pom.xml#L75
Hopefully not a far-reaching change as I know changing dependencies can sometimes have a big knock-on effect; anyway, figured I'd report it in case someone plans to work on it.
Again, do note that this is using a scan of an image built for Flink 1.11.3, but using Hadoop, so it has a bunch of the same classes in, and I do believe that in Flink itself the version of Jackson pulled in does not have the same problems, thus my thinking it is related to the Hadoop dependencies.
Thanks!
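The reporter is unsure whether the scanner's 2.4.0 claim reflects what is really on the classpath. One way to settle that kind of question for a shaded jar is to read the Maven descriptors the build leaves inside it: every Maven-built jar carries `META-INF/maven/<groupId>/<artifactId>/pom.properties`, and the shade plugin copies those entries into the uber jar (assuming the build did not filter `META-INF/maven` out), so the recorded version can be compared with the scanner's report. The script below is an added example, not part of this issue or of the Hadoop or Flink projects; the jar it inspects is constructed inline as sample data, and the function names are hypothetical.

```python
"""Check which version of jackson-databind is actually bundled in a shaded jar.

Added example (not from the Hadoop or Flink projects). It reads the
META-INF/maven/<group>/<artifact>/pom.properties entries that Maven writes
into every jar and the shade plugin copies into an uber jar, and compares the
recorded version with the one a container scanner reported.
"""
import os
import tempfile
import zipfile

JACKSON_GROUP = "com.fasterxml.jackson.core"
JACKSON_ARTIFACT = "jackson-databind"


def parse_properties(text):
    """Parse a Java .properties file into a dict (comments and blank lines skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def find_bundled_versions(jar_path, group_id, artifact_id):
    """Return the sorted versions recorded for group:artifact inside the jar.

    A shaded jar can carry several pom.properties for one artifact when
    different modules pulled in different versions, so every matching entry
    is read (by ZipInfo, not by name, so duplicates are not collapsed).
    """
    wanted = f"META-INF/maven/{group_id}/{artifact_id}/pom.properties"
    versions = set()
    with zipfile.ZipFile(jar_path) as jar:
        for info in jar.infolist():
            if info.filename == wanted:
                props = parse_properties(jar.read(info).decode("utf-8", "replace"))
                if "version" in props:
                    versions.add(props["version"])
    return sorted(versions)


def count_classes(jar_path, package_prefix):
    """Count .class entries under a package path such as com/fasterxml/jackson/databind/."""
    with zipfile.ZipFile(jar_path) as jar:
        return sum(1 for n in jar.namelist()
                   if n.startswith(package_prefix) and n.endswith(".class"))


def compare_with_scanner(jar_path, group_id, artifact_id, reported_version):
    """Compare the version a scanner reported with what the jar metadata records."""
    bundled = find_bundled_versions(jar_path, group_id, artifact_id)
    return {
        "reported": reported_version,
        "bundled": bundled,
        "matches": reported_version in bundled,
        "multiple_versions": len(bundled) > 1,
    }


def build_sample_jar(path):
    """Write a constructed uber-jar-like zip (sample data, not a real Hadoop or Flink build)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            "#Generated by Maven\nversion=2.10.3\n"
            "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n",
        )
        # Two class entries so the package-based count has something to find;
        # the bytes are just a class-file magic number, not real classes.
        jar.writestr("com/fasterxml/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/fasterxml/jackson/databind/JsonNode.class", b"\xca\xfe\xba\xbe")


def demo(reported_version="2.4.0"):
    """Build the sample jar in a temp dir and compare it with a scanner's claim."""
    workdir = tempfile.mkdtemp()
    jar_path = os.path.join(workdir, "flink-shaded-hadoop-sample.jar")
    build_sample_jar(jar_path)
    result = compare_with_scanner(jar_path, JACKSON_GROUP, JACKSON_ARTIFACT, reported_version)
    result["class_count"] = count_classes(jar_path, "com/fasterxml/jackson/databind/")
    return result


if __name__ == "__main__":
    # With the sample jar the scanner's "2.4.0" does not match the recorded 2.10.3.
    print(demo("2.4.0"))
```

Run it against a real uber jar by calling `compare_with_scanner(path, JACKSON_GROUP, JACKSON_ARTIFACT, "<reported version>")`; a `multiple_versions` result of `True` is the case worth chasing, since it means more than one jackson-databind was shaded in and the scanner may be reporting the older copy.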
Issue Links
- is related to: HADOOP-18033 Upgrade fasterxml Jackson to 2.13.0 (Resolved)
- relates to: HADOOP-16905 Update jackson-databind to 2.10.3 to relieve us from the endless CVE patches (Resolved)