Hey everyone, we've done a container scan of Hadoop 3.2.2, which we are using to build a shaded version of a Flink uber jar, and noticed several apparent problems that are primarily related to com.fasterxml.jackson.core_jackson-databind.
Specifically, the report claims version 2.4.0 of the library is used (I am not sure about this part personally, so I may be mistaken), and the fix suggestion I see is to move up to either 18.104.22.168, 22.214.171.124, 126.96.36.199 as appropriate.
I believe 2.10.3 is actually what's currently in use based on https://github.com/apache/hadoop/blob/4cf35315838a6e65f87ed64aaa8f1d31594c7fcd/hadoop-project/pom.xml#L75
Hopefully not a far-reaching change, as I know changing dependencies can sometimes have a big knock-on effect. Anyway, I figured I'd report it in case someone plans to work on it.
Again do note that this is using a scan of an image built for Flink 1.11.3, but using Hadoop so it has a bunch of the same classes in, and I do believe that in Flink itself, the version of Jackson pulled in does not have the same problems, thus my thinking it is related to the Hadoop dependencies.
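
Added example (not part of the original report, and not Hadoop or Flink code): one way to check which jackson-databind versions are really bundled, by reading the Maven `pom.properties` metadata inside the jar, including jars nested within it. It assumes the shading step kept `META-INF/maven/` metadata; the sample jar and the `lib/old-dep.jar` name are constructed for the demonstration.

```python
import io
import zipfile

def parse_properties(text):
    """Parse the simple key=value lines Maven writes to pom.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def bundled_versions(jar, artifact="jackson-databind", prefix=""):
    """Return sorted (version, groupId, location) for each copy of `artifact`
    whose Maven metadata is in `jar` (path or file object) or a nested jar."""
    found = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".jar"):
                nested = io.BytesIO(zf.read(name))
                found += bundled_versions(nested, artifact, prefix + name + "!/")
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                if props.get("artifactId") == artifact:
                    found.append((props.get("version", "?"),
                                  props.get("groupId", "?"), prefix + name))
    return sorted(found)

def build_sample_jar():
    """Constructed sample: an uber jar with one flattened copy and one nested jar."""
    def meta(version):
        return ("#Generated by Maven\nversion=%s\n"
                "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n" % version)
    path = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(path, meta("2.4.0"))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(path, meta("2.10.3"))
        zf.writestr("lib/old-dep.jar", inner.getvalue())
    outer.seek(0)
    return outer

if __name__ == "__main__":
    for version, group, where in bundled_versions(build_sample_jar()):
        print(version, group, where)
```

Pass the path of the real uber jar to `bundled_versions` in place of the constructed sample; more than one row in the result means several copies are bundled, which is one way a scanner can report an older version than the one pinned in the build.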