[HBASE-22728] Upgrade jackson dependencies in branch-1 - ASF JIRA

XML

Word

Printable

JSON

Hadoop Flags:

Reviewed
Release Note:

Hide
1. Stopped using Jackson1(org.codehaus.jackson*) in HBase code base.
2. Upgraded to Jackson2(com.fasterxml.jackson*) instead.
3. Stopped exposing vulnerable Jackson1 dependencies (org.codehaus.jackson:jackson-mapper-asl:1.9.13) so that downstreamers would not pull it in from HBase.
4. However, since Hadoop requires this dependency, put vulnerable jackson at compile scope in hbase-assembly module so that HBase tarball contains this mapper jar in lib. Still, downsteam applications can't pull in Jackson1 from HBase.
5. Upgraded maven assembly plugin to 3.1.1.

Show
1. Stopped using Jackson1(org.codehaus.jackson*) in HBase code base. 2. Upgraded to Jackson2(com.fasterxml.jackson*) instead. 3. Stopped exposing vulnerable Jackson1 dependencies (org.codehaus.jackson:jackson-mapper-asl:1.9.13) so that downstreamers would not pull it in from HBase. 4. However, since Hadoop requires this dependency, put vulnerable jackson at compile scope in hbase-assembly module so that HBase tarball contains this mapper jar in lib. Still, downsteam applications can't pull in Jackson1 from HBase. 5. Upgraded maven assembly plugin to 3.1.1.

Avoid Jackson versions and dependencies with known CVEs

breaks

HBASE-23015 Replace Jackson with relocated gson everywhere but hbase-rest

is duplicated by

HBASE-22797 [backport] HBASE-22778 upgrade jackson-databind to 2.9.9.2

relates to

HBASE-23174 Upgrade jackson and jackson-databind to 2.9.10 (branch-1)