HBase / HBASE-22863

Avoid Jackson versions and dependencies with known CVEs


Details

    • Reviewed

      1. Stopped exposing vulnerable Jackson1 dependencies so that downstream projects would not pull them in from HBase.
      2. However, since Hadoop requires some Jackson1 dependencies, the vulnerable Jackson mapper is kept at test scope in some HBase modules; hence the HBase tarball created by hbase-assembly still contains the Jackson1 mapper jar in lib. Still, downstream applications can't pull in Jackson1 from HBase.

    Description

      Partly a forward-port of the branch-1 Jira HBASE-22728.

      Even though master and branch-2 moved away from Jackson1 some time back, HBase is still pulling in some vulnerable Jackson1 dependencies (e.g. jackson-mapper-asl:1.9.13) transitively from Hadoop:

      [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
      [INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
      [INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
      [INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
      [INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
      [INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
      [INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
      [INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
      [INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
      [INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
      [INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
      [INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
      [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
      [INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
      [INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
      [INFO]    +- com.sun.jersey:jersey-json:jar:1.9:compile
      [INFO]    |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
      [INFO]    |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
      [INFO]    +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
      [INFO]    \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
      [INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
      [INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
      [INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
      [INFO]       +- com.sun.jersey:jersey-json:jar:1.9:test
      [INFO]       |  +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
      [INFO]       |  \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
      [INFO]       +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
      [INFO]       \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
      

      Jackson1 is no longer used in HBase code, so we should include it only at test scope where Hadoop requires it, and definitely exclude it from the corresponding Hadoop dependencies so that it is not exported to downstream consumers.
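The dependency tree above is the evidence for this claim. As an added example (not part of the HBase patch or the project's own tooling), the following script makes the check mechanical: it parses `mvn dependency:tree` output, tracks the path from each module root to every `org.codehaus.jackson` artifact, and flags those that a downstream consumer of the module would inherit. The sample input is constructed from the hbase-mapreduce excerpt shown in the description. The exposure rule used here (an artifact is exported only if every node on its path, itself included, is at compile or runtime scope, so test and provided subtrees are not exported) is an assumed simplification of Maven's scope mediation.

```python
"""Flag Jackson1 artifacts in `mvn dependency:tree` output that downstream
consumers would inherit. Added example, not part of the HBase patch."""
import re
from dataclasses import dataclass

# Constructed sample: the hbase-mapreduce excerpt from the issue description.
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
"""

INFO_PREFIX = "[INFO] "
SCOPES = {"compile", "runtime", "test", "provided", "system"}
# Each tree level is a fixed 3-character cell: "+- ", "\- ", "|  " or "   ".
NODE_RE = re.compile(r"^(?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coord>\S+)$")
# Assumed simplification of Maven scope mediation: only compile/runtime
# nodes are exported to a consumer; test/provided subtrees are not.
EXPORTED_SCOPES = {"compile", "runtime"}


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    packaging: str
    version: str
    scope: str

    def coord(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}:{self.scope}"


@dataclass
class Finding:
    path: list        # Artifacts from the module root down to the match
    exported: bool    # True if a consumer of the root would inherit it

    @property
    def leaf(self) -> Artifact:
        return self.path[-1]


def parse_coord(coord: str) -> Artifact:
    """Parse group:artifact:type[:classifier]:version[:scope]; roots carry no scope."""
    parts = coord.split(":")
    scope = "compile"
    if parts[-1] in SCOPES:
        scope = parts.pop()
    return Artifact(parts[0], parts[1], parts[2], parts[-1], scope)


def scan_tree(tree_text: str, groups=("org.codehaus.jackson",)) -> list:
    """Return a Finding for every artifact whose groupId is in `groups`."""
    findings = []
    stack = []  # path of Artifacts from the current module root
    for raw in tree_text.splitlines():
        line = raw.rstrip()
        stripped = line.lstrip()
        if stripped.startswith(INFO_PREFIX):
            line = stripped[len(INFO_PREFIX):]
        if line.startswith("---"):  # "--- maven-dependency-plugin:... @ module ---"
            stack = []
            continue
        m = NODE_RE.match(line)
        if not m or m.group("coord").count(":") < 3:
            continue  # status lines such as "BUILD SUCCESS"
        depth = len(m.group("prefix")) // 3
        node = parse_coord(m.group("coord"))
        del stack[depth:]  # unwind to this node's parent
        stack.append(node)
        if node.group in groups:
            exported = all(a.scope in EXPORTED_SCOPES for a in stack)
            findings.append(Finding(list(stack), exported))
    return findings


def report(findings) -> str:
    lines = []
    for f in findings:
        status = "EXPORTED" if f.exported else "not exported"
        chain = " -> ".join(f"{a.artifact}:{a.scope}" for a in f.path)
        lines.append(f"{status:13} {f.leaf.coord()}\n    via {chain}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = scan_tree(SAMPLE_TREE)
    print(report(found))
    print(f"{sum(f.exported for f in found)} of {len(found)} Jackson1 artifacts "
          "would reach downstream consumers")
```

On the sample, three of the four Jackson1 artifacts are exported (the two under hadoop-yarn-common and the one under hbase-http); jackson-mapper-asl sits under the test-scoped jobclient test-jar and is not. Running the same scan on a tree produced after the exclusions are in place should report no exported findings.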

      Attachments

        1. HBASE-22863.branch-2.000.patch (14 kB, Viraj Jasani)
        2. HBASE-22863.master.000.patch (30 kB, Viraj Jasani)
        3. HBASE-22863.master.001.patch (14 kB, Viraj Jasani)

            People

              vjasani Viraj Jasani
              vjasani Viraj Jasani