Oozie / OOZIE-2410

Fork collections-generic


Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Won't Fix
    • trunk

    Description

      The Jung library used by the GraphGenerator code is using an old fork of Commons-Collections which added generics. There was recently a security bug in Commons-Collections (COLLECTIONS-580). The fork we're using hasn't been updated since 2010 and is dead, so it won't get the security fix (Commons-Collections 3.2.2 or 4.1). While Oozie isn't currently vulnerable to an attack due to this, it would be good to patch this just to be safe.

      Unfortunately, the best way to fix this is to fork the fork, which isn't super great. Anyway, we can make a new "oozie-collections-generic" module with the collections-generic code + the security fixes applied.

      In the long run, we should implement OOZIE-2406, which will completely rewrite the GraphGenerator (there are a number of other downsides with the current implementation listed there), at which time we can remove this new module.

      Attachments

        1. security-fixes.patch
          21 kB
          Robert Kanter
        2. OOZIE-2410.001.patch
          3.15 MB
          Robert Kanter

            People

              rkanter Robert Kanter