Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 3.0.0-alpha-1, 2.3.0
- None
- Reviewed
Description
Partly forwardport from branch-1 Jira: HBASE-22728
Even though master and branch-2 have moved away from Jackson1 some time back, HBase is still pulling in some vulnerable jackson dependencies (e.g. jackson-mapper-asl:1.9.13) from Hadoop:
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-mapreduce ---
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] | \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] | \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] | \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] | \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO] \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO] +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO] \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ hbase-shaded-testing-util ---
[INFO] org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:compile
[INFO] +- com.sun.jersey:jersey-json:jar:1.9:compile
[INFO] | +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:compile
[INFO] | \- org.codehaus.jackson:jackson-xc:jar:1.8.3:compile
[INFO] +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] org.apache.hbase:hbase-shaded-testing-util-tester:jar:3.0.0-SNAPSHOT
[INFO] \- org.apache.hbase:hbase-shaded-testing-util:jar:3.0.0-SNAPSHOT:test
[INFO] \- org.apache.hadoop:hadoop-common:test-jar:tests:2.8.5:test
[INFO] +- com.sun.jersey:jersey-json:jar:1.9:test
[INFO] | +- org.codehaus.jackson:jackson-jaxrs:jar:1.8.3:test
[INFO] | \- org.codehaus.jackson:jackson-xc:jar:1.8.3:test
[INFO] +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
Jackson1 is not being used in HBase code anymore and hence, we should include it only at test scope if required by Hadoop but definitely exclude it from corresponding Hadoop dependencies.
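One way to check the condition described above in a build pipeline, as an added example that is not part of the original report or of the HBase code base: a small Python parser for `mvn dependency:tree` text output that reports every `org.codehaus.jackson` artifact, its scope, and the direct dependency that would need the exclusion. The function names are hypothetical, and the sample is the hbase-mapreduce tree from the report with Maven's usual three-characters-per-level indentation restored by hand.

```python
import re

# Constructed sample: the hbase-mapreduce tree from the report, with Maven's
# usual three-characters-per-level indentation restored by hand (assumption).
SAMPLE_TREE = r"""
[INFO] org.apache.hbase:hbase-mapreduce:jar:3.0.0-SNAPSHOT
[INFO] +- org.apache.hbase:hbase-server:jar:3.0.0-SNAPSHOT:compile
[INFO] |  \- org.apache.hbase:hbase-http:jar:3.0.0-SNAPSHOT:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:test-jar:tests:2.8.5:test
[INFO] |  \- org.apache.avro:avro:jar:1.7.7:compile
[INFO] |     \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.8.5:compile
[INFO]    \- org.apache.hadoop:hadoop-yarn-common:jar:2.8.5:compile
[INFO]       +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO]       \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
"""

# "[INFO] " + tree-drawing prefix + group:artifact:type[:classifier]:version[:scope]
LINE = re.compile(r"^\[INFO\] ([|+\\\- ]*)([\w.\-]+(?::[\w.\-]+){3,5})$")

def find_jackson1(tree_text, banned_group="org.codehaus.jackson"):
    """Return one record per banned artifact, with the direct dependency pulling it in."""
    findings, path = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # plugin banners, blank lines, other log output
        depth, fields = len(m.group(1)) // 3, m.group(2).split(":")
        del path[depth:]          # pop back to this node's parent
        path.append(fields[1])    # artifactId of the current node
        if len(path) < 2 or fields[0] != banned_group:
            continue              # module root, or not a Jackson1 artifact
        findings.append({"module": path[0], "via": path[1], "artifact": fields[1],
                         "version": fields[-2], "scope": fields[-1]})
    return findings

def outside_test_scope(findings):
    """Jackson1 artifacts that would land on a compile or runtime classpath."""
    return [f for f in findings if f["scope"] != "test"]

if __name__ == "__main__":
    for f in outside_test_scope(find_jackson1(SAMPLE_TREE)):
        print("{module}: {artifact}:{version} ({scope}) via {via}".format(**f))
```

The `via` field names the first-level dependency of the module, which is where a Maven `<exclusions>` entry for the Jackson1 artifact would go.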