Details
- Improvement
- Status: Patch Available
- Major
- Resolution: Unresolved
- None
- None
Description
Problem Statement
HBase has to explicitly depend on org.glassfish:javax.el:jar:3.0.1-b08, as this dependency is needed by javax.servlet.jsp. This direct dependency was added due to https://issues.apache.org/jira/browse/HBASE-18831
The mvn dependency tree shows the following:
[INFO] | +- org.glassfish.web:javax.servlet.jsp:jar:2.3.2:compile
[INFO] | | \- org.glassfish:javax.el:jar:3.0.1-b08:compile
org.glassfish:javax.el:jar:3.0.1-b08:compile has https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250
We have a ton of Jiras in HBase around glassfish and the issues caused by it. With this Jira I plan to completely remove org.glassfish:javax.el:jar:3.0.1-b08 from our dependency tree. Also, org.glassfish:javax.el is EOL and needs migration to jakarta-el, which is not trivial. See https://mvnrepository.com/artifact/org.glassfish/javax.el
Proposed Solution
This Jira aims to replace the javax.servlet.jsp dependency with tomcat-jasper (as javax.servlet.jsp strictly needs glassfish), and this requires minimal change with respect to migrating to jakarta-el.
Also, we use javax.servlet.jsp to generate/build JSPs, and the same can be achieved via tomcat-jasper.
CC: zhangduo
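Added example (not part of the issue and not HBase's own code): a check that could confirm the removal by parsing `mvn dependency:tree` text output and reporting every path that still pulls in org.glassfish:javax.el. The sample tree is constructed around the two lines quoted in the description; the org.example coordinates and the three-character indent spacing are assumptions.

```python
import re
import sys

# One node line of `mvn dependency:tree` text output: an indent built from
# 3-character units ("|  " or "   "), then "+- " or "\- ", then the coordinates.
NODE = re.compile(r"^\[INFO\] ((?:\|  |   )*)(?:\+- |\\- )(\S+)")
# The module's own coordinates (tree root): no indent and no branch marker.
ROOT = re.compile(r"^\[INFO\] ([\w.\-]+:[\w.\-]+:[\w.\-]+:\S+)$")

# Constructed sample. Only the two org.glassfish lines come from the issue;
# every org.example coordinate is a placeholder.
SAMPLE = r"""
[INFO] org.example:demo-module:jar:0.0.0
[INFO] +- org.example:web-parent:jar:1.0:compile
[INFO] |  +- org.glassfish.web:javax.servlet.jsp:jar:2.3.2:compile
[INFO] |  |  \- org.glassfish:javax.el:jar:3.0.1-b08:compile
[INFO] |  \- org.example:sibling:jar:1.0:compile
[INFO] \- org.example:unrelated:jar:1.0:test
"""

def find_paths(tree_text, banned_ga):
    """Return each root-to-node path ending in groupId:artifactId == banned_ga."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        node = NODE.match(line)
        if node:
            depth, coord = len(node.group(1)) // 3 + 1, node.group(2)
        else:
            root = ROOT.match(line)
            if not root:
                continue  # banner, blank line, or build summary
            depth, coord = 0, root.group(1)
        del stack[depth:]  # drop siblings and deeper nodes from earlier lines
        stack.append(coord)
        if ":".join(coord.split(":")[:2]) == banned_ga:
            hits.append(list(stack))
    return hits

if __name__ == "__main__":
    # Reads real output when piped in, otherwise falls back to the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    paths = find_paths(text, "org.glassfish:javax.el")
    for path in paths:
        print(" -> ".join(path))
    sys.exit(1 if paths else 0)  # non-zero exit fails a CI step
```

Each reported path names the intermediate artifact responsible, which for the tree in the description is org.glassfish.web:javax.servlet.jsp.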
Issue Links
- relates to
  - HBASE-18831 Add explicit dependency on javax.el (Resolved)
  - HBASE-27817 Migrate javax.el:3.0.1-b08 to jakarta.el-4.0.2 (Open)