nicoloboschi opened a new pull request #13746: URL: https://github.com/apache/pulsar/pull/13746
### Motivation

The offloaders NAR files contain dependencies with open CVEs.

#### tiered-storage-file-system

`hadoop-commons:3.3.0` brings several vulnerable transitive dependencies (severity >= 7.5):

* com.faster.xml.woodstox:woodstox-core:5.0.3 -> CVE-2020-15250
* log4j:log4j:2.17
* net.minidev:json-smart:2.3 -> CVE-2021-27568
* jackson-mapper-asl:1.9.2
* okhttp 2.7.5
* jetty 9.4.20
* Avro 1.7.7

#### tiered-storage-jcloud

The dependency `org.apache.jclouds:jclouds-core` looks like an uber jar containing only a dependency inside the `lib` directory: gson:2.8.5, which is vulnerable to `sonatype-2021-1694`.

### Modifications

#### tiered-storage-file-system

* Upgraded hadoop packages from 3.3.0 to 3.3.1
* Fixed Log4j transitive dependency
* Excluded deprecated Jackson from Jetty 1 (transitive dependency of hadoop-commons)
* Forced Avro to 1.10.2
* Forced json-smart to 2.4.7

#### tiered-storage-jcloud

* Excluded the exceeding gson jar and added the correct latest one (2.8.9)

### Verifying this change

This change is already covered by existing tests, such as *(please describe tests)*.

* integration tests about offloading

### Does this pull request potentially affect one of the following parts:

- Dependencies (does it add or upgrade a dependency): (yes)

### Documentation

- [x] `no-need-doc`
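The Modifications section describes the usual Maven levers for cleaning up a NAR's transitive dependencies: bump the direct dependency, exclude artifacts the module does not need, and pin the versions of the ones it does. The fragment below is an added illustration of that pattern, not the PR's actual diff or Pulsar's real pom. It assumes a pom.xml in the tiered-storage-file-system module, assumes the property names `hadoop.version`, `avro.version` and `json-smart.version`, and assumes the legacy Jackson and Log4j 1.x artifacts arrive through `org.apache.hadoop:hadoop-common`, so the exclusions hang off that dependency.

```xml
<!-- Added example (assumed pom.xml of the tiered-storage-file-system module);
     not the PR's actual change. Property names are assumptions. -->
<project>
  <properties>
    <hadoop.version>3.3.1</hadoop.version>
    <avro.version>1.10.2</avro.version>
    <json-smart.version>2.4.7</json-smart.version>
  </properties>

  <!-- "Forced" versions: any transitive request for these coordinates
       resolves to the version declared here, even if hadoop-common
       asks for an older one (e.g. json-smart 2.3 or Avro 1.7.7). -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.avro</groupId>
        <artifactId>avro</artifactId>
        <version>${avro.version}</version>
      </dependency>
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>${json-smart.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-common</artifactId>
      <version>${hadoop.version}</version>
      <exclusions>
        <!-- Artifacts with no maintained fix: drop them from the NAR
             instead of pinning them. Jackson 1.x (jackson-mapper-asl)
             and Log4j 1.x are the two named in the PR. -->
        <exclusion>
          <groupId>org.codehaus.jackson</groupId>
          <artifactId>jackson-mapper-asl</artifactId>
        </exclusion>
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

Two caveats when applying this pattern. An `<exclusion>` only removes the artifact along that one dependency path; if another hadoop artifact in the module also pulls in jackson-mapper-asl, it needs the same exclusion, so confirm the result with `mvn dependency:tree -Dincludes=org.codehaus.jackson` (and likewise for `net.minidev:json-smart` and `org.apache.avro`) before trusting the NAR. And `<dependencyManagement>` cannot reach a jar that is physically bundled inside another jar's `lib` directory, which is the jclouds-core/gson situation the PR describes; that case has to be handled in the packaging step, not in dependency resolution.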