[ https://issues.apache.org/jira/browse/HADOOP-16485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16950719#comment-16950719 ]

Tatu Saloranta commented on HADOOP-16485:
-----------------------------------------

Just to add a quick comment regarding Jackson versions: unless "Default Typing" 
is enabled, with a call to `mapper.enableDefaultTyping(...)` (which is something 
most projects do not do, and is not the default), none of the multiple CVEs 
actually applies. A full explanation of when it does apply can be found at 
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Unfortunately security tools faithfully indicate that every single version with 
CVEs is considered suspect (unfortunately they have no concept of conditional 
applicability?) and it is annoying to get reports about existing version having 
CVEs against it.

This will change with Jackson 2.10 – 2.10.0 having been released 2 weeks ago 
(Sep 26, 2019). CVEs of this class will not be applicable for 2.10 or later 
versions. So regardless of what ultimate plan is for json handling, it is 
possible to at least get rid of CVE warnings by upgrading.
I would probably recommend waiting until 2.10.1, as standard precaution: that 
should be released during October.
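To make the condition Tatu describes concrete, here is an added example (not code from this ticket or from Jackson itself) that puts the global Default Typing call beside the restricted form Jackson 2.10 introduced; the `com.example.model.` package prefix is a hypothetical allow-list and the JSON input is a constructed sample.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingConfig {

    // The setting under which the jackson-databind CVEs apply: global Default Typing
    // lets a type id inside the JSON choose which class gets instantiated, with no
    // allow-list. Deprecated in 2.10 but still present.
    static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // The default: no Default Typing, so this class of CVE does not apply.
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // 2.10+: if polymorphic handling is genuinely needed, activate it only with a
    // PolymorphicTypeValidator that limits type ids to packages the application owns.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical allow-list prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: wrapper-array form carrying a type id outside the allow-list.
        String json = "[\"java.util.HashMap\",{}]";
        try {
            restrictedMapper().readValue(json, Object.class);
            System.out.println("unexpected: type id was accepted");
        } catch (JsonMappingException e) {
            // With the validator in place, an unlisted type id is rejected before
            // any class is instantiated.
            System.out.println("rejected by validator: " + e.getOriginalMessage());
        }
    }
}
```

Auditing for `enableDefaultTyping` calls (and for `activateDefaultTyping` without a restrictive validator) is the quickest way to tell whether a scanner's Jackson finding is actually reachable in a given code base.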


> Remove dependency on jackson
> ----------------------------
>
>                 Key: HADOOP-16485
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16485
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Wei-Chiu Chuang
>            Priority: Major
>              Labels: release-blocker
>
> Looking at git history, there were 5 commits related to updating jackson 
> versions due to various CVEs since 2018. And it seems to get worse more 
> recently.
> File this jira to discuss the possibility of removing jackson dependency once 
> for all. I see that jackson is deeply integrated into Hadoop codebase, so not 
> a trivial task. However, if Hadoop is forced to make a new set of releases 
> because of Jackson vulnerabilities, it may start to look not so costly.
> At the very least, consider stripping jackson-databind code, since that's 
> where the majority of CVEs come from.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
