It appears that both thrift 0.12 (which HBase 1.6 uses) and Thrift 0.13 (which HBase 1.7 is targeted for and that Reid is having trouble building for JDK 7) have CVEs attached to them, which is why later branches are using Thrift 0.14.1.
(See CVE-2019-0205 [1] for Thrift 0.12, and CVE-2020-13949 [2] for both Thrift 0.12 and 0.13)

Given that we need to support JDK 7 due to HBase 1.x compatibility guidelines, and the 0.14 version of Thrift doesn't support JDK 7 [3], do we have a way forward? I hope so, but I'm not seeing one offhand.

Geoffrey

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13949
[3] https://github.com/apache/thrift/blob/v0.14.0/LANGUAGES.md

On Tue, Apr 13, 2021 at 12:35 AM Reid Chan <reidchan0...@gmail.com> wrote:

> Hi team and community:
>
> This is the error message when I tried to make a release 1.7.0:
>
> [INFO] Restricted to JDK 1.7 yet
> org.apache.thrift:libthrift:jar:0.13.0:compile contains
> org/apache/thrift/TNonblockingMultiFetchClient.class targeted to JDK 1.8
> HBase has unsupported dependencies.
> HBase requires that all dependencies be compiled with version 1.7 or
> earlier
> of the JDK to properly build from source. You appear to be using a newer
> dependency. You can use
> either "mvn -version" or "mvn enforcer:display-info" to verify what
> version is active.
> Non-release builds can temporarily build with a newer JDK version by
> setting the
> 'compileSource' property (eg. mvn -DcompileSource=1.8 clean package).
> Found Banned Dependency: org.apache.thrift:libthrift:jar:0.13.0
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M1:enforce
> (enforce-maven-version) on project hbase-thrift: Some Enforcer rules have
> failed. Look above for specific messages explaining why the rule failed. ->
> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e
> switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> [ERROR]
> [ERROR] For more information about the errors and possible solutions,
> please read the following articles:
> [ERROR] [Help 1]
> http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
> [ERROR]
> [ERROR] After correcting the problems, you can resume the build with the
> command
> [ERROR] mvn <args> -rf :hbase-thrift
>
>
> This happened at Thrift module, it seems that thrift-0.13.0 is targeted to
> JDK 1.8, but I need to use JDK 7 to do the release.
>
> Thus I couldn't run the make_rc.sh successfully, any hints or experiences
> about how to resolve this?
>
>
> ------
> Best Regards,
> R.C
>
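
Added example, not part of the original thread and not HBase or Thrift code: a small Python audit that reads the class-file header of every entry in a jar and lists the classes compiled for a newer JDK than the build allows (major version 51 is JDK 1.7, 52 is JDK 1.8), which is the condition the enforcer output above reports for libthrift 0.13.0. The function names and the in-memory sample jar are constructed for illustration; `org/example/Legacy.class` is a hypothetical entry and the sample holds header-only stand-ins, not real libthrift classes.

```python
import io
import struct
import zipfile

# Class-file major version -> Java release (JDK 1.7 = 51, JDK 1.8 = 52).
JAVA_MAJOR = {49: "1.5", 50: "1.6", 51: "1.7", 52: "1.8"}
MAGIC = 0xCAFEBABE


def classes_above(jar_bytes, max_major=51):
    """Return sorted (entry name, major version) for classes newer than max_major."""
    offenders = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename
            if not name.endswith(".class"):
                continue
            # Multi-release jars keep newer variants here; an old JVM ignores them.
            if name.startswith("META-INF/versions/"):
                continue
            with jar.open(info) as fh:
                header = fh.read(8)
            if len(header) < 8:
                continue  # truncated entry, not a valid class file
            magic, _minor, major = struct.unpack(">IHH", header)
            if magic == MAGIC and major > max_major:
                offenders.append((name, major))
    return sorted(offenders)


def make_sample_jar():
    """Constructed sample: header-only stand-ins, not real libthrift content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/thrift/TNonblockingMultiFetchClient.class",
                     struct.pack(">IHH", MAGIC, 0, 52))
        jar.writestr("org/example/Legacy.class",  # hypothetical JDK 1.7 class
                     struct.pack(">IHH", MAGIC, 0, 51))
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, major in classes_above(make_sample_jar()):
        print(f"{name}: major {major} (JDK {JAVA_MAJOR.get(major, '?')})")
```

To audit a real dependency, pass the bytes of the jar file read from disk instead of the constructed sample.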