Andrew Kyle Purtell created HBASE-27436:
-------------------------------------------
Summary: Remove protobuf 2 dependencies
Key: HBASE-27436
URL: https://issues.apache.org/jira/browse/HBASE-27436
Project: HBase
Issue Type: Bug
Reporter: Andrew Kyle Purtell
Protobuf 2 is subject to CVE-2015-5237, CVE-2021-22569, CVE-2022-3171 and
scanners checking compliance with zero tolerance CVE policies will hit on HBase
because a dependency on com.google.protobuf:protobuf-java:2.5.0 is still
exported by 2.x versions.
It is impossible to remove that dependency given our compatibility guidelines
but nonetheless it is a problem for downstream consumers of HBase with such
security policies.
HBase 2 uses Protobuf 3 internally for RPC, in hbase-protocol-shaded.
We still depend on some protobuf-java v2.5 classes because we use the Protobuf
2 compiler to compile the IDL in the backwards compatible hbase-protocol
module. Perhaps we can extract and produce a scaffold from protobuf-java v2.5,
just enough so the generated classes from the IDL will compile, and ship that
scaffold included, so the dependency on protobuf-java 2.5 proper can be
dropped. Protobuf is MIT licensed so partial appropriation of the source would
be allowable.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
