[ https://issues.apache.org/jira/browse/OOZIE-3172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16346507#comment-16346507 ]
Attila Sasvari commented on OOZIE-3172:
---------------------------------------

There are transitive dependencies. Spark ShareLib for example:
{code:java}
[INFO] Building Apache Oozie Share Lib Spark 5.0.0-beta1
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ oozie-sharelib-spark ---
[INFO] org.apache.oozie:oozie-sharelib-spark:jar:5.0.0-beta1
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.6.0:compile
[INFO] |  +- org.apache.hadoop:hadoop-yarn-common:jar:2.6.0:compile
[INFO] |  |  +- org.apache.hadoop:hadoop-yarn-api:jar:2.6.0:compile
[INFO] |  |  +- javax.xml.bind:jaxb-api:jar:2.2.2:compile
[INFO] |  |  |  +- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] |  |  |  \- javax.activation:activation:jar:1.1:compile
[INFO] |  |  +- org.apache.commons:commons-compress:jar:1.4.1:compile
[INFO] |  |  |  \- org.tukaani:xz:jar:1.0:compile
[INFO] |  |  +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile
[INFO] |  |  +- com.sun.jersey:jersey-client:jar:1.9:compile
[INFO] |  |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
{code}
I would submit the example workflows to verify it does not cause issues.

> Upgrade non-transitive Jackson dependencies from org.codehaus.jackson to com.fasterxml.jackson
> ----------------------------------------------------------------------------------------------
>
>                 Key: OOZIE-3172
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3172
>             Project: Oozie
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 5.0.0b1
>            Reporter: Andras Piros
>            Assignee: Andras Piros
>            Priority: Major
>         Attachments: OOZIE-3172.001.patch, OOZIE-3172.002.patch
>
>
> Jackson 1.9.3 is way too old, and has several security vulnerabilities as well. Jackson 2.9.2 covers most of these.
> Let's switch from {{org.codehaus.jackson}} to {{com.fasterxml.jackson}} in Oozie's direct (non-transitive) dependencies.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
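
An added example (not part of the original message or of Oozie's code base): a small parser for `mvn dependency:tree` output that reports the chain through which each `org.codehaus.jackson` artifact reaches a module, and whether it is direct or transitive. The function name `legacy_jackson_paths` is hypothetical, the sample input is constructed from the tree quoted in the comment, and Maven's usual three-character indent per level is assumed.

```python
import re

# Constructed sample: a trimmed copy of the dependency:tree output quoted in
# the comment, with Maven's usual three-character indent per tree level.
SAMPLE_TREE = r"""
[INFO] org.apache.oozie:oozie-sharelib-spark:jar:5.0.0-beta1
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.6.0:compile
[INFO] |  +- org.apache.hadoop:hadoop-yarn-common:jar:2.6.0:compile
[INFO] |  |  +- javax.xml.bind:jaxb-api:jar:2.2.2:compile
[INFO] |  |  |  \- javax.activation:activation:jar:1.1:compile
[INFO] |  |  +- com.sun.jersey:jersey-client:jar:1.9:compile
[INFO] |  |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
"""

# Tree-drawing prefix, then group:artifact:type[:classifier]:version[:scope].
NODE = re.compile(r"^([|+\\\- ]*)([A-Za-z][\w.\-]*(?::[\w.\-]+){3,5})\s*$")


def legacy_jackson_paths(tree_text, group="org.codehaus.jackson"):
    """Hypothetical helper: list (path, is_transitive) for artifacts in `group`."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        m = NODE.match(line[len("[INFO] "):])
        if not m:
            continue  # banner, separator or plugin header, not a tree node
        depth = len(m.group(1)) // 3  # 0 = module, 1 = direct dependency
        del stack[depth:]             # drop siblings and deeper nodes
        stack.append(m.group(2))
        if m.group(2).split(":")[0] == group:
            hits.append((list(stack), depth > 1))
    return hits


if __name__ == "__main__":
    for path, transitive in legacy_jackson_paths(SAMPLE_TREE):
        kind = "transitive" if transitive else "direct"
        print(kind + ": " + "\n  -> ".join(path))
```

Entries reported as transitive are the ones a change limited to direct dependencies leaves on the classpath.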