[ https://issues.apache.org/jira/browse/OOZIE-3172?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16346507#comment-16346507 ]

Attila Sasvari commented on OOZIE-3172:
---------------------------------------

There are transitive dependencies. Spark ShareLib for example:
{code:java}
[INFO] Building Apache Oozie Share Lib Spark 5.0.0-beta1
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ oozie-sharelib-spark ---
[INFO] org.apache.oozie:oozie-sharelib-spark:jar:5.0.0-beta1
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.6.0:compile
[INFO] |  +- org.apache.hadoop:hadoop-yarn-common:jar:2.6.0:compile
[INFO] |  |  +- org.apache.hadoop:hadoop-yarn-api:jar:2.6.0:compile
[INFO] |  |  +- javax.xml.bind:jaxb-api:jar:2.2.2:compile
[INFO] |  |  |  +- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] |  |  |  \- javax.activation:activation:jar:1.1:compile
[INFO] |  |  +- org.apache.commons:commons-compress:jar:1.4.1:compile
[INFO] |  |  |  \- org.tukaani:xz:jar:1.0:compile
[INFO] |  |  +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile
[INFO] |  |  +- com.sun.jersey:jersey-client:jar:1.9:compile
[INFO] |  |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
{code}
I would submit the example workflows to verify it does not cause issues.

> Upgrade non-transitive Jackson dependencies from org.codehaus.jackson to 
> com.fasterxml.jackson
> ----------------------------------------------------------------------------------------------
>
>                 Key: OOZIE-3172
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3172
>             Project: Oozie
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 5.0.0b1
>            Reporter: Andras Piros
>            Assignee: Andras Piros
>            Priority: Major
>         Attachments: OOZIE-3172.001.patch, OOZIE-3172.002.patch
>
>
> Jackson 1.9.3 is way too old, and has several security vulnerabilities as 
> well. Jackson 2.9.2 covers most of these.
> Let's switch from {{org.codehaus.jackson}} to {{com.fasterxml.jackson}} in 
> Oozie's direct (non-transitive) dependencies.
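
Added example (not part of the original message or of Oozie's code): a small Python parser for `mvn dependency:tree` text output that reports the chain through which a given groupId arrives transitively, so the direct dependency responsible can be identified. The sample tree is constructed from the shape of the output quoted in the comment above, and the function name `transitive_paths` is hypothetical.

```python
import re

# Constructed sample shaped like `mvn dependency:tree` output (not a real build log).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:2.4:tree (default-cli) @ oozie-sharelib-spark ---
[INFO] org.apache.oozie:oozie-sharelib-spark:jar:5.0.0-beta1
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.6.0:compile
[INFO] |  +- org.apache.hadoop:hadoop-yarn-common:jar:2.6.0:compile
[INFO] |  |  +- org.apache.hadoop:hadoop-yarn-api:jar:2.6.0:compile
[INFO] |  |  \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.2:compile
"""

# Tree prefix is built from 3-character cells: "|  " or "   " per ancestor
# level, then "+- " or "\- " in front of the artifact coordinate.
LINE = re.compile(
    r"^\[INFO\] (?P<pre>(?:[| ] {2})*(?:[+\\]- )?)"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})\s*$"
)


def transitive_paths(tree_text, group_id):
    """Return the chain (root first) for every artifact of group_id that
    sits at depth 2 or deeper, i.e. is not a direct dependency of the root."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, separator or blank line
        depth = len(m["pre"]) // 3
        del stack[depth:]          # drop siblings and their subtrees
        stack.append(m["coord"])
        if depth >= 2 and m["coord"].split(":")[0] == group_id:
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    for chain in transitive_paths(SAMPLE_TREE, "org.codehaus.jackson"):
        print(" -> ".join(chain))
```

Feeding it the real output of `mvn dependency:tree` for a module lists every path that still brings in `org.codehaus.jackson` after the direct dependencies have been switched.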


