Samrat002 commented on code in PR #27026:
URL: https://github.com/apache/flink/pull/27026#discussion_r3472293551


##########
flink-filesystems/flink-s3-fs-base/pom.xml:
##########
@@ -87,6 +91,19 @@ under the License.
                                        <groupId>com.sun.jersey</groupId>
                                        <artifactId>jersey-server</artifactId>
                                </exclusion>
+                               <!-- Pulled in by hadoop-common 3.4.x via 
com.github.pjfanning:jersey-json,
+                                    ships com/sun/jersey/json/** classes. -->
+                               <exclusion>
+                                       <groupId>com.github.pjfanning</groupId>
+                                       <artifactId>jersey-json</artifactId>
+                               </exclusion>
+                               <!-- Transitive of jersey-json above; ships 
com/sun/xml/bind/** classes
+                                    (CDDL+GPLv2-with-classpath-exception). The 
JDK provides JAXB RI; we
+                                    only ship the API as a Java 11+ 
multi-release resource. -->
+                               <exclusion>
+                                       <groupId>com.sun.xml.bind</groupId>
+                                       <artifactId>jaxb-impl</artifactId>
+                               </exclusion>
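Review bot: The justification in the jaxb-impl exclusion comment is inaccurate and should be reworded: "The JDK provides JAXB RI" has not been true since Java 11 (java.xml.bind was removed from the JDK), and the same comment then says the API is shipped "as a Java 11+ multi-release resource", which contradicts it. State the actual reason the exclusion is safe, i.e. that no code path reached through hadoop-common in flink-s3-fs-base needs com.sun.jersey.json or JAXB at runtime, and back it with a check (a filesystem integration test on a Java 11+ JDK) rather than an assumption, since a wrong exclusion surfaces only as NoClassDefFoundError at runtime, not at build time. Also, because both exclusions are motivated partly by licensing (CDDL+GPLv2-with-classpath-exception), the bundled NOTICE files for the modules that inherit this base pom should be updated in the same change so the shaded jar and its NOTICE stay consistent.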

Review Comment:
   Isn't this exclusion breaking hadoop-s3-fs-presto? 



##########
flink-filesystems/flink-s3-fs-hadoop/src/main/resources/META-INF/NOTICE:
##########
@@ -3,56 +3,107 @@ Copyright 2014-2026 The Apache Software Foundation
 
 This project bundles the following dependencies under the Apache Software 
License 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt)
 
-- com.amazonaws:aws-java-sdk-core:1.12.779
-- com.amazonaws:aws-java-sdk-dynamodb:1.12.779
-- com.amazonaws:aws-java-sdk-kms:1.12.779
-- com.amazonaws:aws-java-sdk-s3:1.12.779
-- com.amazonaws:aws-java-sdk-sts:1.12.779
-- com.amazonaws:jmespath-java:1.12.779
 - com.fasterxml.jackson.core:jackson-annotations:2.21
 - com.fasterxml.jackson.core:jackson-core:2.21.3
 - com.fasterxml.jackson.core:jackson-databind:2.21.3
-- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.21.3
-- com.fasterxml.woodstox:woodstox-core:5.3.0
-- com.google.guava:failureaccess:1.0
-- com.google.guava:guava:27.0-jre
+- com.fasterxml.woodstox:woodstox-core:5.4.0
+- com.google.guava:failureaccess:1.0.1
+- com.google.guava:guava:32.0.1-jre
 - com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-- com.google.j2objc:j2objc-annotations:1.1
-- commons-beanutils:commons-beanutils:1.9.4
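Review bot: Removing the NOTICE entries for com.amazonaws:aws-java-sdk-*:1.12.779 and commons-beanutils:commons-beanutils:1.9.4 needs a matching change in what is actually bundled, and the visible part of the hunk shows only the removals. Two things to confirm: first, that the replacement SDK coordinates (if the v1 SDK was swapped for another one) appear further down in this hunk, otherwise the NOTICE under-reports the shaded jar; second, that commons-beanutils is genuinely gone from the shaded artifact and not merely unpinned. If hadoop-common still pulls it in transitively, the jar will bundle whatever version the dependency graph resolves to, the NOTICE will list nothing for it, and the version may be older than the 1.9.4 that was deliberately listed here. Attach the output of `mvn dependency:tree -pl flink-filesystems/flink-s3-fs-hadoop` (or the shade plugin's bundled-artifact list) to the PR so the NOTICE can be checked line by line.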

Review Comment:
   This removal can bring back the security vulnerability.
   https://issues.apache.org/jira/browse/FLINK-21123 



##########
flink-filesystems/flink-s3-fs-presto/pom.xml:
##########
@@ -523,14 +554,6 @@ under the License.
                                        </exclusion>
                                </exclusions>
                        </dependency>
-
-                       <dependency>
-                               <!-- Bumped for security purposes -->
-                               <groupId>commons-beanutils</groupId>
-                               <artifactId>commons-beanutils</artifactId>
-                               <version>1.9.4</version>
-                               
<optional>${flink.markBundledAsOptional}</optional>
-                       </dependency>
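Review bot: This hunk drops a pin whose own comment says it was "Bumped for security purposes", but adds nothing that keeps the resolved commons-beanutils version at or above 1.9.4. If commons-beanutils is still on the classpath transitively (for example via hadoop-common's commons-configuration2), the shaded jar will silently regress to whatever version Maven's nearest-wins resolution picks, which is exactly the situation the explicit 1.9.4 entry was guarding against. Either keep the version floor in `<dependencyManagement>`, or add a maven-enforcer `bannedDependencies` rule for `commons-beanutils:commons-beanutils:[,1.9.4)` so a regression fails the build instead of shipping; in both cases the PR description should state which version ends up bundled after this change.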

Review Comment:
   Why is this dependency removed? What version of commons-beanutils is there 
by default? 
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
