[ https://issues.apache.org/jira/browse/HBASE-24802?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280050#comment-17280050 ]
Sean Busbey commented on HBASE-24802: ------------------------------------- Attached is 'compat_report.html' to show coverage for htrace-core4 on a branch staged for 3.5.0 RCs. The exact command run was: {code} hbase-thirdparty$ japi-compliance-checker ~/.m2/repository/org/apache/htrace/htrace-core4/4.2.0-incubating/htrace-core4-4.2.0-incubating.jar hbase-noop-htrace/target/hbase-noop-htrace-3.5.0.jar --skip-internal-packages 'org\.apache\.htrace\.shaded' -l htrace -v1 htrace-core4-4.2.0-incubating -v2 hbase-noop-htrace-3.5.0 Preparing, please wait ... Using Java 1.8.0_272 Reading classes htrace-core4-4.2.0-incubating ... Reading classes hbase-noop-htrace-3.5.0 ... Comparing classes ... Creating compatibility report ... Binary compatibility: 97.1% Source compatibility: 97.1% Total binary compatibility problems: 7, warnings: 3 Total source compatibility problems: 7, warnings: 0 Report: compat_reports/htrace/htrace-core4-4.2.0-incubating_to_hbase-noop-htrace-3.5.0/compat_report.html {code} > make a drop-in compatible impl of htrace APIs that does not do anything > ----------------------------------------------------------------------- > > Key: HBASE-24802 > URL: https://issues.apache.org/jira/browse/HBASE-24802 > Project: HBase > Issue Type: Bug > Components: Client, dependencies, thirdparty > Affects Versions: 1.4.0, 2.2.0, 2.3.0, 1.6.0 > Reporter: Rodney Aaron Stainback > Assignee: Sean Busbey > Priority: Critical > Fix For: thirdparty-3.5.0 > > Attachments: compat_report.html > > > htrace-core4 is a retired project and even on the latest version they Shade > Jackson databind version 2.4.0 which has the following CVEs: > |cve|severity|cvss| > |CVE-2017-15095|critical|9.8| > |CVE-2018-1000873|medium|6.5| > |CVE-2018-14718|critical|9.8| > |CVE-2018-5968|high|8.1| > |CVE-2018-7489|critical|9.8| > |CVE-2019-14540|critical|9.8| > |CVE-2019-14893|critical|9.8| > |CVE-2019-16335|critical|9.8| > |CVE-2019-16942|critical|9.8| > |CVE-2019-16943|critical|9.8| > |CVE-2019-17267|critical|9.8| > |CVE-2019-17531|critical|9.8| > |CVE-2019-20330|critical|9.8| > |CVE-2020-10672|high|8.8| > |CVE-2020-10673|high|8.8| > |CVE-2020-10968|high|8.8| > |CVE-2020-10969|high|8.8| > |CVE-2020-11111|high|8.8| > |CVE-2020-11112|high|8.8| > |CVE-2020-11113|high|8.8| > |CVE-2020-11619|critical|9.8| > |CVE-2020-11620|critical|9.8| > |CVE-2020-14060|high|8.1| > |CVE-2020-14061|high|8.1| > |CVE-2020-14062|high|8.1| > |CVE-2020-14195|high|8.1| > |CVE-2020-8840|critical|9.8| > |CVE-2020-9546|critical|9.8| > |CVE-2020-9547|critical|9.8| > |CVE-2020-9548|critical|9.8| > > Our security team is trying to block us from using hbase because of this -- This message was sent by Atlassian Jira (v8.3.4#803005)