vtutrinov opened a new pull request, #6454: URL: https://github.com/apache/ozone/pull/6454
## What changes were proposed in this pull request? It's a continuation of the discussion started here - https://github.com/apache/ozone/pull/6441 hdds-hadoop-dependency-(client|server) modules depend on hadoop-common, the latter depends on com.nimbusds:nimbus-jose-jwt:9.8.1 (through org.apache.hadoop:hadoop-auth). The 9.8.1th version of the com.nimbusds:nimbus-jose-jwt library contains a shaded version of the net.minidev:json-smart:1.3.2 (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/815b98228df7be7b918ae368ea003a034768f769/pom.xml#lines-59) that has a CVE - https://nvd.nist.gov/vuln/detail/CVE-2021-31684. Upgrading the nimbus-jose-jwt up to 9.24 will resolve the issue - there the json-smart was replaced with google-gson library ## What is the link to the Apache JIRA https://issues.apache.org/jira/browse/HDDS-10600 ## How was this patch tested? Existing hadoop-related robot tests -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
