Skip to content

HDDS-10589. set the net.minidev:json-smart dependency version up to 2.5.0 #6441

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
vtutrinov wants to merge 1 commit into from
Closed

HDDS-10589. set the net.minidev:json-smart dependency version up to 2.5.0 #6441

vtutrinov wants to merge 1 commit into from

Conversation

@vtutrinov
Copy link
Contributor

@vtutrinov vtutrinov commented Mar 26, 2024

What changes were proposed in this pull request?

ozone-filesystem-hadoop2 transitively depends on net.minidev:json-smart:2.3 that contains a CVE-2021-31684:

https://nvd.nist.gov/vuln/detail/CVE-2021-31684
netplex/json-smart-v2#67

The version of the library needs to be upgraded to 2.5.0

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-10589

How was this patch tested?

Existing hadoop related robot tests

@adoroszlai adoroszlai added the dependencies Pull requests that update a dependency file label Mar 26, 2024
adoroszlai
adoroszlai requested changes Mar 26, 2024
View reviewed changes
Copy link
Contributor

@adoroszlai adoroszlai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As the changes in jar-report.txt indicate, Ozone currently does not depend on json-smart. We should not introduce this dependency.

The dependency on Hadoop 2.x is provided, meaning that users need to supply Hadoop and its dependencies. Therefore, anyone using ozone-filesystem-hadoop2-*.jar can simply upgrade json-smart on their end.

dineshchitlangia
dineshchitlangia requested changes Mar 26, 2024
View reviewed changes
Copy link
Contributor

@dineshchitlangia dineshchitlangia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree with @adoroszlai

@vtutrinov
Copy link
Contributor Author

vtutrinov commented Mar 27, 2024

As the changes in jar-report.txt indicate, Ozone currently does not depend on json-smart. We should not introduce this dependency.

The dependency on Hadoop 2.x is provided, meaning that users need to supply Hadoop and its dependencies. Therefore, anyone using ozone-filesystem-hadoop2-*.jar can simply upgrade json-smart on their end.

@adoroszlai do you suggest not touch the json-smart dependency in ozone-filesystem-hadoop2 module, but in the place where the module is used? (e.g. in hadoop-ozone/dist/pom.xml -> profile=build-with-ozonefs)

@adoroszlai
Copy link
Contributor

adoroszlai commented Mar 27, 2024

do you suggest not touch the json-smart dependency in ozone-filesystem-hadoop2 module, but in the place where the module is used? (e.g. in hadoop-ozone/dist/pom.xml -> profile=build-with-ozonefs)

I suggest closing this PR, json-smart is not a problem.

@vtutrinov vtutrinov closed this Mar 27, 2024
@vtutrinov
Copy link
Contributor Author

vtutrinov commented Mar 27, 2024

do you suggest not touch the json-smart dependency in ozone-filesystem-hadoop2 module, but in the place where the module is used? (e.g. in hadoop-ozone/dist/pom.xml -> profile=build-with-ozonefs)

I suggest closing this PR, json-smart is not a problem.

Done

@vtutrinov
Copy link
Contributor Author

vtutrinov commented Mar 27, 2024

@adoroszlai @dineshchitlangia thanks for the review

@adoroszlai
Copy link
Contributor

adoroszlai commented Mar 27, 2024

Thanks @vtutrinov for working on these version bumps for security.

@vtutrinov vtutrinov mentioned this pull request Mar 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adoroszlai adoroszlai adoroszlai requested changes

@dineshchitlangia dineshchitlangia dineshchitlangia requested changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vtutrinov @adoroszlai @dineshchitlangia