
Exclude org.codehaus.jackson #351

Closed
wants to merge 1 commit into from

Conversation

kokosing
Contributor

Exclude org.codehaus.jackson

These libraries are old (2013) and have plenty of CVEs. They were
migrated to org.fasterxml.jackson.

@kokosing
Contributor Author

@kokosing
Contributor Author

@mneethiraj why do shim modules require so many dependencies? I see that in the hive plugin as well as in hbase. The more dependencies we add, the higher the risk of CVEs. How can I check what is actually used? I removed some of them and I see that the project (module) compiles just fine; is this good enough for testing?

@kokosing
Contributor Author

@mneethiraj ping

@mneethiraj
Contributor

why do shim modules require so many dependencies

@kokosing - you are right, shim modules only have dependencies on libraries that include classes referenced in the authorization interface (like HiveAuthorizer, HiveAuthorizerFactory), and the ranger-plugin-classloader library.

About this patch, given org.codehaus.jackson libraries are not included in Hive plugin packaging, is it necessary to exclude them from pom.xml file?

@kokosing
Contributor Author

kokosing commented Jul 24, 2024

About this patch, given org.codehaus.jackson libraries are not included in Hive plugin packaging, is it necessary to exclude them from pom.xml file?

I used mvn dependency:tree and I excluded it until the moment I no longer saw this dependency. So I believe it is necessary this way.

shim modules only have dependencies on libraries that include classes referenced in the authorization interface (like HiveAuthorizer, HiveAuthorizerFactory), and the ranger-plugin-classloader library.

Is it safe to remove these dependencies and assume that if the project compiles we are good? If that were the case then we could remove plenty of dependencies.
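The check kokosing describes above (walking `mvn dependency:tree` output until the unwanted group no longer appears) can be automated. The script below is an added example, not code from this PR or from the Ranger build: it parses the plain-text output of `mvn dependency:tree`, reports every artifact from a banned groupId together with the path that brings it in, and prints the `<exclusions>` stanza for the direct dependency that should carry the exclusion. The tree text embedded in it is constructed sample data with placeholder coordinates and versions, not the output of any real module; the artifact names are only chosen to resemble a Hive plugin shim.

```python
"""Find which direct dependency drags in artifacts from a banned groupId.

Feed it the text output of `mvn dependency:tree` on stdin (or run it with no
input to see the constructed sample). For every artifact whose groupId matches
the banned group it prints the path from the module root and the direct
dependency on which an <exclusions> block must be placed.
"""
import sys

# Constructed sample: NOT real output from the Ranger build. It only mimics the
# shape of `mvn dependency:tree`; coordinates and versions are placeholders.
SAMPLE_TREE = """\
[INFO] --- dependency:tree (default-cli) @ example-plugin-shim ---
[INFO] org.example:example-plugin-shim:jar:0.0.0-SNAPSHOT
[INFO] +- org.apache.hive:hive-exec:jar:0.0.0:provided
[INFO] |  +- org.apache.hive:hive-common:jar:0.0.0:provided
[INFO] |  |  \\- org.codehaus.jackson:jackson-mapper-asl:jar:0.0.0:provided
[INFO] |  \\- org.codehaus.jackson:jackson-core-asl:jar:0.0.0:provided
[INFO] +- org.example:plugin-classloader:jar:0.0.0-SNAPSHOT:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:0.0.0:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-core:jar:0.0.0:compile
"""

# Each nesting level in dependency:tree output is one of these 3-char cells.
TREE_PREFIXES = ("+- ", "\\- ", "|  ", "   ")


def parse_tree(text):
    """Return [(depth, groupId, artifactId, full_coordinate)] for every node."""
    nodes = []
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        rest = raw[len("[INFO] "):]
        depth = 0
        while rest[:3] in TREE_PREFIXES:
            depth += 1
            rest = rest[3:]
        coord = rest.strip()
        parts = coord.split(":")
        # Coordinates look like group:artifact:type[:classifier]:version[:scope];
        # banner lines ("--- dependency:tree ... ---") have spaces or too few parts.
        if len(parts) < 3 or " " in coord:
            continue
        nodes.append((depth, parts[0], parts[1], coord))
    return nodes


def find_offenders(text, banned_group):
    """Map 'group:artifact' of each direct dependency to the banned artifacts
    it pulls in, as (banned_coordinate, path_from_root) pairs."""
    stack = []  # stack[d] = coordinate at depth d on the current root-to-node path
    offenders = {}
    for depth, group, artifact, coord in parse_tree(text):
        del stack[depth:]
        stack.append(coord)
        if group == banned_group and depth >= 1:
            direct = ":".join(stack[1].split(":")[:2])
            offenders.setdefault(direct, []).append((coord, " -> ".join(stack)))
    return offenders


def render_exclusion(direct_key, banned_group):
    """Render the <exclusions> stanza to add under the direct dependency.
    artifactId '*' excludes every artifact of the group (supported since Maven 3.2.1)."""
    group, artifact = direct_key.split(":")
    return (
        "<dependency>\n"
        f"  <groupId>{group}</groupId>\n"
        f"  <artifactId>{artifact}</artifactId>\n"
        "  <exclusions>\n"
        "    <exclusion>\n"
        f"      <groupId>{banned_group}</groupId>\n"
        "      <artifactId>*</artifactId>\n"
        "    </exclusion>\n"
        "  </exclusions>\n"
        "</dependency>"
    )


def report(text, banned_group):
    """Human-readable summary: offending paths plus the exclusion to add."""
    offenders = find_offenders(text, banned_group)
    if not offenders:
        return f"no artifacts from {banned_group} in the tree"
    out = []
    for direct_key, hits in offenders.items():
        out.append(f"{direct_key} pulls in:")
        for coord, path in hits:
            out.append(f"  {coord}\n    via {path}")
        out.append(render_exclusion(direct_key, banned_group))
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python find_banned_deps.py org.codehaus.jackson
    banned = sys.argv[1] if len(sys.argv) > 1 else "org.codehaus.jackson"
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    print(report(text, banned))
```

Re-run the script after each pom.xml change until it reports nothing for the group; that is the "no longer saw this dependency" condition from the comment, made mechanical. On the separate question of whether a clean compile is enough evidence that a dependency is unused: `mvn dependency:analyze` (the maven-dependency-plugin goal) reports used-but-undeclared and declared-but-unused artifacts from bytecode, which is a stronger signal than compilation, but neither catches classes loaded reflectively or only at runtime through the plugin classloader, so the plugin's runtime tests still need to pass after a removal.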

@kumaab
Contributor

kumaab commented Jul 25, 2024

Please rebase the PR to run all checks, 1 check is missing.

@kokosing
Contributor Author

Done

mneethiraj pushed a commit that referenced this pull request Jul 26, 2024
… library - PR #351

Signed-off-by: Madhan Neethiraj <madhan@apache.org>
mneethiraj pushed a commit that referenced this pull request Jul 26, 2024
… library - PR #351

Signed-off-by: Madhan Neethiraj <madhan@apache.org>
(cherry picked from commit e5053e1)
@mneethiraj
Contributor

@kokosing - the patch is merged in master and ranger-2.5 branches. Thank you!

@mneethiraj mneethiraj closed this Jul 26, 2024
@kokosing kokosing deleted the origin/master/005 branch July 26, 2024 09:57
@kokosing
Contributor Author

Thank you!
