Exclude org.codehaus.jackson #351
@mneethiraj why do shim modules require so many dependencies? I see that in the hive plugin as well as in hbase. The more dependencies we put, the higher the risk for CVEs. How can I check what is actually used? I removed some of them and I see that the project (module) compiles just fine; is this good enough for testing?
@mneethiraj ping
@kokosing - you are right, shim modules only have dependencies on libraries that include classes referenced in the authorization interface (like HiveAuthorizer, HiveAuthorizerFactory), and the ranger-plugin-classloader library. About this patch, given org.codehaus.jackson libraries are not included in Hive plugin packaging, is it necessary to exclude them from the pom.xml file?
I used
Is it safe to remove these dependencies and assume that if the project compiles we are good? If that would be the case then we could remove plenty of dependencies.
Please rebase the PR to run all checks, 1 check is missing.
These libraries are old (2013) and have plenty of CVEs. They were migrated to org.fasterxml.jackson.
80101e5 to 1bd10cb
Done
… library - PR #351 Signed-off-by: Madhan Neethiraj <madhan@apache.org>
@kokosing - the patch is merged in master and ranger-2.5 branches. Thank you!
Thank you!
Exclude org.codehaus.jackson
These libraries are old (2013) and have plenty of CVEs. They were
migrated to org.fasterxml.jackson.
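
An added example (not part of the PR or of Ranger's code) for the question raised in the thread about checking what a module actually pulls in: it parses the text output of `mvn dependency:tree` and reports which direct dependency brings in each `org.codehaus.jackson` artifact, which is where a Maven `<exclusion>` would go. The sample tree is constructed, and every coordinate in it outside the `org.codehaus.jackson` group is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample of `mvn dependency:tree` output (not taken from Ranger).
# The example.org coordinates and all 0.0.0 versions are placeholders.
SAMPLE_TREE = """\
[INFO] example.org:plugin-shim:jar:0.0.0
[INFO] +- example.org:authz-api:jar:0.0.0:compile
[INFO] |  +- example.org:util:jar:0.0.0:compile
[INFO] |  |  \\- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  |     \\- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:0.0.0:compile
[INFO] \\- example.org:plugin-classloader:jar:0.0.0:compile
"""

# Tree indentation is made of 3-character cells: "|  ", "   ", "+- " or "\- ".
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*(?:[+\\]- )?)([^\s:]+):([^\s:]+):\S+$")

def find_banned(tree_text, banned_group="org.codehaus.jackson"):
    """Return [(group:artifact, path from direct dependency down to it)]."""
    stack, hits = [], []  # stack[d] holds the node currently open at depth d
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, summary and separator lines
        depth = len(m.group(1)) // 3
        group, coord = m.group(2), f"{m.group(2)}:{m.group(3)}"
        del stack[depth:]  # close siblings and deeper nodes
        stack.append(coord)
        banned = group == banned_group or group.startswith(banned_group + ".")
        if depth > 0 and banned:
            hits.append((coord, stack[1:]))  # drop the root module itself
    return hits

def exclusions_by_direct_dep(tree_text, banned_group="org.codehaus.jackson"):
    """Map each direct dependency to the banned artifacts it drags in."""
    out = defaultdict(set)
    for coord, path in find_banned(tree_text, banned_group):
        out[path[0]].add(coord)
    return {direct: sorted(found) for direct, found in out.items()}

if __name__ == "__main__":
    for direct, found in exclusions_by_direct_dep(SAMPLE_TREE).items():
        print(f"{direct}: needs <exclusion> for {', '.join(found)}")
```

Running the same check again after the exclusions are in place should return an empty result for the module.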