[HUDI-8213] Exclude jackson-databind from hudi-spark-bundle to fix CVE-2017-17485
Change Logs
We are seeing a Critical level CVE, CVE-2017-17485, in Hudi. It is traced to the HTrace component (which uses jackson-databind version 2.4.0). So it is good to exclude jackson-databind when packaging the hudi-spark-bundle module.
Impact
No performance change, but fixes CRITICAL CVE CVE-2017-17485.
Risk level (write none, low, medium or high below)
CRITICAL
Documentation Update
Describe any necessary documentation update if there is any new feature, config, or user-facing change. If not, put "none".
- The config description must be updated if new configs are added or the default value of a config is changed
- Any new feature or user-facing change requires updating the Hudi website. Please create a Jira ticket, attach the ticket number here and follow the instruction to make changes to the website.
Contributor's checklist
- [x] Read through contributor's guide
- [x] Change Logs and Impact were stated clearly
- [x] Adequate tests were added if applicable
- [x] CI passed
CI report:
- 7aa6c129f52976a845599dd0968e82489e09644b Azure: SUCCESS
Bot commands
@hudi-bot supports the following commands:
- @hudi-bot run azure: re-run the last Azure build
Thanks for your first contribution. Could you check if you can exclude the dependency in the bundle directly?
Yes @yihua, I tried excluding directly, but it did not help, and I wanted to make a very minimal change so that actual functionality would not break. So I found that removing the meta info is sufficient to get rid of the critical CVE issue.
I welcome your alternate suggestion for fixing this issue.
@yihua below is the screenshot after fixing the CVE
@senthh Thanks for the clarification. I prefer to exclude the dependencies directly or use alternatives to get the same functionality. The reason is that removing the META-INF only tricks the scan to report no security issue (if the scan uses META-INF for checking vulnerabilities, correct me if I'm wrong); the actual security issue in the bundled classes may still exist. This can make security detection worse as the security risk is still there, though there is no report, hiding the actual vulnerabilities.
If HTrace is of concern, the community is making an effort to remove HBase dependencies as required ones. I've introduced our own HFile readers (see #10241, #10330) that do not depend on HBase, and we have a plan to introduce an HFile writer implementation that is independent of HBase dependencies (HUDI-8222), so we can remove HBase dependencies in the future.
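An added check, not part of this PR or of Hudi's own code, that illustrates the point made above: a scanner that identifies bundled artifacts only through META-INF/maven pom.properties reports nothing once that metadata is stripped, while the jackson-databind classes are still in the jar. The jar contents, the class names and the pom.properties values are constructed for the example (the version 2.4.0 is the one named in the PR description); pass a real bundle jar path as the first argument to run the same two scans against it.

```python
import io
import sys
import zipfile
from typing import List

# Constructed names for the sample bundle (the class bytes are dummies).
JACKSON_CLASS = "com/fasterxml/jackson/databind/ObjectMapper.class"
JACKSON_POM_PROPS = (
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
)


def build_sample_bundle(strip_meta_inf: bool) -> bytes:
    """Build a tiny in-memory jar; optionally omit jackson's META-INF entry,
    which is what an exclude on META-INF/... achieves."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # Hypothetical application class, so the bundle is not only jackson.
        jar.writestr("org/apache/hudi/Placeholder.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JACKSON_CLASS, b"\xca\xfe\xba\xbe")
        if not strip_meta_inf:
            jar.writestr(
                JACKSON_POM_PROPS,
                b"groupId=com.fasterxml.jackson.core\n"
                b"artifactId=jackson-databind\n"
                b"version=2.4.0\n",
            )
    return buf.getvalue()


def metadata_scan(jar_bytes: bytes) -> List[str]:
    """Mimic a scanner that recognises bundled artifacts only via
    META-INF/maven/<group>/<artifact>/pom.properties."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in jar.read(name).decode("utf-8").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, value = line.split("=", 1)
                        props[key.strip()] = value.strip()
                found.append(
                    f"{props.get('groupId')}:{props.get('artifactId')}:{props.get('version')}"
                )
    return found


def class_scan(
    jar_bytes: bytes, package_prefix: str = "com/fasterxml/jackson/databind/"
) -> List[str]:
    """Look for the classes themselves; their presence is what decides exposure,
    regardless of whether the Maven metadata is still in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [
            n
            for n in jar.namelist()
            if n.startswith(package_prefix) and n.endswith(".class")
        ]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_bundle(strip_meta_inf=True)
    print("metadata scan:", metadata_scan(data))
    print("class scan   :", class_scan(data))
```

With the constructed bundle and META-INF stripped, the metadata scan returns an empty list while the class scan still lists the jackson-databind class; only excluding the classes (or the dependency) from the bundle changes the second result.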
Good to hear you have already initiated removing the HBase dependencies. So shall I remove the jackson-databind classes also, by 'exclude' as below:
<exclude>META-INF/services/com.fasterxml.jackson.core/jackson-databind/*</exclude>
Or we can close this PR and wait for your PR to be completed? I'm happy to follow up on your feedback.