Adam Roberts created HADOOP-17555:
-------------------------------------

             Summary: Image scan shows something in Hadoop using jackson-databind 2.4.0...what?
                 Key: HADOOP-17555
                 URL: https://issues.apache.org/jira/browse/HADOOP-17555
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Adam Roberts

Hi everyone, I've done a Twistlock container-level scan of a Flink/Hadoop image (so, it's the Hadoop shaded uber jar specifically, for Hadoop 3.3.1 snapshot and Flink 1.11.3).

The most interesting result is as follows.

I think it is used in Hadoop and not Flink because my container scan without the Hadoop jar does not show this result.

{ "version": "2.4.0",
  "name": "com.fasterxml.jackson.core_jackson-databind",
  "path": "/opt/flink/lib/flink-shaded-hadoop-3-uber-3.3.1-SNAPSHOT-10.0.jar" }

That's a very old version and likely very susceptible to CVEs, I would imagine. Does anybody know what might be using it and if we can upgrade the version?

https://github.com/apache/hadoop/search?l=Maven+POM&q=2.4.0 shows 113 results, and searching with https://github.com/apache/hadoop/search?q=com.fasterxml.jackson.core_jackson-databind isn't helpful either, unfortunately (in fact less so).

So I am wondering what could be using it... any input would be awesome, thank you! I will do my own digging as well to keep looking, but if anyone knows off-hand that would be fantastic.
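
One way to look for the answer inside the jar itself, as an added example that is not part of the original message or of Hadoop's code: list the embedded Maven metadata for an artifact and the bundled POMs that declare a dependency on it. It assumes the shaded jar still carries the META-INF/maven/<groupId>/<artifactId>/ entries of the artifacts merged into it; `scan_jar`, `build_sample_jar` and `org.example:legacy-client` are hypothetical names, and the sample jar is constructed.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def scan_jar(jar, artifact):
    """Return (bundled, declared_by) for `artifact`; `jar` is a path or file object.
    bundled: (groupId, artifactId, version); declared_by: (pom.xml path, version)."""
    bundled, declared_by = set(), set()
    with zipfile.ZipFile(jar) as zf:
        for name in (n for n in zf.namelist() if n.startswith("META-INF/maven/")):
            data = zf.read(name)
            if name.endswith("/pom.properties"):
                text = data.decode("utf-8", "replace")
                props = dict(l.split("=", 1) for l in text.splitlines()
                             if "=" in l and not l.startswith("#"))
                if props.get("artifactId", "").strip() == artifact:
                    bundled.add((props.get("groupId", "").strip(), artifact,
                                 props.get("version", "").strip()))
            elif name.endswith("/pom.xml") and b"<!DOCTYPE" not in data:
                try:  # a POM needs no DTD, so any that carries one is skipped above
                    root = ET.fromstring(data)
                except ET.ParseError:
                    continue
                for dep in (e for e in root.iter() if _local(e.tag) == "dependency"):
                    fields = {_local(c.tag): (c.text or "").strip() for c in dep}
                    if fields.get("artifactId") == artifact:
                        declared_by.add((name, fields.get("version", "")))
    return sorted(bundled), sorted(declared_by)

def build_sample_jar():
    """Constructed in-memory jar; org.example:legacy-client is a made-up artifact."""
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>'
           "<dependency><groupId>com.fasterxml.jackson.core</groupId>"
           "<artifactId>jackson-databind</artifactId><version>2.4.0</version>"
           "</dependency></dependencies></project>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/"
                    "pom.properties", "#Generated by Maven\nversion=2.4.0\n"
                    "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
        zf.writestr("META-INF/maven/org.example/legacy-client/pom.xml", pom)
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    print(scan_jar(build_sample_jar(), "jackson-databind"))
```

An empty version in `declared_by` means the declaring POM leaves the version to a parent or to dependencyManagement, so the build's dependency tree is still needed to see where the number comes from.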