Hi all,

I have been working on another open source project called ONAP: 
https://wiki.onap.org/

As part of that system, there is a database using http://janusgraph.org/ with 
the Cassandra backend.
The ONAP code has been scanned for vulnerabilities and the scans identified the 
FasterXML Jackson library as a problem.

While we can address our code issues (e.g. to rewrite using some other JSON 
library) and substitute Spring Boot dependencies (e.g. JAX-RS), we are unsure 
of how to handle Cassandra's usage of Jackson.

Searching through the mailing list archives and JIRA cases, I can see that some 
effort has been made to upgrade Jackson in Cassandra, e.g.

- https://issues.apache.org/jira/browse/CASSANDRA-4102
- https://issues.apache.org/jira/browse/CASSANDRA-8974
- https://issues.apache.org/jira/browse/CASSANDRA-14427

And that there has also been some movement from a different JSON library 
towards Jackson: https://issues.apache.org/jira/browse/CASSANDRA-8785

The analysis done in CASSANDRA-14427 reached similar conclusions as in the ONAP 
project, i.e. "We don't do this".
However, we are still attempting to completely eliminate the Jackson 
vulnerabilities by replacing it with something else, e.g. 
https://github.com/google/gson

There is a comment on https://issues.apache.org/jira/browse/CASSANDRA-7970 that 
requested some abstraction layer around the JSON parsing:

- "Maybe we could abstract slightly our use of jackson (put the helpers we need 
in Json.java maybe?), so that 1) we have only one place to change if we upgrade 
jackson and the API changes (or we want to change library) and 2) we save 
creating multiple ObjectMapper or JsonStringEncoder objects."


Has this JSON abstraction been implemented, and can it be used to effectively 
substitute Jackson for gson in Cassandra?

What is the possibility for Cassandra to completely eliminate usage of Jackson 
and replace it with gson?

Could such a replacement of Jackson be on the roadmap for Cassandra?


The current direction of the investigation in the ONAP project is to replace 
Jackson with gson, since gson has also been scanned for vulnerabilities and 
does not appear in the reports as needing any upgrade.

Thanks for your time,
Keong


Customer Experience and Platform Integration R&D Dept
--
Keong Lim, Huawei Technologies Co. Ltd (keong....@huawei.com)
Ground Floor, Suite 1, 5 Lakeside Drive, BURWOOD EAST VIC 3151 AUSTRALIA
--
  "If ye love wealth better than liberty, the tranquillity of servitude than the
   animating contest of freedom-go from us in peace. We ask not your counsels
   or arms. Crouch down and lick the hands which feed you. May your chains sit
   lightly upon you, and may posterity forget that ye were our countrymen!"
    - Samuel Adams



---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
For additional commands, e-mail: user-h...@cassandra.apache.org
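The following is an added example of the single-file JSON facade that the CASSANDRA-7970 comment quoted above asks for; it is illustration code written for this page, not code from Cassandra, ONAP or either JSON library. The listing shows the same `Json.java` twice, once backed by Jackson and once by gson, so that the swap discussed in the post touches exactly one file while every caller of `Json.toJson`, `Json.fromJson`, `Json.toMap` and `Json.quote` compiles unchanged. The class and method names are assumptions chosen for the example; the post does not say which scanner findings were raised against Jackson, so the comment about default typing is a general caveat rather than a statement about ONAP's report.

```java
// ---------------- Json.java, Jackson-backed (added example, hypothetical API) ----------------
import java.io.IOException;
import java.util.Map;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.io.JsonStringEncoder;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public final class Json {
    // One shared, thread-safe mapper instead of a new ObjectMapper at every call site.
    // Default typing is deliberately never enabled: polymorphic type handling driven by
    // the JSON itself is the mechanism behind the widely reported jackson-databind
    // deserialization issues, and this facade only ever deserializes into the concrete
    // class the caller names, so no caller can opt into it by accident.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
    // Likewise one shared string encoder (the second point of the JIRA comment).
    private static final JsonStringEncoder ENCODER = JsonStringEncoder.getInstance();

    private Json() {}

    /** Serialise any value to a compact JSON document. */
    public static String toJson(Object value) {
        try {
            return MAPPER.writeValueAsString(value);
        } catch (JsonProcessingException e) {
            throw new IllegalArgumentException("Cannot serialise " + String.valueOf(value), e);
        }
    }

    /** Deserialise into a caller-supplied concrete class; malformed input becomes IllegalArgumentException. */
    public static <T> T fromJson(String json, Class<T> type) {
        try {
            return MAPPER.readValue(json, type);
        } catch (IOException e) {
            throw new IllegalArgumentException("Malformed JSON", e);
        }
    }

    /** Parse a JSON object into a plain map of String/Number/Boolean/List/Map values. */
    public static Map<String, Object> toMap(String json) {
        try {
            return MAPPER.readValue(json, new TypeReference<Map<String, Object>>() {});
        } catch (IOException e) {
            throw new IllegalArgumentException("Malformed JSON", e);
        }
    }

    /** Escape a raw string for embedding between double quotes in hand-built JSON. */
    public static String quote(String raw) {
        return new String(ENCODER.quoteAsString(raw));
    }
}

// ---------------- Json.java, gson-backed: the only file that changes in a swap ----------------
import java.util.Map;

import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonParseException;
import com.google.gson.reflect.TypeToken;

public final class Json {
    // gson escapes < > & = ' as \u00XX by default; disabled here so output matches the
    // Jackson-backed version byte for byte. Re-enable if the JSON is ever embedded in HTML.
    private static final Gson GSON = new GsonBuilder().disableHtmlEscaping().create();

    private Json() {}

    public static String toJson(Object value) {
        return GSON.toJson(value);
    }

    public static <T> T fromJson(String json, Class<T> type) {
        try {
            return GSON.fromJson(json, type);
        } catch (JsonParseException e) {           // JsonSyntaxException is a subclass
            throw new IllegalArgumentException("Malformed JSON", e);
        }
    }

    public static Map<String, Object> toMap(String json) {
        try {
            return GSON.fromJson(json, new TypeToken<Map<String, Object>>() {}.getType());
        } catch (JsonParseException e) {
            throw new IllegalArgumentException("Malformed JSON", e);
        }
    }

    public static String quote(String raw) {
        String quoted = GSON.toJson(raw);           // yields "\"...\"" with escapes applied
        return quoted.substring(1, quoted.length() - 1);
    }
}
```

Two behavioural differences are worth a test before such a swap is committed: in `toMap`, Jackson returns JSON integers as `Integer`/`Long` while gson returns every number as `Double`, and gson serialises `null` map values differently unless `serializeNulls()` is set. Any existing call that inspects the runtime type of a parsed number will change behaviour silently, which is exactly the kind of thing the single-file facade makes easy to unit-test in one place.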
