HADOOP-18676. jettison dependency override in hadoop-common lib (#5513)

2023-03-27 09:59:02 +02:00 · 2023-03-27 09:59:02 +02:00 · ee01c64c6c
parent b82bcbd8ad
commit ee01c64c6c
2 changed files with 24 additions and 0 deletions
--- a/hadoop-client-modules/hadoop-client/pom.xml
+++ b/hadoop-client-modules/hadoop-client/pom.xml
@ -69,6 +69,10 @@
          <groupId>com.github.pjfanning</groupId>
          <artifactId>jersey-json</artifactId>
        </exclusion>
+        <exclusion>
+          <groupId>org.codehaus.jettison</groupId>
+          <artifactId>jettison</artifactId>
+        </exclusion>
        <exclusion>
          <groupId>com.sun.jersey</groupId>
          <artifactId>jersey-server</artifactId>
@ -182,6 +186,10 @@
          <groupId>com.github.pjfanning</groupId>
          <artifactId>jersey-json</artifactId>
        </exclusion>
+        <exclusion>
+          <groupId>org.codehaus.jettison</groupId>
+          <artifactId>jettison</artifactId>
+        </exclusion>
        <exclusion>
          <groupId>io.netty</groupId>
          <artifactId>netty</artifactId>
@ -233,6 +241,10 @@
          <groupId>com.github.pjfanning</groupId>
          <artifactId>jersey-json</artifactId>
        </exclusion>
+        <exclusion>
+          <groupId>org.codehaus.jettison</groupId>
+          <artifactId>jettison</artifactId>
+        </exclusion>
        <exclusion>
          <groupId>com.sun.jersey</groupId>
          <artifactId>jersey-servlet</artifactId>
@ -290,6 +302,10 @@
          <groupId>com.github.pjfanning</groupId>
          <artifactId>jersey-json</artifactId>
        </exclusion>
+        <exclusion>
+          <groupId>org.codehaus.jettison</groupId>
+          <artifactId>jettison</artifactId>
+        </exclusion>
        <exclusion>
          <groupId>io.netty</groupId>
          <artifactId>netty</artifactId>
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@ -175,6 +175,14 @@
        </exclusion>
      </exclusions>
    </dependency>
+    <dependency>
+      <!--
+      adding jettison as direct dependency (as jersey-json's jettison dependency is vulnerable with verison 1.1),
+      so those who depends on hadoop-common externally will get the non-vulnerable jettison
+      -->
+      <groupId>org.codehaus.jettison</groupId>
+      <artifactId>jettison</artifactId>
+    </dependency>
    <dependency>
      <groupId>com.sun.jersey</groupId>
      <artifactId>jersey-server</artifactId>