[jira] [Reopened] (HBASE-20582) Bump up JRuby version because of some reported vulnerabilities
[ https://issues.apache.org/jira/browse/HBASE-20582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Busbey reopened HBASE-20582:
[~elserj] this change broke us in nightly, specifically the check that we can go through the release process:
[INFO] --- maven-enforcer-plugin:3.0.0-M1:enforce (hadoop-profile-min-maven-min-java-banned-xerces) @ hbase-shell ---
[INFO] Restricted to JDK 1.8 yet org.jruby:jruby-complete:jar:18.104.22.168:compile contains module-info.class targeted to JDK 1.9
[WARNING] Rule 4: org.apache.maven.plugins.enforcer.EnforceBytecodeVersion failed with message:
HBase has unsupported dependencies.
HBase requires that all dependencies be compiled with version 1.8 or earlier
of the JDK to properly build from source. You appear to be using a newer dependency. You can use
either "mvn -version" or "mvn enforcer:display-info" to verify what version is active.
Non-release builds can temporarily build with a newer JDK version by setting the
'compileSource' property (eg. mvn -DcompileSource=1.8 clean package).
Found Banned Dependency: org.jruby:jruby-complete:jar:22.214.171.124
Use 'mvn dependency:tree' to locate the source of the banned dependencies.
Here's the full build log:
Same thing shows up in branch-2.
> Bump up JRuby version because of some reported vulnerabilities
> Key: HBASE-20582
> URL: https://issues.apache.org/jira/browse/HBASE-20582
> Project: HBase
> Issue Type: Bug
> Reporter: Ankit Singhal
> Assignee: Josh Elser
> Priority: Major
> Fix For: 3.0.0, 2.1.0
> Attachments: HBASE-20582.002.patch, HBASE-20582.patch
> There are some vulnerabilities reported with two of the libraries used in HBase.
> The tool is somehow able to relate the vulnerability of Ruby with JRuby (Java implementation). (Jackson will be handled in a different issue.)
> Not all of them directly affect HBase, but [~elserj] suggested that it is better to be on the updated version to avoid issues during an audit in a security-sensitive organization.
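Added example, not part of the original JIRA message or of HBase's build: a pre-upgrade check for the failure reported above, where a bumped dependency jar carries a class file (here module-info.class) compiled for a newer JDK than the build allows. It reads the class-file header of every .class entry in a jar and lists those above a maximum major version. The function names and the sample jar are constructed for illustration.

```python
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE
JAVA8_MAJOR = 52  # class-file major version for Java 8; Java 9 is 53


def class_major_version(header):
    """Return the class-file major version, or None if this is not a class file."""
    if len(header) < 8:
        return None
    # Header layout: u4 magic, u2 minor_version, u2 major_version (big-endian).
    magic, _minor, major = struct.unpack(">IHH", header[:8])
    return major if magic == CLASS_MAGIC else None


def find_newer_classes(jar_bytes, max_major=JAVA8_MAJOR):
    """List (entry name, major version) for .class entries newer than max_major."""
    offenders = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".class"):
                continue
            with jar.open(info) as fh:
                major = class_major_version(fh.read(8))
            if major is not None and major > max_major:
                offenders.append((info.filename, major))
    return sorted(offenders)


def build_sample_jar():
    """Constructed sample: one Java 8 class plus a Java 9 module-info.class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        java8 = struct.pack(">IHH", CLASS_MAGIC, 0, 52) + b"\x00" * 8
        java9 = struct.pack(">IHH", CLASS_MAGIC, 0, 53) + b"\x00" * 8
        jar.writestr("org/example/Main.class", java8)
        jar.writestr("module-info.class", java9)
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, major in find_newer_classes(build_sample_jar()):
        # major - 44 gives the Java release for class files from Java 5 onward.
        print(f"{name}: major version {major} (Java {major - 44})")
```

To check a real dependency, pass the bytes of the downloaded jar file to find_newer_classes in place of the constructed sample.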