[HUDI-8213] Exclude jackson-databind from hudi-spark-bundle to fix CVE-2017-17485 #11957
base: release-0.14.2
Conversation
| <exclude>META-INF/*.DSA</exclude> | ||
| <exclude>META-INF/*.RSA</exclude> | ||
| <exclude>META-INF/services/javax.*</exclude> | ||
| <exclude>META-INF/maven/com.fasterxml.jackson.core/jackson-databind/*</exclude> |
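Review bot: the added `<exclude>` on the last line only strips jackson-databind's `pom.xml`/`pom.properties` under `META-INF/maven/` from the shaded jar; the `com.fasterxml.jackson.databind` classes themselves stay in the bundle, so the CVE-2017-17485 code path remains while scanners that fingerprint artifacts by their Maven metadata stop reporting it. Exclude the artifact from the bundle itself (for example in the shade plugin's `artifactSet`) or move to a fixed jackson-databind version, and verify the result by listing the built jar and confirming that no `com/fasterxml/jackson/databind/` entries remain.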
This change only removes the meta info from the bundle; the classes from jackson-databind are still included.
@yihua Yes, correct, but this change is sufficient to get rid of the critical CVE issue CVE-2017-17485.
yihua
left a comment
Thanks for your first contribution. Could you check if you can exclude the dependency in the bundle directly?
Yes @yihua, I tried excluding directly, but it did not help, and I wanted to make a very minimal change so that actual functionality would not break. So I found that removing the meta info is sufficient to get rid of the critical CVE issue. I welcome your alternate suggestion for fixing this issue.

@yihua below is the screenshot after fixing the CVE

@senthh Thanks for the clarification. I prefer to exclude the dependencies directly or use alternatives to get the same functionality. The reason is that removing the META-INF only tricks the scan into reporting no security issue (if the scan uses META-INF for checking vulnerabilities, correct me if I'm wrong); the actual security issue in the bundled classes may still exist. This can make security detection worse, as the security risk is still there, though there is no report, hiding the actual vulnerabilities.

If HTrace is of concern, the community is making an effort to remove HBase dependencies as required ones. I've introduced our own HFile readers (see #10241, #10330) that do not depend on HBase, and we have a plan to introduce an HFile writer implementation that is independent of HBase dependencies (HUDI-8222), so we can remove HBase dependencies in the future.

Good to hear you have already initiated removing the HBase dependencies. So shall I remove the jackson-databind classes also, by 'exclude' as below, or should we close this PR and wait for your PR to be completed? I'm happy to follow up on your feedback.
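The distinction the reviewer draws above, metadata stripped versus classes actually removed, is easy to check on a built jar. The following is an added example, not code from the Hudi project or from either participant: it constructs three miniature in-memory "bundle" jars with hypothetical entry names and dummy class bytes (one untouched, one with only `META-INF/maven/.../jackson-databind/` stripped as in this PR, one with the artifact genuinely excluded), then audits each the way a defender should, by looking at both the Maven metadata and the class entries rather than the metadata alone.

```python
import io
import zipfile

# Constructed entry names standing in for what a shaded hudi-spark-bundle jar
# would carry. Contents are dummy bytes, not real class files.
JACKSON_POM_PROPS = (
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"
)
JACKSON_CLASS = "com/fasterxml/jackson/databind/ObjectMapper.class"
HUDI_CLASS = "org/apache/hudi/Placeholder.class"  # hypothetical name
DUMMY_CLASS_BYTES = b"\xca\xfe\xba\xbe"  # class-file magic only, constructed


def build_bundle(strip_metadata: bool, exclude_artifact: bool) -> bytes:
    """Build an in-memory jar.

    strip_metadata  mimics the <exclude>META-INF/maven/.../jackson-databind/*</exclude>
                    from this PR: metadata goes, classes stay.
    exclude_artifact mimics excluding the artifact from the bundle itself:
                    neither metadata nor classes are packaged.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(HUDI_CLASS, DUMMY_CLASS_BYTES)
        if not exclude_artifact:
            zf.writestr(JACKSON_CLASS, DUMMY_CLASS_BYTES)
            if not strip_metadata:
                zf.writestr(
                    JACKSON_POM_PROPS,
                    "version=2.4.0\n"
                    "groupId=com.fasterxml.jackson.core\n"
                    "artifactId=jackson-databind\n",
                )
    return buf.getvalue()


def metadata_version(jar_bytes: bytes, group: str, artifact: str):
    """Version from META-INF/maven/<group>/<artifact>/pom.properties, or None.

    This is the signal a metadata-only scanner relies on.
    """
    path = f"META-INF/maven/{group}/{artifact}/pom.properties"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if path not in zf.namelist():
            return None
        for line in zf.read(path).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def has_classes(jar_bytes: bytes, package_dir: str) -> bool:
    """True if any .class entry lives under package_dir (e.g. 'com/fasterxml/jackson/databind/')."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return any(
            name.startswith(package_dir) and name.endswith(".class")
            for name in zf.namelist()
        )


def audit(jar_bytes: bytes) -> dict:
    """Report both signals so a missing pom.properties cannot hide bundled classes."""
    version = metadata_version(jar_bytes, "com.fasterxml.jackson.core", "jackson-databind")
    present = has_classes(jar_bytes, "com/fasterxml/jackson/databind/")
    return {
        "metadata_version": version,
        "classes_present": present,
        # The case this PR produces: no metadata to flag, code still shipped.
        "metadata_hidden_but_classes_present": version is None and present,
    }


if __name__ == "__main__":
    for label, jar in [
        ("unchanged bundle", build_bundle(strip_metadata=False, exclude_artifact=False)),
        ("META-INF stripped (this PR)", build_bundle(strip_metadata=True, exclude_artifact=False)),
        ("artifact excluded", build_bundle(strip_metadata=False, exclude_artifact=True)),
    ]:
        print(f"{label}: {audit(jar)}")
```

Run against a real bundle, replace `build_bundle` with the bytes of the jar on disk; `has_classes` is the check that actually answers whether the vulnerable code is shipped, and a scan pipeline that only consults `metadata_version` will report the second case as clean.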

Change Logs
We are seeing a Critical level CVE, CVE-2017-17485, in Hudi. It is traced to the HTrace component (which uses jackson-databind version 2.4.0). So it is good to exclude jackson-databind when packaging the hudi-spark-bundle module.
Impact
No performance change, but fixing CRITICAL CVE CVE-2017-17485.
Risk level (write none, low medium or high below)
CRITICAL
Documentation Update
Describe any necessary documentation update if there is any new feature, config, or user-facing change. If not, put "none".
Contributor's checklist