[SPARK-33695][BUILD] Upgrade to jackson to 2.10.5 and jackson-databind to 2.10.5.1 #30656

Closed
n-marion wants to merge 2 commits

@n-marion n-marion commented Dec 7, 2020

What changes were proposed in this pull request?

Upgrade the jackson dependencies to 2.10.5 and jackson-databind to 2.10.5.1

Why are the changes needed?

Jackson dependency has vulnerability CVE-2020-25649.

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Existing unit tests.

@n-marion n-marion changed the title Upgrade to jackson to 2.10.5 and jackson-databind to 2.10.5.1 [SPARK-33695] Upgrade to jackson to 2.10.5 and jackson-databind to 2.10.5.1 Dec 7, 2020
@github-actions github-actions bot added the BUILD label Dec 7, 2020
@n-marion n-marion changed the title [SPARK-33695] Upgrade to jackson to 2.10.5 and jackson-databind to 2.10.5.1 [SPARK-33695][BUILD] Upgrade to jackson to 2.10.5 and jackson-databind to 2.10.5.1 Dec 7, 2020
@@ -169,7 +169,8 @@
<!-- for now, not running scalafmt as part of default verify pipeline -->
<scalafmt.skip>true</scalafmt.skip>
<codehaus.jackson.version>1.9.13</codehaus.jackson.version>
<fasterxml.jackson.version>2.10.0</fasterxml.jackson.version>
<fasterxml.jackson.version>2.10.5</fasterxml.jackson.version>
<fasterxml.jackson-databind.version>2.10.5.1</fasterxml.jackson-databind.version>
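Review bot: the new `fasterxml.jackson-databind.version` property on the last line of this hunk has no visible consumer, so the hunk alone does not show that it changes which jackson-databind gets resolved. Please confirm that the jackson-databind dependency entry takes its version from `${fasterxml.jackson-databind.version}`; if it still references `${fasterxml.jackson.version}`, databind would resolve to 2.10.5 rather than 2.10.5.1. A short XML comment above the property, saying that databind is versioned separately because its patch release can differ from the other Jackson modules, would also keep a later bump from merging the two properties back together.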
Member

Why did you add a new entry here?

Contributor Author

Jackson does this often and databind sometimes has a different subrevision. This follows the previous style before the recent update.

@@ -169,7 +169,8 @@
<!-- for now, not running scalafmt as part of default verify pipeline -->
<scalafmt.skip>true</scalafmt.skip>
<codehaus.jackson.version>1.9.13</codehaus.jackson.version>
<fasterxml.jackson.version>2.10.0</fasterxml.jackson.version>
<fasterxml.jackson.version>2.10.5</fasterxml.jackson.version>
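Review bot: the change of `fasterxml.jackson.version` from 2.10.0 to 2.10.5 moves every artifact that reads this property, not only the one named in the CVE, and the hunk does not show which artifacts those are. Please include the regenerated dependency manifests in the same change so the resolved Jackson versions can be reviewed line by line, and name CVE-2020-25649 in the commit message so the reason for the bump stays searchable.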
Member

We cannot bump it up to 2.12.0?

Contributor Author

Looking over Jackson's release information, both Jackson Release 2.11 and Jackson Release 2.12 showed a large amount of changes; and although I could attempt a build to make sure compilation fails, I'd personally be uncertain that unit tests would be sufficient enough to ensure compatibility.

maropu commented Dec 8, 2020

ok to test

maropu commented Dec 8, 2020

Also, you need to update the manifest files:

./dev/test-dependencies.sh --replace-manifest

SparkQA commented Dec 8, 2020

Kubernetes integration test starting
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/36990/

SparkQA commented Dec 8, 2020

Kubernetes integration test status failure
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/36990/

SparkQA commented Dec 8, 2020

Kubernetes integration test starting
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/36992/

SparkQA commented Dec 8, 2020

Test build #132390 has finished for PR 30656 at commit 8e40796.

  • This patch fails Spark unit tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

SparkQA commented Dec 8, 2020

Kubernetes integration test status failure
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/36992/

SparkQA commented Dec 8, 2020

Test build #132392 has finished for PR 30656 at commit 7040f75.

  • This patch passes all tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

@dongjoon-hyun dongjoon-hyun left a comment

+1, LGTM. Thanks, @n-marion , @maropu , @srowen .
Merged to master for Apache Spark 3.2.0.
