
Upgrade com.fasterxml.jackson library to 2.13.3 #243

Open: wants to merge 1 commit into base branch master

Conversation

alexopoulos7

Fix for issue #241

@alexopoulos7
Author

Updating fasterxml library to 2.13.3
Trying to fix: https://cwe.mitre.org/data/definitions/502.html

Here for more comments:
https://www.cybersecurity-help.cz/vulnerabilities/49367/

@dmikurube
Member

dmikurube commented Oct 3, 2022

@alexopoulos7 Thanks for your contribution!

But sorry and unfortunately, we are not able to merge this immediately. This is because:

  • Embulk's core has had its own dependencies on Jackson core, databind, and annotations 2.6.7. Those are actually used even in Embulk plugins (until Embulk v0.10.31).
  • Embulk plugins have assumed that the Embulk core has its own Jackson dependencies. The Embulk core is loaded by the parent class loader, so the core's dependencies are visible to plugins. Some Embulk plugins have had additional dependencies on some extra Jackson libraries (e.g. jackson-dataformat-xxx), kept at the same version 2.6.7.
  • This has caused a complicated situation of mutual locking. Once the Embulk core upgrades its own Jackson, some plugins would run with mixed Jackson versions. Once a plugin upgrades its own Jackson, the plugin would run with mixed Jackson versions, too. Mixing Jackson versions could cause unexpected problems.

This is why we have kept Jackson versions so old so far. We're trying to resolve this problem fundamentally, through the "development" series, Embulk v0.10.

It was definitely a bad design. But we had to fight with it because the Embulk eco-system was already established when I took it over.

See:


The v0.10 effort needs a lot of plugins to "catch-up", and we've spent much time on the catch-ups.

After the catch-up, the Embulk core would have its own Jackson which is invisible to plugins, and plugins would have their own Jackson which is not interfered with by the Embulk core. The core and plugins would be able to upgrade without any mutual locking.

We are aware of the vulnerability, of course. But after investigating it, we concluded that normal use-cases of Embulk are not highly impacted by it. Then we decided to keep it until the catch-ups and v0.10 are done.

Sorry for taking time on it. The catch-up has taken much longer than expected, but I believe we're close to the goal...
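The "mixed Jackson versions" situation the maintainer describes above is something a plugin author or operator can check for at runtime rather than guess at. The following is an added example, not code from this pull request or from the Embulk project: it reports which class loader and which jar each Jackson artifact was loaded from, and fails when jackson-core and jackson-databind report different versions. It assumes jackson-core, jackson-databind and jackson-annotations are on the classpath; the class name `JacksonVersionAudit` is made up for this example. Run inside a plugin, the loader column shows whether the classes came from the parent (core) loader or the plugin's own.

```java
// Added example (not Embulk project code): audit the Jackson artifacts visible to
// this class's class loader so that version skew between jackson-core,
// jackson-databind and jackson-annotations is reported instead of discovered
// as an obscure runtime failure. Assumes the three artifacts are on the classpath.
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.security.CodeSource;
import java.util.LinkedHashMap;
import java.util.Map;

public final class JacksonVersionAudit {

    /** Jar (or directory) a class was loaded from, or "<unknown>" when the JVM does not expose it. */
    static String location(Class<?> c) {
        CodeSource src = c.getProtectionDomain().getCodeSource();
        if (src == null || src.getLocation() == null) {
            return "<unknown>";
        }
        return src.getLocation().toString();
    }

    /** The class loader that defined the class; null means the bootstrap loader. */
    static String loader(Class<?> c) {
        ClassLoader cl = c.getClassLoader();
        return cl == null ? "bootstrap" : cl.toString();
    }

    /**
     * Versions per artifact. jackson-core and jackson-databind expose a Versioned entry
     * point; jackson-annotations does not, so its version is read from the jar manifest
     * and may be absent when the jar was repackaged or exploded.
     */
    static Map<String, String> versions() {
        Map<String, String> v = new LinkedHashMap<>();
        v.put("jackson-core", new JsonFactory().version().toString());
        v.put("jackson-databind", new ObjectMapper().version().toString());
        Package annotations = JsonProperty.class.getPackage();
        String annVersion = annotations == null ? null : annotations.getImplementationVersion();
        v.put("jackson-annotations", annVersion == null ? "<no manifest version>" : annVersion);
        return v;
    }

    /** True when core and databind agree, which is the only configuration Jackson supports. */
    static boolean coreAndDatabindMatch() {
        Version core = new JsonFactory().version();
        Version databind = new ObjectMapper().version();
        return core.compareTo(databind) == 0; // Version implements Comparable<Version>
    }

    public static void main(String[] args) {
        Class<?>[] probes = { JsonFactory.class, ObjectMapper.class, JsonProperty.class };
        for (Class<?> c : probes) {
            System.out.printf("%-48s loader=%s%n    from %s%n", c.getName(), loader(c), location(c));
        }
        versions().forEach((artifact, ver) -> System.out.printf("%-20s %s%n", artifact, ver));
        if (!coreAndDatabindMatch()) {
            System.err.println("WARNING: jackson-core and jackson-databind versions differ "
                    + "(mixed Jackson versions on the classpath)");
            System.exit(1);
        }
    }
}
```

Compile and run it with the same classpath the plugin or core would use (for example `java -cp 'lib/*' JacksonVersionAudit`). A non-zero exit is the signal that the core and a plugin have ended up on different Jackson lines; the printed `from` paths tell you which jar won the class-loader race for each artifact.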
