cassandra-user mailing list archives

From Keong Lim <Keong....@huawei.com>
Subject Replacement of Jackson usage in Cassandra with some other JSON library e.g. gson?
Date Thu, 11 Oct 2018 08:27:22 GMT
Hi all,

I have been working on another open source project called ONAP: https://wiki.onap.org/

As part of that system, there is a database using http://janusgraph.org/ with the Cassandra
backend.
The ONAP code has been scanned for vulnerabilities and the scans identified the FasterXML
Jackson library as a problem.

While we can address our code issues (e.g. to rewrite using some other JSON library) and substitute
Spring Boot dependencies (e.g. JAX-RS), we are unsure of how to handle Cassandra's usage of
Jackson.

Searching through the mailing list archives and JIRA cases, I can see that some effort has
been made to upgrade Jackson in Cassandra, e.g.

- https://issues.apache.org/jira/browse/CASSANDRA-4102
- https://issues.apache.org/jira/browse/CASSANDRA-8974
- https://issues.apache.org/jira/browse/CASSANDRA-14427

And that there has also been some movement from a different JSON library towards Jackson:
https://issues.apache.org/jira/browse/CASSANDRA-8785

The analysis done in CASSANDRA-14427 reached similar conclusions as in the ONAP project, i.e.
"We don't do this".
However, we are still attempting to completely eliminate the Jackson vulnerabilities by replacing
it with something else, e.g. https://github.com/google/gson

There is a comment on https://issues.apache.org/jira/browse/CASSANDRA-7970 that requested
some abstraction layer around the JSON parsing:

- "Maybe we could abstract slightly our use of jackson (put the helpers we need in Json.java
maybe?), so that 1) we have only one place to change if we upgrade jackson and the API change
(or we want to change of library) and 2) we save creating multiple ObjectMapper or JsonStringEncoder
objects."


Has this JSON abstraction been implemented, and can it be used to effectively substitute Jackson
for gson in Cassandra?

What is the possibility for Cassandra to completely eliminate usage of Jackson and replace
it with gson?

Could such a replacement of Jackson be on the roadmap for Cassandra?


The current direction of the investigation in the ONAP project is to replace Jackson with
gson, since gson has also been scanned for vulnerabilities and does not appear in the reports
as needing any upgrade.

Thanks for your time,
Keong


Customer Experience and Platform Integration R&D Dept
--
Keong Lim, Huawei Technologies Co. Ltd (keong.lim@huawei.com)
Ground Floor, Suite 1, 5 Lakeside Drive, BURWOOD EAST VIC 3151 AUSTRALIA
--
  "If ye love wealth better than liberty, the tranquillity of servitude than the
   animating contest of freedom-go from us in peace. We ask not your counsels
   or arms. Crouch down and lick the hands which feed you. May your chains sit
   lightly upon you, and may posterity forget that ye were our countrymen!"
    - Samuel Adams


