...
- Mailing list archives for Cassandra: http://cassandra.apache.org/community/#mailing
- Suggested upgrade of Jackson major version (1.4 to 2+): https://issues.apache.org/jira/browse/CASSANDRA-4102
- Key feature of JSON support: https://issues.apache.org/jira/browse/CASSANDRA-7970
- Comment asking for JSON abstraction: https://issues.apache.org/jira/browse/CASSANDRA-7970?focusedCommentId=14333620&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14333620
- "Maybe we could abstract slighty our use of jackson (put the helpers we need in Json.java maybe?), so that 1) we have only one place to change if we upgrade jackson and the API change (or we want to change of library) and 2) we save creating multiple ObjectMapper or JsonStringEncoder objects."
- Comment asking for JSON abstraction: https://issues.apache.org/jira/browse/CASSANDRA-7970?focusedCommentId=14333620&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14333620
- Suggested move from json-simple to Jackson: https://issues.apache.org/jira/browse/CASSANDRA-8785
- Upgrade of Jackson minor version due to vulnerabilities (1.9.x): https://issues.apache.org/jira/browse/CASSANDRA-8974
- Upgrade of Jackson major version due to vulnerabilities (1.9.x to 2.9.5): https://issues.apache.org/jira/browse/CASSANDRA-14427
- Similar analysis of the databind problems, after which they gave themselves a similar waiver: https://issues.apache.org/jira/browse/CASSANDRA-14427?focusedCommentId=16479994&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16479994
- "Assuming that condition is met, ObjectMapper also needs to be able to handle polymorphic types. This can be done in 2 ways:
- ObjectMapper.enableDefaultTyping(). We don't do this in the code base.
- Explicitly defining polymorphic types using annotations JsonSubType or JsonTypeInfo. We don't do this either."
- Request sent to 'user@cassandra.apache.org' mailing list:
- Response from Greg Matza, who is "Enterprise Account Executive" at ScyllaDB: https://www.scylladb.com/company/#team
From: Greg Matza [mailto:greg@scylladb.com]
Sent: Friday, 12 October 2018 09:56
To: Keong Lim <Keong.Lim@huawei.com>
Subject: ScyllaDB

Keong,
I saw your post on the Cassandra mailing list.
ScyllaDB is an open source drop-in replacement for Apache Cassandra. You can easily substitute Scylla for Cassandra in JanusGraph - in fact IBM has publicly spoken about why they chose Scylla instead of Cassandra for their JanusGraph as a Service. https://www.scylladb.com/tech-talk/performance-evaluation-scylla-database-backend-janusgraph-scylla-summit-2017/
And, because ScyllaDB is written in C++, there are no Jackson dependencies. So you'll be able to satisfy your security concerns, and take advantage of the fact that Scylla is faster and easier to manage.
We believe that there are already users of ScyllaDB within Huawei. For example, in March of 2018, our CEO and CTO met with Huawei Cloud, who are interested in offering Scylla as a Service. That potential partnership is still under discussion.
If you are interested in learning more, I would recommend downloading the software at https://www.scylladb.com/download/, and joining our ScyllaDB Users Slack, where there are many Scylla users and engineers who can answer questions. http://slack.scylladb.com. (There is even a Chinese-language channel - #general-cn - on the Slack, if you prefer that to the mostly-English #general channel)
Good luck, and I hope to see you on the Slack!!!
Greg
---
Greg Matza
650-400-9648
Conclusion So Far
For AAI project:
- code already uses Google gson, so
  - gson has already been scanned for vulnerabilities
  - gson does not appear on Seccom lists for package upgrade or replacement
- currently no usage of the alternative JSON libraries, so
  - introducing the new libraries may also bring in new vulnerabilities and problems
- there is already at least one worked example for translating from Jackson usage to gson usage, facilitating further conversions to gson
- the POC shows that transitive dependencies on Jackson could also be eliminated in some cases
- there are nearly 30 AAI repositories and over 200 files that need to be updated
- fully eliminating Jackson may not be possible due to other tools, such as Cassandra
  - could Cassandra be replaced by using ScyllaDB?
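The two figures above (repositories and files to update) and the CASSANDRA-14427 waiver conditions quoted earlier (`enableDefaultTyping()`, `@JsonTypeInfo`/`@JsonSubTypes`) can both be checked mechanically. The script below is an added example written for this page; it is not AAI or ONAP tooling. It assumes the repositories are checked out as subdirectories of one parent directory, that the sources are Java, and that Jackson 1.x is imported from `org.codehaus.jackson` and Jackson 2.x from `com.fasterxml.jackson`. The regexes are the author's choice for this example, not a project convention.

```shell
#!/bin/sh
# Added example (not AAI/ONAP code): audit checked-out repositories for
# Jackson usage and for the polymorphic-typing triggers named in the
# CASSANDRA-14427 analysis. Assumes each repository is a subdirectory of $1.

# Print "<repo> <count>" for every repository whose Java files import
# Jackson 1.x (org.codehaus.jackson) or Jackson 2.x (com.fasterxml.jackson).
# Repositories with no Jackson imports are omitted.
jackson_files_per_repo() {
  root="$1"
  for repo in "$root"/*/; do
    repo="${repo%/}"
    n=$(grep -rlE --include='*.java' \
          'import (org\.codehaus\.jackson|com\.fasterxml\.jackson)\.' \
          "$repo" 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
      printf '%s %s\n' "$(basename "$repo")" "$n"
    fi
  done
}

# Total number of Java files importing Jackson across all repositories.
jackson_total_files() {
  jackson_files_per_repo "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# Report every line that would make Jackson databind gadget CVEs reachable:
# default typing turned on programmatically, or polymorphic types declared
# with @JsonTypeInfo / @JsonSubTypes. Output is file:line:text; no output
# means the waiver argument from CASSANDRA-14427 holds for this tree.
polymorphic_typing_hits() {
  grep -rnE --include='*.java' \
      'enableDefaultTyping|@JsonTypeInfo|@JsonSubTypes' "$1" 2>/dev/null
  return 0
}

# Usage: sh jackson_audit.sh /path/to/checkouts
if [ $# -eq 1 ] && [ -d "$1" ]; then
  echo "== Jackson-importing Java files per repository =="
  jackson_files_per_repo "$1"
  echo "== total: $(jackson_total_files "$1") =="
  echo "== polymorphic typing triggers =="
  polymorphic_typing_hits "$1"
fi
```

The first report gives the per-repository work list that the conversion to gson has to cover; the second is the check to run before accepting the kind of waiver the Cassandra team gave themselves, since a single `enableDefaultTyping()` call or `@JsonTypeInfo` annotation anywhere in the tree invalidates it. Files whose Jackson dependency is only transitive (through another library's classes) will not show up in the import scan and still need the dependency-tree review mentioned in the POC.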