Bringing together the Apache Cassandra experts from the community and DataStax.

Want to learn? Have a question? Want to share your expertise? You are in the right place!

Not sure where to begin? Getting Started

 

question

Ryan Quey avatar image
Ryan Quey asked Erick Ramirez edited

The POM for org.codehaus.jackson:jackson-core-asl:jar:1.9.13.1.dse is missing

I was working on a project using DSE 6.7.7, and had no problem building my java app that uses dse-graph-frames. However, when I tried upgrading to 6.7.10, I ran into this issue:

The POM for org.codehaus.jackson:jackson-core-asl:jar:1.9.13.1.dse is missing, no dependency information available

To confirm, I checked in the Datastax repository, and for 6.7.7 it just uses jackson-core-asl:jar:1.9.13. However, in 6.7.8 through 6.7.12, it uses jackson-core-asl:jar:1.9.13.1.dse.

I also confirmed that jackson-core-asl:jar:1.9.13.1.dse does not exist in maven's repository. This is not a surprise, since with a version name that has "dse" appended to the end, I would expect that it's something that should be in Datastax's repository anyways. However, I could not find it in Datastax's repository either (both show 1.9.13 but not 1.9.13.1.dse).

Is there's something I need to do in order to build projects using DSE GraphFrames v. 6.7.10? Or is there a way around this issue?

(by the way, I had trouble finding a tag for DSE GraphFrames so only tagged this as graph)

graph
10 |1000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

1 Answer

Erick Ramirez avatar image
Erick Ramirez answered Erick Ramirez edited

We addressed a vulnerability with the Jackson Core and Jackson Mapper (CVE-2019-10172).

However, Jackson 1.x is no longer being maintained but since DSE has a dependency on it we forked the source and back-ported the fixes we cherry-picked from Debian to Jackson 1.9.13.

Since it's our own build, we've tagged the version 1.9.13.1.dse and included them with DSE 5.1.18, 6.0.12, 6.7.8, 6.8.1 (internal reference DSP-20073).

Thanks for bringing it to our attention. Let me find out from the engineers here at DataStax why it's missing from the repository. I suspect it was a minor oversight and hopefully we can get it sorted quickly.

P.S. I've condensed anything related to DSE Graph into the graph topic so it's the right choice. Cheers!

[UPDATE] That version ID was not meant to be published externally and it's an accident that it leaked out. Jaroslaw Grabowski recommends that a workaround is to exclude this dependency and include the OSS version in your build.

Share
10 |1000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.