From 72b01227062fcd5214c3561c4b81842ac1802bdd Mon Sep 17 00:00:00 2001
From: Andras Katona <41361962+akatona84@users.noreply.github.com>
Date: Fri, 24 Mar 2023 16:31:45 +0100
Subject: [PATCH] HADOOP-18676. Fixing jettison vulnerability of hadoop-common
 lib (#5507)

* HADOOP-18587. Fixing jettison vulnerability of hadoop-common lib

* no need for excluding, let it come

Change-Id: Ia6e4ad351158dd4b0510dec34bbde531a60e7654
---
 hadoop-common-project/hadoop-common/pom.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml
index 41efc183c3..5fb267cfd0 100644
--- a/hadoop-common-project/hadoop-common/pom.xml
+++ b/hadoop-common-project/hadoop-common/pom.xml
@@ -175,6 +175,14 @@
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <!--
+      adding jettison as direct dependency (as jersey-json's jettison dependency is vulnerable with verison 1.1),
+      so those who depends on hadoop-common externally will get the non-vulnerable jettison
+      -->
+      <groupId>org.codehaus.jettison</groupId>
+      <artifactId>jettison</artifactId>
+    </dependency>
     <dependency>
       <groupId>com.sun.jersey</groupId>
       <artifactId>jersey-server</artifactId>