This is an automated email from the ASF dual-hosted git repository.

nihaljain pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/master by this push:
     new 836630422df HBASE-28921 Skip bundling hbase-webapps folder in jars 
(#6368)
836630422df is described below

commit 836630422df2776287a860eff9d7104c3eca0582
Author: Nihal Jain <[email protected]>
AuthorDate: Mon Oct 21 21:26:41 2024 +0530

    HBASE-28921 Skip bundling hbase-webapps folder in jars (#6368)
    
    We are bundling all webapp resources in the hbase-server, hbase-thrift and hbase-rest jars, and transitively in the hbase-shaded-mapreduce jar. This can be an issue: if any of the JS projects used by HBase is vulnerable, security scan tools like Sonatype start flagging the jars as vulnerable too, since they contain the vulnerable code.
    
    With this JIRA, we skip bundling static webapp resources in our jars.
    
    Signed-off-by: Istvan Toth <[email protected]>
    Reviewed-by: Dávid Paksy <[email protected]>
---
 hbase-rest/pom.xml   | 9 +++++++++
 hbase-server/pom.xml | 1 +
 hbase-thrift/pom.xml | 9 +++++++++
 3 files changed, 19 insertions(+)

diff --git a/hbase-rest/pom.xml b/hbase-rest/pom.xml
index cf629b62991..734f8db0b5b 100644
--- a/hbase-rest/pom.xml
+++ b/hbase-rest/pom.xml
@@ -289,6 +289,15 @@
           <skipAssembly>true</skipAssembly>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <configuration>
+          <excludes>
+            <exclude>**/hbase-webapps/**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
       <!-- Make a jar and put the sources in the jar -->
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
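Review bot: Nothing in this hunk shows how the web UI finds `hbase-webapps` once the directory is no longer inside the jar, and the same holds for the matching `maven-jar-plugin` block added to hbase-thrift/pom.xml and the `<exclude>` added to hbase-server/pom.xml. If the HTTP server resolves that directory from the classpath (not visible here), a consumer that has only the jar, such as an embedded or test deployment, could lose the UI or fail at startup, so a start-up check of the info server against the built artifact is worth adding. The new block also carries no comment, unlike the plugin after it; a line such as `<!-- HBASE-28921: keep static webapp resources (bundled JS) out of the jar -->` above the `<plugin>` would record why the exclude exists.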
diff --git a/hbase-server/pom.xml b/hbase-server/pom.xml
index 92b696d2fec..cb47a8ea7df 100644
--- a/hbase-server/pom.xml
+++ b/hbase-server/pom.xml
@@ -453,6 +453,7 @@
             <exclude>log4j.properties</exclude>
             <exclude>mapred-queues.xml</exclude>
             <exclude>mapred-site.xml</exclude>
+            <exclude>**/hbase-webapps/**</exclude>
           </excludes>
         </configuration>
       </plugin>
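Review bot: Dropping `hbase-webapps` from the hbase-server jar hides the bundled JS from jar-level scanners without removing it from a deployment, if the distribution still ships and serves that directory (the assembly is not part of this diff). Vulnerable JS libraries would then go unreported unless the assembled tarball or the webapps directory is scanned as well, so the scan scope should move with the files rather than only shrink. The enclosing `<plugin>` starts outside the hunk, so which plugin this `<excludes>` list configures cannot be confirmed from here. The description also names hbase-shaded-mapreduce, which this commit does not touch; a build check that the shaded jar no longer contains `hbase-webapps/` would confirm the transitive effect.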
diff --git a/hbase-thrift/pom.xml b/hbase-thrift/pom.xml
index b75b288c878..fd21b18db5c 100644
--- a/hbase-thrift/pom.xml
+++ b/hbase-thrift/pom.xml
@@ -194,6 +194,15 @@
           <skipAssembly>true</skipAssembly>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <configuration>
+          <excludes>
+            <exclude>**/hbase-webapps/**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
       <!-- General ant tasks, bound to different build phases -->
       <plugin>
         <artifactId>maven-antrun-plugin</artifactId>
