This is an automated email from the ASF dual-hosted git repository.
stoty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/phoenix.git
The following commit(s) were added to refs/heads/master by this push:
new a57c1f91ba PHOENIX-6982 Exclude Maven descriptors from shaded JARs
a57c1f91ba is described below
commit a57c1f91ba910182f9347023edc9c28988b253be
Author: Krzysztof Sobolewski <[email protected]>
AuthorDate: Wed May 31 10:07:56 2023 +0200
PHOENIX-6982 Exclude Maven descriptors from shaded JARs
These descriptors are included in the dependencies, from which the
shaded JARs are compiled, but they do not really describe the contents
of those JARs - instead, they are information about *their* transitive
dependencies. These descriptors would be included in the shaded JAR and
misrepresent the actual contents of the JAR. Also, multiple dependencies
may include the same descriptor from different versions of a particular
transitive dependency, and the Shade plugin will pick one at random to
include in the shaded JAR. Usually the one picked will be from a
different version than we actually include in the JAR. For example, for
`jackson-databind` we depend on version 2.12.6, but the Maven descriptor
in the shaded JAR would be from version 2.4.0.
As an additional concern, these descriptors would confuse security
scanners, which would flag the JAR as including an old, vulnerable
version of a dependency even if that's not actually true.
Co-authored-by: Istvan Toth <[email protected]>
---
phoenix-client-parent/pom.xml | 1 +
phoenix-mapreduce-byo-shaded-hbase/pom.xml | 1 +
phoenix-server/pom.xml | 1 +
3 files changed, 3 insertions(+)
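To make the problem in the commit message concrete, here is an added example (not Phoenix project code) of the check a reviewer would run on a shaded artifact: read every `META-INF/maven/<groupId>/<artifactId>/pom.properties` the JAR carries, compare the versions they claim against the versions the build actually bundles, and then simulate the `<excludes>` list from this patch to confirm the descriptors disappear while the relocated classes stay. Python is used because this is an artifact inspection, not project code. The sample JAR (with a jackson-databind 2.4.0 descriptor next to placeholder 2.12.6 class bytes), the `DECLARED_VERSIONS` table and the Ant-style pattern matcher are all constructed for the example; the matcher approximates how the Shade plugin treats `*` and `**` and is not the plugin's own code.

```python
"""Check a JAR for stale Maven descriptors and simulate the Shade excludes.

Added example, not Phoenix code. The sample JAR, the DECLARED_VERSIONS table
and the Ant-style pattern matcher are constructed/assumed for illustration.
"""
import io
import re
import zipfile
from collections import defaultdict

MAVEN_PREFIX = "META-INF/maven/"
# The <excludes> list from the patch (applied under <artifact>*:*</artifact>).
SHADE_EXCLUDES = ["META-INF/maven/**", "META-INF/*.SF", "META-INF/*.DSA", "META-INF/*.RSA"]
# What the build really bundles (constructed; 2.12.6 is the version named in the commit message).
DECLARED_VERSIONS = {
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.12.6",
    ("commons-io", "commons-io"): "2.11.0",
}


def build_sample_jar(with_descriptors=True):
    """Construct a shaded-style JAR. With with_descriptors=True it mimics the pre-fix
    state: the classes are from jackson-databind 2.12.6 (placeholder bytes), but the
    single pom.properties the Shade plugin kept came from a 2.4.0 transitive copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/phoenix/shaded/com/fasterxml/jackson/databind/ObjectMapper.class",
                    b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
        if with_descriptors:
            zf.writestr(MAVEN_PREFIX + "com.fasterxml.jackson.core/jackson-databind/pom.properties",
                        "#Generated by Maven\ngroupId=com.fasterxml.jackson.core\n"
                        "artifactId=jackson-databind\nversion=2.4.0\n")
            zf.writestr(MAVEN_PREFIX + "commons-io/commons-io/pom.properties",
                        "groupId=commons-io\nartifactId=commons-io\nversion=2.11.0\n")
    return buf.getvalue()


def parse_pom_properties(text):
    """Minimal java.util.Properties parser: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def entry_names(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def maven_descriptors(jar_bytes):
    """{(groupId, artifactId): [version, ...]} for every pom.properties under META-INF/maven/.
    This is what a dependency scanner keys on, whether or not the classes match."""
    found = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(MAVEN_PREFIX) and name.endswith("/pom.properties"):
                p = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                found[(p.get("groupId", "?"), p.get("artifactId", "?"))].append(p.get("version", "?"))
    return dict(found)


def version_mismatches(jar_bytes, declared):
    """Descriptors whose version differs from the declared (bundled) one:
    {(groupId, artifactId): (claimed_versions, actual_version)}."""
    out = {}
    for ga, versions in maven_descriptors(jar_bytes).items():
        actual = declared.get(ga)
        claimed = [v for v in versions if v != actual]
        if claimed:
            out[ga] = (claimed, actual)
    return out


def ant_to_regex(pattern):
    """Approximate Ant/Shade path patterns: '**' spans directories, '*' and '?' do not."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            regex += ".*"
            i += 2
        else:
            c = pattern[i]
            regex += {"*": "[^/]*", "?": "[^/]"}.get(c, re.escape(c))
            i += 1
    return re.compile("^" + regex + "$")


def apply_excludes(jar_bytes, patterns=SHADE_EXCLUDES):
    """Rewrite the JAR without entries matching any exclude (what the patch makes Shade do)."""
    regexes = [ant_to_regex(p) for p in patterns]
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if not any(r.match(name) for r in regexes):
                dst.writestr(name, src.read(name))
    return out.getvalue()


if __name__ == "__main__":
    before = build_sample_jar()
    print("descriptors before:", maven_descriptors(before))
    print("mismatches before:", version_mismatches(before, DECLARED_VERSIONS))
    after = apply_excludes(before)
    print("descriptors after:", maven_descriptors(after))
    print("entries after:", entry_names(after))
```

Run against a real shaded JAR by replacing `build_sample_jar()` with the file's bytes: before this patch `maven_descriptors` lists every dependency descriptor the Shade plugin happened to keep, and `version_mismatches` against the build's real dependency versions shows exactly the kind of 2.4.0-versus-2.12.6 discrepancy a scanner would report; after the patch the descriptor map should be empty.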
diff --git a/phoenix-client-parent/pom.xml b/phoenix-client-parent/pom.xml
index 5b681570a8..0b3f15b8df 100644
--- a/phoenix-client-parent/pom.xml
+++ b/phoenix-client-parent/pom.xml
@@ -76,6 +76,7 @@
<filter>
<artifact>*:*</artifact>
<excludes>
+ <exclude>META-INF/maven/**</exclude>
<exclude>META-INF/*.SF</exclude>
<exclude>META-INF/*.DSA</exclude>
<exclude>META-INF/*.RSA</exclude>
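Review bot: Because this filter is declared under `<artifact>*:*</artifact>`, the new `<exclude>META-INF/maven/**</exclude>` drops the descriptors of every artifact the plugin processes, not only those of the dependencies the commit message is concerned with; please confirm the shaded client JAR is not expected to keep its own `META-INF/maven/org.apache.phoenix/...` entries for tooling, and if it is, put the exclude in a second `<filter>` whose `<artifact>` is narrower than `*:*`. It would also help a future reader to note (in the commit message or a pom comment) why `**` rather than `*` is used: the descriptors sit two directories down (`META-INF/maven/<groupId>/<artifactId>/pom.properties`), which a single `*` would not reach.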
diff --git a/phoenix-mapreduce-byo-shaded-hbase/pom.xml b/phoenix-mapreduce-byo-shaded-hbase/pom.xml
index 6dfaf8d31a..7a20de505b 100644
--- a/phoenix-mapreduce-byo-shaded-hbase/pom.xml
+++ b/phoenix-mapreduce-byo-shaded-hbase/pom.xml
@@ -76,6 +76,7 @@
<filter>
<artifact>*:*</artifact>
<excludes>
+ <exclude>META-INF/maven/**</exclude>
<exclude>META-INF/*.SF</exclude>
<exclude>META-INF/*.DSA</exclude>
<exclude>META-INF/*.RSA</exclude>
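Review bot: This is the identical four-entry `<excludes>` block now duplicated in phoenix-client-parent/pom.xml, here and in phoenix-server/pom.xml, so the next exclusion will again have to be added in three places; consider hoisting the shared shade-plugin `<filter>` into a common `pluginManagement` section so the three shaded modules cannot drift apart.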
diff --git a/phoenix-server/pom.xml b/phoenix-server/pom.xml
index 8c10c74c28..e6eb646633 100644
--- a/phoenix-server/pom.xml
+++ b/phoenix-server/pom.xml
@@ -78,6 +78,7 @@
<filter>
<artifact>*:*</artifact>
<excludes>
+ <exclude>META-INF/maven/**</exclude>
<exclude>META-INF/*.SF</exclude>
<exclude>META-INF/*.DSA</exclude>
<exclude>META-INF/*.RSA</exclude>
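Review bot: Nothing in the patch records how the effect was verified; given that the motivation is a leftover `pom.properties` reporting jackson-databind 2.4.0 instead of the bundled 2.12.6, a quick check that the rebuilt phoenix-server shaded JAR has no `META-INF/maven/` entries at all (for example `unzip -l <shaded jar> | grep META-INF/maven` printing nothing) would be worth noting in the JIRA as the acceptance test, and would also catch the case where the filter is silently not applied to one of the three modules.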