(phoenix) branch 5.1 updated: PHOENIX-6982 Exclude Maven descriptors from shaded JARs

Wed, 09 Oct 2024 07:40:45 -0700 

This is an automated email from the ASF dual-hosted git repository.

stoty pushed a commit to branch 5.1
in repository https://gitbox.apache.org/repos/asf/phoenix.git


The following commit(s) were added to refs/heads/5.1 by this push:
     new 8644628301 PHOENIX-6982 Exclude Maven descriptors from shaded JARs
8644628301 is described below

commit 864462830110b91dfc87b68d2a9e1a758550a4f8
Author: Krzysztof Sobolewski <[email protected]>
AuthorDate: Wed May 31 10:07:56 2023 +0200

    PHOENIX-6982 Exclude Maven descriptors from shaded JARs
    
    These descriptors are included in the dependencies, from which the
    shaded JARs are compiled, but they do not really describe the contents
    of those JARs - instead, they are information about *their* transitive
    dependencies. These descriptors would be included in the shaded JAR and
    misrepresent the actual contents of the JAR. Also, multiple dependencies
    may include the same descriptor from different versions of a particular
    transitive dependency, and the Shade plugin will pick one at random to
    include in the shaded JAR. Usually the one picked will be from a
    different version than we actually include in the JAR. For example, for
    `jackson-databind` we depend on version 2.12.6, but the Maven descriptor
    in the shaded JAR would be from version 2.4.0.
    
    As an additional concern, these descriptors would confuse security
    scanners, which would flag the JAR as including an old, vulnerable
    version of a dependency even if that's not actually true.
    
    Co-authored-by: Istvan Toth <[email protected]>
---
 phoenix-client-parent/pom.xml | 1 +
 phoenix-server/pom.xml        | 1 +
 2 files changed, 2 insertions(+)

diff --git a/phoenix-client-parent/pom.xml b/phoenix-client-parent/pom.xml
index f0cda6f87e..502c901491 100644
--- a/phoenix-client-parent/pom.xml
+++ b/phoenix-client-parent/pom.xml
@@ -78,6 +78,7 @@
               <filter>
                 <artifact>*:*</artifact>
                 <excludes>
+                  <exclude>META-INF/maven/**</exclude>
                   <exclude>META-INF/*.SF</exclude>
                   <exclude>META-INF/*.DSA</exclude>
                   <exclude>META-INF/*.RSA</exclude>
diff --git a/phoenix-server/pom.xml b/phoenix-server/pom.xml
index aeb8f59df6..985439ce38 100644
--- a/phoenix-server/pom.xml
+++ b/phoenix-server/pom.xml
@@ -128,6 +128,7 @@
                     <filter>
                         <artifact>*:*</artifact>
                         <excludes>
+                            <exclude>META-INF/maven/**</exclude>
                             <exclude>META-INF/*.SF</exclude>
                             <exclude>META-INF/*.DSA</exclude>
                             <exclude>META-INF/*.RSA</exclude>

Reply via email to