Krzysztof Sobolewski created PHOENIX-6982:
---------------------------------------------
Summary: Shaded jar includes irrelevant Maven descriptors
Key: PHOENIX-6982
URL: https://issues.apache.org/jira/browse/PHOENIX-6982
Project: Phoenix
Issue Type: Improvement
Reporter: Krzysztof Sobolewski
These descriptors are included in the dependencies, from which the shaded JARs
are compiled, but they do not really describe the contents of those JARs -
instead, they are information about _their_ transitive dependencies. These
descriptors would be included in the shaded JAR and misrepresent the actual
contents of the JAR. Also, multiple dependencies may include the same
descriptor from different versions of a particular transitive dependency, and
the Shade plugin will pick one at random to include in the shaded JAR. Usually
the one picked will be from a different version than we actually include in the
JAR. For example, for {{jackson-databind}} we (used to) depend on version
2.12.6, but the Maven descriptor in the shaded JAR would be from version 2.4.0.
As an additional concern, these descriptors would confuse security scanners,
which would flag the JAR as including an old, vulnerable version of a
dependency even if that's not actually true.
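One way to audit a shaded JAR for the stale descriptors described above (an added example, not code from the issue or from the Phoenix project): it lists every `META-INF/maven/*/*/pom.properties` entry in the JAR and compares the version each one claims against the version that was actually resolved for the build. The resolved-version map and the sample JAR below are constructed for illustration; in practice the map would come from something like `mvn dependency:list`.

```python
import io
import zipfile

# The Shade plugin copies these paths verbatim from every dependency jar.
DESCRIPTOR_PREFIX = "META-INF/maven/"


def read_maven_descriptors(jar_bytes):
    """Return {(groupId, artifactId): version} for each pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith(DESCRIPTOR_PREFIX) and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            coord = (props.get("groupId"), props.get("artifactId"))
            if None not in coord:
                found[coord] = props.get("version")
    return found


def find_misleading_descriptors(descriptors, resolved):
    """Flag descriptors whose version differs from the resolved (bundled) version,
    or which describe an artifact that was never part of the build at all."""
    report = {}
    for coord, claimed in descriptors.items():
        actual = resolved.get(coord)
        if actual is None:
            report[coord] = (claimed, "not a resolved dependency")
        elif actual != claimed:
            report[coord] = (claimed, "bundled version is " + actual)
    return report


def build_sample_jar():
    """Constructed sample: a shaded jar carrying a 2.4.0 jackson-databind descriptor
    (left over from a transitive dependency) while 2.12.6 is what was bundled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                     "#Generated by Maven\nversion=2.4.0\n"
                     "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
        jar.writestr("META-INF/maven/org.example/hypothetical-lib/pom.properties",
                     "version=1.0\ngroupId=org.example\nartifactId=hypothetical-lib\n")
        jar.writestr("com/fasterxml/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Any entry the report flags is exactly what a CVE scanner keyed on `pom.properties` would misattribute, so an empty report is the condition to gate a release on.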
--
This message was sent by Atlassian Jira
(v8.20.10#820010)