Konrad Windszus created SLING-10398:
---------------------------------------
Summary: Embed classes with Bnd only
Key: SLING-10398
URL: https://issues.apache.org/jira/browse/SLING-10398
Project: Sling
Issue Type: Improvement
Components: XSS Protection API
Affects Versions: XSS Protection API 2.2.14
Reporter: Konrad Windszus
Currently XSS embeds certain classes via bnd's Private-Package instruction
(https://bnd.bndtools.org/heads/private_package.html) and in addition the full
contents of JARs also via {{maven-dependency-plugin}} and
{{maven-resource-plugin}}. As the latter is executed at {{prepare-package}}
(https://github.com/apache/sling-org-apache-sling-xss/blob/ee14b1be2918805a9372754f9d2a1621d396759b/pom.xml#L133)
it happens after generating the manifest with {{bnd-maven-plugin}}. That is
really dangerous as certain classes are then not taken into account for the
OSGi manifest generation.
Instead embedding should be done purely with bnd so that all classes are
properly taken into consideration for the manifest generation.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
