On Tue, Jan 4, 2022 at 5:09 PM 'Jesse Glick' via Jenkins Developers <[email protected]> wrote:
>
> That basically takes us back to the unfortunate state we were in with
> Kohsuke’s series of shaded & repackaged ASM libraries, where we could not
> give a clear answer as to what we were actually bundling, and security
> scanners complained, etc. Not sure that is an improvement.

Does not seem so bad if limited to Stapler (and a deprecated code path within Stapler at that). In the old status quo, plugins were also consuming the shaded copy, which would no longer be necessary. Once ASM is detached to an API plugin, plugins like SCM: API and Token Macro can consume the ASM API plugin without shading. The version of the shaded ASM consumed by Stapler would be updated by Dependabot; hopefully that addresses the security concern.

> Right, you sometimes get into trouble when you try to use the library from
> the same Maven module that Shades it. Better to create a separate module in
> the reactor which solely Shades the library, then depend on that module from
> Stapler core. https://github.com/jenkinsci/docker-traceability-plugin/pull/18
> shows the idea.

Thank you for the pointer. That seems like an example I can follow.

> Another possibility is to write a minimal bytecode parser that just groks the
> symbol table, list of methods with their binary signatures, and method
> parameter metadata. Like https://github.com/paul-hammant/paranamer/blob/master/paranamer/src/java/com/thoughtworks/paranamer/BytecodeReadingParanamer.java
> for example (though that is a stripped-down version of ASM, but the same
> basic concept).

But whether we reuse that or write our own, the result would still be ~1,000 lines of low-level code for us to maintain compared to letting the ASM experts do it for us. Does not seem like a great use of time to me.

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjptU9hBk2%3D%3DcRV794%3DHi4rVFNP01xFgCL4GcrZ1zeda%3Dw%40mail.gmail.com.
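The "separate module in the reactor which solely shades the library" layout that the thread recommends, as an added illustration that is not code from the thread, from Stapler, or from the linked docker-traceability-plugin pull request. It is a stand-alone Maven module that does nothing but shade and relocate ASM; the core module then depends on this module instead of on org.ow2.asm:asm directly. The parent coordinates (org.example.stapler / stapler-parent), the module name stapler-asm-shaded, the relocation package org.example.stapler.shaded.asm, and the ASM and maven-shade-plugin versions are all assumptions chosen for the example; the ASM version line is the single place Dependabot would bump.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical parent coordinates; substitute the real reactor parent. -->
  <parent>
    <groupId>org.example.stapler</groupId>
    <artifactId>stapler-parent</artifactId>
    <version>1.0-SNAPSHOT</version>
  </parent>

  <!-- This module owns nothing but the shaded copy of ASM. No code of our own
       lives here, so the "use the library from the same module that shades it"
       problem mentioned in the thread does not arise. -->
  <artifactId>stapler-asm-shaded</artifactId>
  <packaging>jar</packaging>

  <dependencies>
    <dependency>
      <groupId>org.ow2.asm</groupId>
      <artifactId>asm</artifactId>
      <!-- Assumed version. This is the one line a Dependabot update touches,
           which keeps the bundled ASM version visible in source control. -->
      <version>9.2</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <version>3.2.4</version>
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <goal>shade</goal>
            </goals>
            <configuration>
              <!-- Publish a pom without the org.ow2.asm:asm dependency so that
                   consumers of this module do not also pull an unshaded ASM
                   onto their classpath transitively. -->
              <createDependencyReducedPom>true</createDependencyReducedPom>
              <relocations>
                <relocation>
                  <!-- Move every ASM class out of org.objectweb.asm so it can
                       never collide with an ASM that a plugin ships itself. -->
                  <pattern>org.objectweb.asm</pattern>
                  <shadedPattern>org.example.stapler.shaded.asm</shadedPattern>
                </relocation>
              </relocations>
              <filters>
                <filter>
                  <artifact>org.ow2.asm:asm</artifact>
                  <excludes>
                    <!-- The upstream module descriptor and manifest describe
                         the unrelocated jar and would be wrong after shading. -->
                    <exclude>module-info.class</exclude>
                    <exclude>META-INF/MANIFEST.MF</exclude>
                  </excludes>
                </filter>
              </filters>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The core module then declares an ordinary dependency on org.example.stapler:stapler-asm-shaded at ${project.version} and imports org.example.stapler.shaded.asm.ClassReader rather than org.objectweb.asm.ClassReader. Note the trade-off the thread is weighing: because the dependency-reduced pom no longer lists org.ow2.asm:asm, a dependency scanner that reads published poms or jar manifests will not see which ASM is inside the shaded jar; the version is recoverable only from this module's source pom, which is why keeping that version line under Dependabot's control matters.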
