Posted to issues@phoenix.apache.org by "ksobolew (via GitHub)" <gi...@apache.org> on 2023/05/31 08:26:58 UTC

[GitHub] [phoenix] ksobolew opened a new pull request, #1613: Exclude Maven descriptors from shaded JARs

ksobolew opened a new pull request, #1613:
URL: https://github.com/apache/phoenix/pull/1613

   These descriptors are included in the dependencies, from which the shaded JARs are compiled, but they do not really describe the contents of those JARs - instead, they are information about *their* transitive dependencies. These descriptors would be included in the shaded JAR and misrepresent the actual contents of the JAR. Also, multiple dependencies may include the same descriptor from different versions of a particular transitive dependency, and the Shade plugin will pick one at random to include in the shaded JAR. Usually the one picked will be from a different version than we actually include in the JAR. For example, for `jackson-databind` we depend on version 2.12.6, but the Maven descriptor in the shaded JAR would be from version 2.4.0.
   
   As an additional concern, these descriptors would confuse security scanners, which would flag the JAR as including an old, vulnerable version of a dependency even if that's not actually true.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@phoenix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
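The following script is an added example, not code from the Phoenix project or from the pull request above. It reproduces what a dependency scanner does with a shaded JAR: it walks every META-INF/maven/<groupId>/<artifactId>/pom.properties descriptor, reads the coordinates it claims, and compares them with the versions the build actually declares, so a stale descriptor (the 2.4.0 jackson-databind one described above, while the build depends on 2.12.6) is reported as a mismatch and a descriptor for an artifact the build never declares is reported as leaked. The sample JAR is constructed in memory; the `org.example:leaked-lib` coordinates and the `DECLARED` map are assumptions for illustration.

```python
"""Audit the Maven descriptors embedded in a shaded JAR.

Added example, not Phoenix project code. A scanner that reads
META-INF/maven/*/*/pom.properties sees exactly what this script sees.
"""
import io
import zipfile
from typing import Dict, List, Tuple

DESCRIPTOR_PREFIX = "META-INF/maven/"


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Parse a Java .properties file far enough for pom.properties:
    key=value or key:value lines, '#'/'!' comments, blank lines."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":" if ":" in line else None
        if sep is None:
            continue
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def embedded_descriptors(jar_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every pom.properties
    descriptor in the JAR, in archive order."""
    found: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith(DESCRIPTOR_PREFIX) and name.endswith("/pom.properties")):
                continue
            props = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
            # META-INF/maven/<group>/<artifact>/pom.properties: fall back to the
            # path components if the file omits groupId/artifactId.
            parts = name[len(DESCRIPTOR_PREFIX):].split("/")
            group = props.get("groupId", parts[0] if len(parts) >= 3 else "")
            artifact = props.get("artifactId", parts[1] if len(parts) >= 3 else "")
            found.append((group, artifact, props.get("version", "")))
    return found


def audit(jar_bytes: bytes, declared: Dict[Tuple[str, str], str]) -> Dict[str, list]:
    """Compare embedded descriptors with the declared coordinates.

    'mismatch'   : descriptor version differs from the declared version, so a
                   scanner would report the wrong (possibly vulnerable) version.
    'undeclared' : descriptor for an artifact the build does not declare at
                   all, i.e. metadata that leaked in from a transitive
                   dependency and says nothing about the JAR's real contents.
    """
    report: Dict[str, list] = {"mismatch": [], "undeclared": []}
    for group, artifact, version in embedded_descriptors(jar_bytes):
        key = (group, artifact)
        if key not in declared:
            report["undeclared"].append((group, artifact, version))
        elif declared[key] != version:
            report["mismatch"].append((group, artifact, version, declared[key]))
    return report


def build_sample_jar() -> bytes:
    """Constructed sample JAR (not a real Phoenix artifact): carries a stale
    jackson-databind descriptor claiming 2.4.0 although the build declares
    2.12.6, plus a descriptor for an artifact the build never declares."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/fasterxml/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
        jar.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            "#Generated by Maven\nversion=2.4.0\n"
            "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n",
        )
        jar.writestr(
            "META-INF/maven/org.example/leaked-lib/pom.properties",
            "version=1.0.0\ngroupId=org.example\nartifactId=leaked-lib\n",
        )
    return buf.getvalue()


# Versions the build actually declares (assumed; 2.12.6 is the figure from the PR text).
DECLARED: Dict[Tuple[str, str], str] = {
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.12.6",
}


if __name__ == "__main__":
    result = audit(build_sample_jar(), DECLARED)
    for group, artifact, version, want in result["mismatch"]:
        print(f"MISMATCH   {group}:{artifact} descriptor says {version}, build declares {want}")
    for group, artifact, version in result["undeclared"]:
        print(f"UNDECLARED {group}:{artifact}:{version}")
```

Running the same audit against a real shaded JAR (read the file's bytes and pass the project's declared dependency versions) gives a release-time check that the JAR ships no descriptor a scanner could misread. The usual way to get there with the maven-shade-plugin, independent of whatever this PR's diff does, is a `<filter>` on the shaded artifacts with `<exclude>META-INF/maven/**</exclude>`, so the descriptors never reach the shaded JAR in the first place; after that change the audit should return empty lists.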


[GitHub] [phoenix] stoty commented on pull request #1613: PHOENIX-6982 Exclude Maven descriptors from shaded JARs

Posted by "stoty (via GitHub)" <gi...@apache.org>.
stoty commented on PR #1613:
URL: https://github.com/apache/phoenix/pull/1613#issuecomment-1658329152

   Shouldn't we do the same for phoenix-server ?

