Posted to dev@phoenix.apache.org by "Krzysztof Sobolewski (Jira)" <ji...@apache.org> on 2023/06/16 16:12:00 UTC

[jira] [Created] (PHOENIX-6982) Shaded jar includes irrelevant Maven descriptors

Krzysztof Sobolewski created PHOENIX-6982:
---------------------------------------------

             Summary: Shaded jar includes irrelevant Maven descriptors
                 Key: PHOENIX-6982
                 URL: https://issues.apache.org/jira/browse/PHOENIX-6982
             Project: Phoenix
          Issue Type: Improvement
            Reporter: Krzysztof Sobolewski


These descriptors are included in the dependencies, from which the shaded JARs are compiled, but they do not really describe the contents of those JARs - instead, they are information about _their_ transitive dependencies. These descriptors would be included in the shaded JAR and misrepresent the actual contents of the JAR. Also, multiple dependencies may include the same descriptor from different versions of a particular transitive dependency, and the Shade plugin will pick one at random to include in the shaded JAR. Usually the one picked will be from a different version than we actually include in the JAR. For example, for {{jackson-databind}} we (used to) depend on version 2.12.6, but the Maven descriptor in the shaded JAR would be from version 2.4.0.

As an additional concern, these descriptors would confuse security scanners, which would flag the JAR as including an old, vulnerable version of a dependency even if that's not actually true.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
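The mismatch the report describes (a shaded JAR whose bundled `META-INF/maven/*/*/pom.properties` descriptor names a different version than the build actually shades in) is easy to audit before a scanner does it for you. The following is an added example, not code from the Jira issue or from the Phoenix build: it opens a JAR, parses every `pom.properties` descriptor under `META-INF/maven/`, and compares each one against the versions the build declares it bundles. The sample JAR, the `org.example` artifacts and the `declared` map are constructed for the example; the `jackson-databind` 2.12.6 versus 2.4.0 pair is taken from the report.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Every Maven-built dependency carries its own descriptor at this prefix;
# the shade plugin copies them into the uber-jar unless told otherwise.
DESCRIPTOR_PREFIX = "META-INF/maven/"


@dataclass(frozen=True)
class Descriptor:
    group_id: str
    artifact_id: str
    version: str
    path: str  # entry name inside the jar, kept for reporting


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def read_descriptors(jar_bytes: bytes) -> List[Descriptor]:
    """Collect every pom.properties descriptor embedded in the jar."""
    found: List[Descriptor] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(DESCRIPTOR_PREFIX) and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                found.append(Descriptor(
                    props.get("groupId", "?"),
                    props.get("artifactId", "?"),
                    props.get("version", "?"),
                    name,
                ))
    return found


# (kind, "group:artifact", version in descriptor, version actually bundled or None)
Finding = Tuple[str, str, str, Optional[str]]


def audit(descriptors: List[Descriptor], declared: Dict[str, str]) -> List[Finding]:
    """Flag descriptors that disagree with, or are absent from, the declared bundle.

    `declared` maps "groupId:artifactId" to the version the build really shades in
    (in practice, derived from the resolved dependency list of the shaded module).
    A scanner that trusts the descriptor would report the descriptor's version,
    so every finding here is a potential false positive (or a masked true one).
    """
    findings: List[Finding] = []
    for d in descriptors:
        ga = f"{d.group_id}:{d.artifact_id}"
        if ga not in declared:
            findings.append(("UNDECLARED", ga, d.version, None))
        elif declared[ga] != d.version:
            findings.append(("VERSION_MISMATCH", ga, d.version, declared[ga]))
    return sorted(findings)


def build_sample_jar() -> bytes:
    """Constructed shaded jar: one stale descriptor, one correct, one stray."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Stale descriptor picked up from a transitive dependency (versions from the report).
        zf.writestr(DESCRIPTOR_PREFIX + "com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\nversion=2.4.0\n")
        # Descriptor that matches what is bundled (constructed artifact).
        zf.writestr(DESCRIPTOR_PREFIX + "org.example/good-lib/pom.properties",
                    "groupId=org.example\nartifactId=good-lib\nversion=1.2.3\n")
        # Descriptor for something the build never meant to ship (constructed artifact).
        zf.writestr(DESCRIPTOR_PREFIX + "org.example/transitive-only/pom.properties",
                    "groupId=org.example\nartifactId=transitive-only\nversion=0.9.0\n")
        zf.writestr("com/example/Placeholder.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed view of what the build actually shades in.
DECLARED = {
    "com.fasterxml.jackson.core:jackson-databind": "2.12.6",
    "org.example:good-lib": "1.2.3",
}


def sample_findings() -> List[Finding]:
    return audit(read_descriptors(build_sample_jar()), DECLARED)


if __name__ == "__main__":
    for kind, ga, seen, real in sample_findings():
        print(f"{kind}: {ga} descriptor says {seen}, bundled {real or 'nothing'}")
```

Run against a real artifact by replacing `build_sample_jar()` with the bytes of the shaded JAR and `DECLARED` with the module's resolved dependency versions. The fix on the build side is the one the report implies: a maven-shade-plugin `<filter>` that excludes `META-INF/maven/**` from shaded dependencies, so the uber-jar carries only descriptors that describe what it actually contains.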