[ https://issues.apache.org/jira/browse/PHOENIX-6982?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Istvan Toth updated PHOENIX-6982:
---------------------------------
Summary: Exclude Maven descriptors from shaded JARs (was: Shaded jar includes irrelevant Maven descriptors)
> Exclude Maven descriptors from shaded JARs
> ------------------------------------------
>
> Key: PHOENIX-6982
> URL: https://issues.apache.org/jira/browse/PHOENIX-6982
> Project: Phoenix
> Issue Type: Improvement
> Reporter: Krzysztof Sobolewski
> Assignee: Krzysztof Sobolewski
> Priority: Major
>
> These descriptors are included in the dependencies, from which the shaded
> JARs are compiled, but they do not really describe the contents of those JARs
> - instead, they are information about _their_ transitive dependencies. These
> descriptors would be included in the shaded JAR and misrepresent the actual
> contents of the JAR. Also, multiple dependencies may include the same
> descriptor from different versions of a particular transitive dependency, and
> the Shade plugin will pick one at random to include in the shaded JAR.
> Usually the one picked will be from a different version than we actually
> include in the JAR. For example, for {{jackson-databind}} we (used to) depend
> on version 2.12.6, but the Maven descriptor in the shaded JAR would be from
> version 2.4.0.
> As an additional concern, these descriptors would confuse security scanners,
> which would flag the JAR as including an old, vulnerable version of a
> dependency even if that's not actually true.
--
This message was sent by Atlassian Jira (v8.20.10#820010)
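The check a practitioner would want before and after a change like this is a look inside the shaded JAR itself: which `META-INF/maven/<groupId>/<artifactId>/pom.properties` descriptors it carries, whether their `version` agrees with the version the build actually shades, and whether the exclusion removed them all. The script below is an added example, not Phoenix project code and not part of the issue. A JAR is a ZIP archive and Maven's `pom.properties` is a plain key=value file, so the Python standard library is enough. The sample JAR it audits is constructed inline; the relocation prefix `org/apache/phoenix/shaded` and the expected-version table are assumptions used only to make the mismatch concrete (the 2.4.0 versus 2.12.6 figures are the ones quoted in the issue). `strip_descriptors` models what excluding `META-INF/maven/**` in the Shade plugin achieves, so the same audit can confirm the fix.

```python
"""Audit and strip Maven descriptors (META-INF/maven/**) in a shaded JAR.

Added example, not Phoenix project code. Sample JAR content is constructed
inline; the relocation prefix and expected versions are assumptions.
"""
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Maven writes one pom.properties (and pom.xml) per artifact under this layout.
DESCRIPTOR_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def read_pom_properties(data: bytes) -> Dict[str, str]:
    """Parse key=value lines of a pom.properties file; '#' lines are comments."""
    props: Dict[str, str] = {}
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def entry_names(jar_bytes: bytes) -> List[str]:
    """All entry names in the JAR, in archive order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def list_descriptors(jar_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every pom.properties in the JAR.
    Falls back to the path components when a key is missing from the file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = DESCRIPTOR_RE.match(name)
            if not m:
                continue
            props = read_pom_properties(zf.read(name))
            found.append((props.get("groupId", m.group(1)),
                          props.get("artifactId", m.group(2)),
                          props.get("version", "?")))
    return sorted(found)


def find_mismatches(jar_bytes: bytes,
                    expected: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str, str]]:
    """Descriptors whose version differs from what the build actually shades.
    `expected` maps (groupId, artifactId) -> version declared in the build.
    Each hit is (groupId, artifactId, version_in_descriptor, version_expected)."""
    out = []
    for g, a, v in list_descriptors(jar_bytes):
        want = expected.get((g, a))
        if want is not None and want != v:
            out.append((g, a, v, want))
    return out


def strip_descriptors(jar_bytes: bytes) -> bytes:
    """Rewrite the JAR without META-INF/maven/** (pom.xml and pom.properties),
    which is the effect of excluding those paths in the Shade plugin."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.startswith("META-INF/maven/"):
                continue
            dst.writestr(info, src.read(info.filename))
    src.close()
    return buf.getvalue()


def build_sample_jar() -> bytes:
    """Constructed stand-in for a shaded JAR (not a real Phoenix artifact):
    a relocated jackson-databind class plus a stale descriptor that the Shade
    plugin copied from a dependency's bundled META-INF/maven tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Assumed relocation prefix; the bytes are just a class-file magic number.
        zf.writestr("org/apache/phoenix/shaded/com/fasterxml/jackson/databind/"
                    "ObjectMapper.class", b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/"
                    "pom.properties",
                    "#Generated by Maven\nversion=2.4.0\n"
                    "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml",
                    "<project/>")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    # Assumed: the build actually shades jackson-databind 2.12.6.
    shaded = {("com.fasterxml.jackson.core", "jackson-databind"): "2.12.6"}
    print("descriptors:", list_descriptors(jar))
    print("mismatches :", find_mismatches(jar, shaded))
    print("after strip:", list_descriptors(strip_descriptors(jar)))
```

Run it against a real artifact by replacing `build_sample_jar()` with the bytes of the shaded JAR and filling `expected` from the versions the build declares; a scanner that keys on `pom.properties` will report exactly the tuples `list_descriptors` returns, so an empty list after the build is the condition to assert in CI. In the Shade plugin itself the corresponding exclusion is a `<filters>` entry with `META-INF/maven/**` under `<excludes>`.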