From 3ccb128dac4e02f5d7dccb5f2b5f08fe7fd830d1 Mon Sep 17 00:00:00 2001
From: Nihal Jain
Date: Mon, 21 Oct 2024 21:26:41 +0530
Subject: [PATCH] HBASE-28921 Skip bundling hbase-webapps folder in jars (#6368)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code. With this JIRA, we skip bundling static webapp resources in our jars.
Signed-off-by: Istvan Toth
Reviewed-by: Dávid Paksy
(cherry picked from commit 836630422df2776287a860eff9d7104c3eca0582)
---
hbase-rest/pom.xml | 9 +++++++++
hbase-server/pom.xml | 1 +
hbase-thrift/pom.xml | 9 +++++++++
3 files changed, 19 insertions(+)
diff --git a/hbase-rest/pom.xml b/hbase-rest/pom.xml
index 87b9898a9c46..776b38a7cd69 100644
--- a/hbase-rest/pom.xml
+++ b/hbase-rest/pom.xml
@@ -289,6 +289,15 @@ true + + org.apache.maven.plugins + maven-jar-plugin + + + **/hbase-webapps/** + + + maven-antrun-plugin
diff --git a/hbase-server/pom.xml b/hbase-server/pom.xml
index 92b696d2feca..cb47a8ea7df0 100644
--- a/hbase-server/pom.xml
+++ b/hbase-server/pom.xml
@@ -453,6 +453,7 @@ log4j.properties mapred-queues.xml mapred-site.xml + **/hbase-webapps/**
diff --git a/hbase-thrift/pom.xml b/hbase-thrift/pom.xml
index 992b42960295..b0fcd8e3d439 100644
--- a/hbase-thrift/pom.xml
+++ b/hbase-thrift/pom.xml
@@ -194,6 +194,15 @@ true + + org.apache.maven.plugins + maven-jar-plugin + + + **/hbase-webapps/** + + + maven-antrun-plugin
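Review bot: The new `**/hbase-webapps/**` exclusion in the hbase-rest maven-jar-plugin block only changes what a scanner finds inside the jar; if the same static files still reach a deployment by another packaging path (not visible in this patch), the JavaScript libraries the description mentions remain in service and still need their own version inventory and upgrade tracking. The same holds for the matching exclusion added to the list in hbase-server/pom.xml and the new block in hbase-thrift/pom.xml. It is also worth confirming that a process started from these jars alone (embedded use, test harnesses) reports a clear error when the `hbase-webapps` folder is missing from the classpath rather than serving a broken UI, since nothing in the diff supplies a replacement location. I would add a comment above each exclusion so it is not later removed as an apparent mistake, for example `<!-- HBASE-28921: web UI static resources are intentionally not packaged in the jar -->`. The enclosing plugin sections start and end outside the hunks.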