How to “exclude” dependencies embedded in an uber-jar using Maven 3?

I have a project A that has a "managed dependency" a. a is a "shaded jar" (uber-jar) with another dependency b relocated within. The problem is that the version of b relocated into a has several >7.5 CVEs filed against it, and I would like to exclude it from the CLASSPATH and use a patched version of b with the CVEs addressed.

How can I do this using Maven 3?

EDIT: additional context: a is htrace-core4:4.0.1-incubating, a transitive dependency of hadoop-common:2.8.3. htrace-core4:4.0.1-incubating is no longer supported and of course contains a vulnerable jackson-databind:2.4.0 shaded jar (b for the sake of my labels above), which has proven resilient to normal Maven "managed dependency" tactics.

❯ mvn dependency:tree -Dincludes="org.apache.htrace*"          
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------------< com.s****m.**:s****s >-------------------------
[INFO] Building s*****s 1.21.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ s****s ---
[INFO] com.s****m.**:s****s:jar:1.0.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-client:jar:2.8.3:compile
[INFO]    \- org.apache.hadoop:hadoop-common:jar:2.8.3:compile
[INFO]       \- org.apache.htrace:htrace-core4:jar:4.0.1-incubating:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.676 s
[INFO] Finished at: 2020-04-27T11:57:11-03:00
[INFO] ------------------------------------------------------------------------

There is a question in my mind over whether you should do this if you have any viable alternative.

Sounds like a situation where you are trying to work around something that is just wrong. Conceptually, depending on something that has incorporated specific versions of dependent classes is clearly a potential nightmare, especially, as you have discovered, if there are CVEs identified against one of those shaded dependencies. Depending on an uber-jar essentially breaks the dependency management model.

I'm guessing it is internally created in your organisation, rather than coming from a central repository, so can you put pressure on that team to do the right thing?

Alternatively, the dependency plugin's unpack may be an option: unpack that dependency with exclusions based on package into your build - https://maven.apache.org/plugins/maven-dependency-plugin/usage.html#dependency:unpack

The following works for me as an example: it unpacks the dependency without the auth package into the classes directory of target before the default-jar is built by the maven-jar plugin, and then I have to exclude the original jar. This is a spring-boot project, so I use the spring-boot plugin configuration, which is used during the repackage goal; if you are using the war plugin I suspect there is a similar exclusion capability.

End result is the filtered-down classes from http client in my jar classes directory alongside my application classes.

        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-dependency-plugin</artifactId>
            <version>3.1.2</version>
            <executions>
                <execution>
                    <id>default-jar</id>
                    <phase>prepare-package</phase>
                    <goals>
                        <goal>unpack</goal>
                    </goals>
                    <configuration>
                        <artifactItems>
                            <artifactItem>
                                <groupId>org.apache.httpcomponents</groupId>
                                <artifactId>httpclient</artifactId>
                                <outputDirectory>${project.build.directory}/classes</outputDirectory>
                                <excludes>org/apache/http/auth/</excludes>
                            </artifactItem>
                        </artifactItems>
                    </configuration>
                </execution>
            </executions>
        </plugin>
        <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
            <configuration>
                <excludes>
                    <exclude>
                        <groupId>org.apache.httpcomponents</groupId>
                        <artifactId>httpclient</artifactId>
                    </exclude>
                </excludes>
            </configuration>
        </plugin>

Note, since the question update I had a look at htrace-core-4, and you can easily include all the htrace classes without the jackson-databind shaded classes using:

        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-dependency-plugin</artifactId>
            <version>3.1.2</version>
            <executions>
                <execution>
                    <id>default-jar</id>
                    <phase>prepare-package</phase>
                    <goals>
                        <goal>unpack</goal>
                    </goals>
                    <configuration>
                        <artifactItems>
                            <artifactItem>
                                <groupId>org.apache.htrace</groupId>
                                <artifactId>htrace-core4</artifactId>
                                <outputDirectory>${project.build.directory}/classes</outputDirectory>
                                <excludes>org/apache/htrace/fasterxml/</excludes>
                            </artifactItem>
                        </artifactItems>
                    </configuration>
                </execution>
            </executions>
        </plugin>

Then it just remains for you to exclude the original htrace-core4-4.0.1-incubating.jar, which you can do as I have done if you have a spring-boot application, or using the maven war plugin if you are creating a war file, or using whatever plugin creates your final build. During unpack you may also want to exclude some of the pom.xml files that are in the jar file and which you don't really need.

Also add a dependency on a safe version of jackson-databind, though there is always the risk that htrace is using a method or class that only exists in the vulnerable version, so you might hit tricky runtime errors.
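A post-build check, added here as an example and not part of the answer above: after the unpack-with-exclusion and the exclusion of the original jar, scan the final artifact (including nested jars such as BOOT-INF/lib/*.jar or WEB-INF/lib/*.jar) for any class still under the relocated org/apache/htrace/fasterxml/ prefix and for any bundled htrace-core4 jar. The sample artifact built by build_sample_jar is constructed in memory for demonstration, not a real build output.

```python
import io
import sys
import zipfile

# Package prefix under which htrace-core4 relocates its shaded jackson-databind.
RELOCATED_PREFIX = "org/apache/htrace/fasterxml/"
# File-name stem of the original jar that should no longer be bundled.
ORIGINAL_JAR_STEM = "htrace-core4-"


def scan_archive(data: bytes, path: str = "") -> dict:
    """Scan a jar/war (as bytes) recursively; nested entries are reported as outer.jar!/inner."""
    findings = {"relocated": [], "bundled_jars": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            full = f"{path}!/{name}" if path else name
            if name.startswith(RELOCATED_PREFIX) and name.endswith(".class"):
                findings["relocated"].append(full)          # shaded class survived the exclusion
            elif name.endswith(".jar"):
                if name.rsplit("/", 1)[-1].startswith(ORIGINAL_JAR_STEM):
                    findings["bundled_jars"].append(full)   # original jar was not excluded
                nested = scan_archive(zf.read(name), full)  # fat jar / war: look inside
                findings["relocated"] += nested["relocated"]
                findings["bundled_jars"] += nested["bundled_jars"]
    return findings


def is_clean(data: bytes) -> bool:
    f = scan_archive(data)
    return not f["relocated"] and not f["bundled_jars"]


def build_sample_jar(include_relocated: bool, include_original: bool) -> bytes:
    """Constructed sample artifact (fake class bytes) for exercising the check offline."""
    stub = b"\xca\xfe\xba\xbe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as app:
        app.writestr("com/example/App.class", stub)
        app.writestr("org/apache/htrace/core/Tracer.class", stub)  # unpacked htrace classes we keep
        if include_relocated:
            app.writestr(RELOCATED_PREFIX + "jackson/databind/ObjectMapper.class", stub)
        if include_original:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as lib:
                lib.writestr(RELOCATED_PREFIX + "jackson/databind/ObjectMapper.class", stub)
            app.writestr("BOOT-INF/lib/htrace-core4-4.0.1-incubating.jar", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":  # usage: python check_shaded.py target/app.jar
    with open(sys.argv[1], "rb") as fh:
        report = scan_archive(fh.read())
    for key, hits in report.items():
        print(key, *hits, sep="\n  ")
    sys.exit(1 if report["relocated"] or report["bundled_jars"] else 0)
```

The exit status makes the check usable as a CI gate, and the same scan works for a war if you point it at the built .war file.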
