From 315118c5aed600e966c93753c1de1fd244242792 Mon Sep 17 00:00:00 2001
From: Nihal Jain <nihaljain@apache.org>
Date: Mon, 4 Nov 2024 11:13:17 +0530
Subject: [PATCH] HBASE-28921 Avoid bundling hbase-webapps folder in default
 jars (#6388)

We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code.

With this JIRA, we want to avoid bundling static webapp resources in our jars as these are available during runtime via hbase-webapps directory bundled in our assembly.

But, we still need this for our minicluster based tests which expects it to be present in test classpath. Hence, we are copying hbase-webapps to hbase-server tests jar, which contains class SingleProcessHBaseCluster responsible for hbase minicluster creation. This class eventually needs hbase-webapps in classpath during HttpServer initialisation and hence we are adding hbase-webapps to hbase-server test resources.

Signed-off-by: Istvan Toth <stoty@apache.org>
(cherry picked from commit 16c51d83ac980495b18d06e0b7480c665c99275b)
---
 hbase-rest/pom.xml   |  9 +++++
 hbase-server/pom.xml | 90 ++++++++++++++++++++++++++++++++++++--------
 hbase-thrift/pom.xml |  9 +++++
 3 files changed, 93 insertions(+), 15 deletions(-)

diff --git a/hbase-rest/pom.xml b/hbase-rest/pom.xml
index 2ac2686ec38c..5b60ed4c963e 100644
--- a/hbase-rest/pom.xml
+++ b/hbase-rest/pom.xml
@@ -297,6 +297,15 @@
           <skipAssembly>true</skipAssembly>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <configuration>
+          <excludes>
+            <exclude>**/hbase-webapps/**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
       <!-- General ant tasks, bound to different build phases -->
       <plugin>
         <artifactId>maven-antrun-plugin</artifactId>
diff --git a/hbase-server/pom.xml b/hbase-server/pom.xml
index 132e1faa6ca6..3fa408ce53ef 100644
--- a/hbase-server/pom.xml
+++ b/hbase-server/pom.xml
@@ -35,6 +35,7 @@
     <license.bundles.bootstrap>true</license.bundles.bootstrap>
     <license.bundles.jquery>true</license.bundles.jquery>
     <license.bundles.vega>true</license.bundles.vega>
+    <hbase.webapps.dir>hbase-webapps</hbase.webapps.dir>
   </properties>
   <dependencies>
     <dependency>
@@ -449,24 +450,83 @@
           <skipAssembly>true</skipAssembly>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>build-helper-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>add-test-source</id>
+            <goals>
+              <goal>add-test-resource</goal>
+            </goals>
+            <phase>generate-test-sources</phase>
+            <configuration>
+              <!-- Add the hbase-webapps directory to the test resources -->
+              <resources>
+                <resource>
+                  <!-- Directory containing hbase-webapps -->
+                  <directory>target/${hbase.webapps.dir}</directory>
+                  <!-- Target directory under test-classes -->
+                  <targetPath>${hbase.webapps.dir}</targetPath>
+                </resource>
+              </resources>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-jar-plugin</artifactId>
-        <configuration>
-          <!-- Exclude these 2 packages, because their dependency _binary_ files
-            include the sources, and Maven 2.2 appears to add them to the sources to compile,
-            weird -->
-          <excludes>
-            <exclude>org/apache/jute/**</exclude>
-            <exclude>org/apache/zookeeper/**</exclude>
-            <exclude>**/*.jsp</exclude>
-            <exclude>hbase-site.xml</exclude>
-            <exclude>hdfs-site.xml</exclude>
-            <exclude>log4j.properties</exclude>
-            <exclude>mapred-queues.xml</exclude>
-            <exclude>mapred-site.xml</exclude>
-          </excludes>
-        </configuration>
+        <executions>
+          <!-- Exclude specified file(s) from the default JAR -->
+          <execution>
+            <id>default-jar</id>
+            <goals>
+              <goal>jar</goal>
+            </goals>
+            <phase>package</phase>
+            <configuration>
+              <excludes>
+                <!-- Exclude these 2 packages, because their dependency _binary_ files
+                include the sources, and Maven 2.2 appears to add them to the sources to compile,
+                weird -->
+                <exclude>org/apache/jute/**</exclude>
+                <exclude>org/apache/zookeeper/**</exclude>
+                <exclude>**/*.jsp</exclude>
+                <exclude>hbase-site.xml</exclude>
+                <exclude>hdfs-site.xml</exclude>
+                <exclude>log4j.properties</exclude>
+                <exclude>mapred-queues.xml</exclude>
+                <exclude>mapred-site.xml</exclude>
+                <!-- NOTE: We have the below exclude only for the default JAR -->
+                <exclude>**/hbase-webapps/**</exclude>
+              </excludes>
+            </configuration>
+          </execution>
+          <!-- Copy of default jar exclusions, minus not removing hbase-webapps-->
+          <execution>
+            <id>test-jar</id>
+            <goals>
+              <goal>test-jar</goal>
+            </goals>
+            <phase>package</phase>
+            <configuration>
+              <classifier>tests</classifier>
+              <excludes>
+                <exclude>org/apache/jute/**</exclude>
+                <exclude>org/apache/zookeeper/**</exclude>
+                <exclude>**/*.jsp</exclude>
+                <exclude>hbase-site.xml</exclude>
+                <exclude>hdfs-site.xml</exclude>
+                <exclude>log4j.properties</exclude>
+                <exclude>mapred-queues.xml</exclude>
+                <exclude>mapred-site.xml</exclude>
+                <!-- We do not want to exclude hbase-webapps from tests. We actually intentionally
+                add this directory to out test resources. See HBASE-28921 for details! -->
+              </excludes>
+            </configuration>
+          </execution>
+        </executions>
       </plugin>
       <!-- General ant tasks, bound to different build phases -->
       <plugin>
diff --git a/hbase-thrift/pom.xml b/hbase-thrift/pom.xml
index 64d8fc933ab7..7bfc6f39a2bc 100644
--- a/hbase-thrift/pom.xml
+++ b/hbase-thrift/pom.xml
@@ -210,6 +210,15 @@
           <skipAssembly>true</skipAssembly>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <configuration>
+          <excludes>
+            <exclude>**/hbase-webapps/**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
       <!-- General ant tasks, bound to different build phases -->
       <plugin>
         <artifactId>maven-antrun-plugin</artifactId>