From 8b2774d14a0984da9ed6662ef275213e17b83a1b Mon Sep 17 00:00:00 2001
From: Nihal Jain <nihaljain@apache.org>
Date: Wed, 23 Oct 2024 17:46:42 +0530
Subject: [PATCH 1/3] HBASE-28921 Skip bundling hbase-webapps folder in jars

We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code.

With this JIRA, we want to avoid bundling static webapp resources in our jars as these are available during runtime via hbase-webapps directory bundled in our assembly.

But, we still need this for our minicluster based tests which expects it to be present in test classpath. Hence, we are copying hbase-webapps to hbase-server tests jar, which contains class SingleProcessHBaseCluster responsible for hbase minicluster creation. This class eventually needs hbase-webapps in classpath during HttpServer initialisation and hence we are copying it to hbase-server tests.
---
 hbase-rest/pom.xml   |  9 +++++
 hbase-server/pom.xml | 94 +++++++++++++++++++++++++++++++++++++-------
 hbase-thrift/pom.xml |  9 +++++
 pom.xml              |  4 +-
 4 files changed, 99 insertions(+), 17 deletions(-)

diff --git a/hbase-rest/pom.xml b/hbase-rest/pom.xml
index cf629b62991a..734f8db0b5be 100644
--- a/hbase-rest/pom.xml
+++ b/hbase-rest/pom.xml
@@ -289,6 +289,15 @@
           <skipAssembly>true</skipAssembly>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <configuration>
+          <excludes>
+            <exclude>**/hbase-webapps/**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
       <!-- Make a jar and put the sources in the jar -->
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
diff --git a/hbase-server/pom.xml b/hbase-server/pom.xml
index 92b696d2feca..b633c0e23a89 100644
--- a/hbase-server/pom.xml
+++ b/hbase-server/pom.xml
@@ -35,6 +35,8 @@
     <license.bundles.bootstrap>true</license.bundles.bootstrap>
     <license.bundles.jquery>true</license.bundles.jquery>
     <license.bundles.vega>true</license.bundles.vega>
+    <hbase.webapps.dir>target/hbase-webapps</hbase.webapps.dir>
+    <test.classes.webapps.dir>target/test-classes/hbase-webapps</test.classes.webapps.dir>
   </properties>
   <dependencies>
     <dependency>
@@ -437,24 +439,86 @@
           <skipAssembly>true</skipAssembly>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-resources-plugin</artifactId>
+        <executions>
+          <!-- Copy hbase-webapps from build directory to test classes directory -->
+          <execution>
+            <id>copy-hbase-webapps-to-test</id>
+            <goals>
+              <goal>copy-resources</goal>
+            </goals>
+            <phase>process-test-resources</phase>
+            <configuration>
+              <!-- Output directory for the copied resources -->
+              <outputDirectory>${test.classes.webapps.dir}</outputDirectory>
+              <resources>
+                <resource>
+                  <!-- Directory containing hbase-webapps, which needs to be copied -->
+                  <directory>${hbase.webapps.dir}</directory>
+                  <includes>
+                    <include>**/*</include>
+                  </includes>
+                </resource>
+              </resources>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-jar-plugin</artifactId>
-        <configuration>
-          <!-- Exclude these 2 packages, because their dependency _binary_ files
-            include the sources, and Maven 2.2 appears to add them to the sources to compile,
-            weird -->
-          <excludes>
-            <exclude>org/apache/jute/**</exclude>
-            <exclude>org/apache/zookeeper/**</exclude>
-            <exclude>**/*.jsp</exclude>
-            <exclude>hbase-site.xml</exclude>
-            <exclude>hdfs-site.xml</exclude>
-            <exclude>log4j.properties</exclude>
-            <exclude>mapred-queues.xml</exclude>
-            <exclude>mapred-site.xml</exclude>
-          </excludes>
-        </configuration>
+        <executions>
+          <!-- Exclude specified file(s) from the default JAR -->
+          <execution>
+            <id>default-jar</id>
+            <goals>
+              <goal>jar</goal>
+            </goals>
+            <phase>package</phase>
+            <configuration>
+              <excludes>
+                <!-- Exclude these 2 packages, because their dependency _binary_ files
+                include the sources, and Maven 2.2 appears to add them to the sources to compile,
+                weird -->
+                <exclude>org/apache/jute/**</exclude>
+                <exclude>org/apache/zookeeper/**</exclude>
+                <exclude>**/*.jsp</exclude>
+                <exclude>hbase-site.xml</exclude>
+                <exclude>hdfs-site.xml</exclude>
+                <exclude>log4j.properties</exclude>
+                <exclude>mapred-queues.xml</exclude>
+                <exclude>mapred-site.xml</exclude>
+                <!-- NOTE: We have the below exclude only for the default JAR -->
+                <exclude>**/hbase-webapps/**</exclude>
+              </excludes>
+            </configuration>
+          </execution>
+          <!-- Copy of default jar exclusions, minus not removing hbase-webapps-->
+          <execution>
+            <id>test-jar</id>
+            <goals>
+              <goal>test-jar</goal>
+            </goals>
+            <phase>package</phase>
+            <configuration>
+              <classifier>tests</classifier>
+              <excludes>
+                <exclude>org/apache/jute/**</exclude>
+                <exclude>org/apache/zookeeper/**</exclude>
+                <exclude>**/*.jsp</exclude>
+                <exclude>hbase-site.xml</exclude>
+                <exclude>hdfs-site.xml</exclude>
+                <exclude>log4j.properties</exclude>
+                <exclude>mapred-queues.xml</exclude>
+                <exclude>mapred-site.xml</exclude>
+                <!-- We do not want to exclude hbase-webapps from tests. We actually copied it with
+                copy-hbase-webapps-to-test. See HBASE-28921 for details! -->
+              </excludes>
+            </configuration>
+          </execution>
+        </executions>
       </plugin>
       <!-- General ant tasks, bound to different build phases -->
       <plugin>
diff --git a/hbase-thrift/pom.xml b/hbase-thrift/pom.xml
index b75b288c8789..fd21b18db5cf 100644
--- a/hbase-thrift/pom.xml
+++ b/hbase-thrift/pom.xml
@@ -194,6 +194,15 @@
           <skipAssembly>true</skipAssembly>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <configuration>
+          <excludes>
+            <exclude>**/hbase-webapps/**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
       <!-- General ant tasks, bound to different build phases -->
       <plugin>
         <artifactId>maven-antrun-plugin</artifactId>
diff --git a/pom.xml b/pom.xml
index d121edadcb38..6059062e6910 100644
--- a/pom.xml
+++ b/pom.xml
@@ -803,9 +803,9 @@
     <!-- override on command line to have generated LICENSE files include
          diagnostic info for verifying notice requirements -->
     <license.debug.print.included>false</license.debug.print.included>
-    <!-- When a particular module bundles its depenendencies, should be true -->
+    <!-- When a particular module bundles its dependencies, should be true -->
     <license.bundles.dependencies>false</license.bundles.dependencies>
-    <!-- modules that include a the logo in their source tree should set true -->
+    <!-- modules that include a logo in their source tree should set true -->
     <license.bundles.logo>false</license.bundles.logo>
     <!-- modules that include bootstrap in their source tree should set true -->
     <license.bundles.bootstrap>false</license.bundles.bootstrap>

From 57942b622e6f7cc2683a610471bc2b68e5b23d9b Mon Sep 17 00:00:00 2001
From: Nihal Jain <nihaljain@apache.org>
Date: Thu, 24 Oct 2024 21:26:51 +0530
Subject: [PATCH 2/3] - Switch to build-helper-maven-plugin

---
 hbase-server/pom.xml | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/hbase-server/pom.xml b/hbase-server/pom.xml
index b633c0e23a89..7a1176c261da 100644
--- a/hbase-server/pom.xml
+++ b/hbase-server/pom.xml
@@ -35,8 +35,7 @@
     <license.bundles.bootstrap>true</license.bundles.bootstrap>
     <license.bundles.jquery>true</license.bundles.jquery>
     <license.bundles.vega>true</license.bundles.vega>
-    <hbase.webapps.dir>target/hbase-webapps</hbase.webapps.dir>
-    <test.classes.webapps.dir>target/test-classes/hbase-webapps</test.classes.webapps.dir>
+    <hbase.webapps.dir>hbase-webapps</hbase.webapps.dir>
   </properties>
   <dependencies>
     <dependency>
@@ -440,26 +439,23 @@
         </configuration>
       </plugin>
       <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-resources-plugin</artifactId>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>build-helper-maven-plugin</artifactId>
         <executions>
-          <!-- Copy hbase-webapps from build directory to test classes directory -->
           <execution>
-            <id>copy-hbase-webapps-to-test</id>
+            <id>add-test-source</id>
             <goals>
-              <goal>copy-resources</goal>
+              <goal>add-test-resource</goal>
             </goals>
-            <phase>process-test-resources</phase>
+            <phase>generate-test-sources</phase>
             <configuration>
-              <!-- Output directory for the copied resources -->
-              <outputDirectory>${test.classes.webapps.dir}</outputDirectory>
+              <!-- Add the hbase-webapps directory to the test resources -->
               <resources>
                 <resource>
-                  <!-- Directory containing hbase-webapps, which needs to be copied -->
-                  <directory>${hbase.webapps.dir}</directory>
-                  <includes>
-                    <include>**/*</include>
-                  </includes>
+                  <!-- Directory containing hbase-webapps -->
+                  <directory>target/${hbase.webapps.dir}</directory>
+                  <!-- Target directory under test-classes -->
+                  <targetPath>${hbase.webapps.dir}</targetPath>
                 </resource>
               </resources>
             </configuration>
@@ -513,8 +509,8 @@
                 <exclude>log4j.properties</exclude>
                 <exclude>mapred-queues.xml</exclude>
                 <exclude>mapred-site.xml</exclude>
-                <!-- We do not want to exclude hbase-webapps from tests. We actually copied it with
-                copy-hbase-webapps-to-test. See HBASE-28921 for details! -->
+                <!-- We do not want to exclude hbase-webapps from tests. We actually intentionally
+                add this directory to out test resources. See HBASE-28921 for details! -->
               </excludes>
             </configuration>
           </execution>

From 434a3ed40c65e94146dda8f790d310291ce1661d Mon Sep 17 00:00:00 2001
From: Nihal Jain <nihaljain@apache.org>
Date: Mon, 28 Oct 2024 11:56:43 +0530
Subject: [PATCH 3/3] - Revert dummy whitespace changes

---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 6059062e6910..d121edadcb38 100644
--- a/pom.xml
+++ b/pom.xml
@@ -803,9 +803,9 @@
     <!-- override on command line to have generated LICENSE files include
          diagnostic info for verifying notice requirements -->
     <license.debug.print.included>false</license.debug.print.included>
-    <!-- When a particular module bundles its dependencies, should be true -->
+    <!-- When a particular module bundles its depenendencies, should be true -->
     <license.bundles.dependencies>false</license.bundles.dependencies>
-    <!-- modules that include a logo in their source tree should set true -->
+    <!-- modules that include a the logo in their source tree should set true -->
     <license.bundles.logo>false</license.bundles.logo>
     <!-- modules that include bootstrap in their source tree should set true -->
     <license.bundles.bootstrap>false</license.bundles.bootstrap>