
Build logs "Downloading from shibboleth-repo: .." #27358

Closed
Sanne opened this issue Aug 18, 2022 · 0 comments · Fixed by #27359
Labels: area/build, area/persistence, area/securepipeline (issues related to ensuring Quarkus can be used in secure pipeline setups like FIPS or similar), kind/enhancement (new feature or request)

Comments

@Sanne (Member)

Sanne commented Aug 18, 2022

Describe the bug

When building a Quarkus application using the MSSQL JDBC driver, this dependency is pulling in an additional dependency com.nimbusds:oauth2-oidc-sdk whose pom.xml defines an additional Maven repository <id>shibboleth-repo</id>.

This additional repository gets activated, as evidenced by the log:

Downloading from shibboleth-repo: https://build.shibboleth.net/nexus/content/repositories/releases/net/minidev/json-smart/maven-metadata.xml

Fetched metadata also actually pollutes the local build repository; I'm considering this a problem as we don't want additional repositories being activated behind the user's back:

  • they might not trust it (although this one looks sane)
  • it slows down other aspects of the build
  • it makes it harder to configure proxies and mirrors for firewalled builds

In general it's a bad practice to have such repositories in a pom as it leads to supply chain concerns.
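As an added example (not code from the issue, Quarkus, or the nimbusds project), the check below audits a Maven local repository for the two symptoms described above: dependency POMs that declare their own `<repository>` entries, and artifacts whose `_remote.repositories` marker (the file Maven Resolver writes beside each downloaded artifact, in `file>repoId=` form) shows they were fetched from a repository that is not on an allow-list. The sample POM and marker contents are constructed here to mirror the report; the `json-smart` version in them is made up, and the repository URL is the base of the URL quoted in the build log.

```python
"""Audit a Maven local repository (~/.m2/repository by default) for
repositories injected by dependency POMs and for artifacts fetched from
repositories outside an allow-list."""
import os
import re
import sys
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample: a dependency POM declaring its own repository, as
# com.nimbusds:oauth2-oidc-sdk does according to the issue. Version is made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>sample-dependency</artifactId>
  <version>0.0.1</version>
  <repositories>
    <repository>
      <id>shibboleth-repo</id>
      <url>https://build.shibboleth.net/nexus/content/repositories/releases/</url>
    </repository>
  </repositories>
</project>"""

# Constructed sample of a _remote.repositories marker: one artifact came from
# the injected repository, its POM from Maven Central. Version is made up.
SAMPLE_MARKER = """#NOTE: This is a Maven Resolver internal implementation file.
json-smart-2.4.8.jar>shibboleth-repo=
json-smart-2.4.8.pom>central=
"""

MARKER_LINE = re.compile(r"^(?P<file>[^>#]+)>(?P<repo>[^=]*)=")


def declared_repositories(pom_xml: str):
    """Return [(id, url)] for every <repository> in <repositories> blocks,
    including those inside <profiles>; handles namespaced and plain POMs."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith("{") else ""
    found = []
    for repos in root.iter(f"{ns}repositories"):
        for repo in repos.findall(f"{ns}repository"):
            rid = repo.findtext(f"{ns}id", default="").strip()
            url = repo.findtext(f"{ns}url", default="").strip()
            found.append((rid, url))
    return found


def fetched_from(marker_text: str):
    """Parse a _remote.repositories marker into {artifact_file: repo_id}."""
    origins = {}
    for line in marker_text.splitlines():
        m = MARKER_LINE.match(line.strip())
        if m:
            origins[m.group("file")] = m.group("repo")
    return origins


def unexpected_origins(marker_text: str, allowed=("central",)):
    """Artifacts whose recorded origin is not on the allow-list."""
    return {f: r for f, r in fetched_from(marker_text).items() if r not in allowed}


def audit_local_repo(root_dir: str, allowed=("central",)):
    """Walk a local repository and report injected repository declarations
    and off-allow-list fetches; unparsable POMs are skipped."""
    report = {"declared": [], "fetched": []}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".pom"):
                try:
                    with open(path, encoding="utf-8") as fh:
                        for rid, url in declared_repositories(fh.read()):
                            report["declared"].append((path, rid, url))
                except (ET.ParseError, OSError):
                    continue
            elif name == "_remote.repositories":
                with open(path, encoding="utf-8") as fh:
                    for f, r in unexpected_origins(fh.read(), allowed).items():
                        report["fetched"].append((os.path.join(dirpath, f), r))
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.m2/repository")
    result = audit_local_repo(target)
    for path, rid, url in result["declared"]:
        print(f"POM declares repository {rid!r} ({url}): {path}")
    for path, rid in result["fetched"]:
        print(f"fetched from non-allow-listed repository {rid!r}: {path}")
```

Running the script against a build's local repository before and after the fix shows whether the injected repository was actually contacted. The usual Maven-side mitigation is a `<mirror>` with `<mirrorOf>*</mirrorOf>` in `settings.xml`, which routes every repository id, including ones declared by dependency POMs, through one vetted proxy; the audit above is the check that the mirror is doing its job.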

@Sanne Sanne self-assigned this Aug 18, 2022
@sberyozkin sberyozkin added the area/securepipeline issues related to ensure Quarkus can be used in a secure pipeline setups like FIPS or similar label Aug 18, 2022
@Sanne Sanne added kind/enhancement New feature or request and removed kind/bug Something isn't working labels Aug 18, 2022
@quarkus-bot quarkus-bot bot added this to the 2.13 - main milestone Aug 18, 2022
@gsmet gsmet modified the milestones: 2.13 - main, 2.12.0.Final Aug 23, 2022