Is there a reason why the docker image uses an uberjar? Most SCA tools can't work with them, and replacing a dependency jar with a patched one is much more tedious (e.g. rolling out log4j2 updates quickly).
Mayank
02/10/2022, 2:47 PM
@User
Xiang Fu
02/10/2022, 6:40 PM
It's the same jar we use from the Pinot release process, the single one built from pinot-distribution; the major issue here is about library shading. Actually pinot-tools has all the dependency jars in the `libs` directory.
Xiang Fu
02/10/2022, 6:43 PM
@User do you see any issue with tweaking the release process a bit for this?
Seunghyun
02/10/2022, 8:41 PM
I think that we originally used separate lib jars + shaded jars, but we moved to the uber jar from a certain point.
Seunghyun
02/10/2022, 8:42 PM
I think that it's fine to fall back to the previous approach as long as our release can execute our code correctly.
Seunghyun
02/10/2022, 8:44 PM
Another quicker way is to upgrade Pinot with the Docker image that has the log4j2 fix.
Mayank
02/10/2022, 9:52 PM
I think @User already did the upgrade with all the fixes, iirc.
Zsolt Takacs
02/10/2022, 9:53 PM
The log4j2 issue was just an example; if someone had a tight deadline for upgrades, waiting for the official image was too slow.
Xiang Fu
02/10/2022, 9:53 PM
The log4j fix is already there; this is more like a general setup problem.
Zsolt Takacs
02/10/2022, 10:22 PM
The bigger issue is that most SCA tools can't scan uberjars, which can be a compliance problem.