
I would like to use a GitHub repo inside a Script I'm writing. The Script will run inside an application which requires that the Script has minimal dependencies. By this I mean it can have a dependency on a standalone .jar or library, but not on one that has further dependencies. This is a security measure. My Script needs to have a dependency on a GitHub project, but that project also has its own dependencies. Is there any way to compress that GitHub project and its chain of dependencies into one standalone library or .jar?

I'm using IntelliJ (most recent version) if that helps. The GitHub project I need to use can be one of the following:

https://github.com/RuedigerMoeller/fast-serialization

https://github.com/EsotericSoftware/kryo

I need it to serialize and deserialize large object structures very quickly and frequently, otherwise my program doesn't operate on current data.

EDIT: So I did solve this issue, the solution was to use the Maven Shade plugin to compile an uber or fat .jar of the Maven project. This allowed me to bypass the security measure.

Kael Eppcohen
  • How does moving dependencies from one JAR to another help security? Your requirement makes no sense. – SLaks Dec 25 '17 at 17:55
  • @SLaks Not my requirement; I'm very frustrated by it but it does make it a lot easier for the app to detect code that's potentially harmful to its users. – Kael Eppcohen Dec 25 '17 at 20:28

1 Answer


Having a dependency on a GitHub repo is having a source dependency (which might itself declare binary dependencies in its own repo).

You would need to fork that repo, and transform its maven project in order to generate a fat jar (with for instance the Shade plugin).
And you would need to publish that new artifact to an artifact repository (like your own Nexus) in order for your project to depend on it.

VonC
  • Why would you need to publish the artifact? If your build scripts simply produce it locally and ship it on the machine that needs to run the code, that seems to be enough. If it has to be shipped to a fleet of machines then it really depends on how OP's deployment model looks. Say, if it was for their system at work for example, they probably have build tools that allow doing this, so I would probably not include this type of detail in an answer – Dici Dec 25 '17 at 18:01
  • @Dici Yes, if you install it in your local maven cache, that is enough. But if anyone wants to recompile your project, you still need to publish that artifact in order for others to resolve it. – VonC Dec 25 '17 at 18:04
  • That is assuming they use maven. They can also just commit it to the source repository in some lib directory. Totally depends on how they deal with dependencies. – NickL Dec 25 '17 at 19:07
  • This pointed me in the right direction. I didn't know you could make uber or fat .jars with Maven. I had to mess around a bit in IntelliJ settings to get it to build the Maven project correctly but in the end it worked and I have everything working. Thank you @VonC! – Kael Eppcohen Dec 25 '17 at 22:19
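As an added illustration of the Shade approach the answer and the asker's edit describe (not code from the thread or from either project), here is a minimal wrapper pom.xml that bundles Kryo and its transitive dependencies into one jar; the wrapper coordinates, the Kryo version and the relocation prefix are assumptions, so pin the version you have actually reviewed.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates for the wrapper project (assumption, not from the thread). -->
  <groupId>com.example</groupId>
  <artifactId>kryo-standalone</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <!-- The library to bundle; Kryo pulls in reflectasm, minlog and objenesis transitively. -->
    <dependency>
      <groupId>com.esotericsoftware</groupId>
      <artifactId>kryo</artifactId>
      <version>4.0.2</version> <!-- assumed version; pin the one you have reviewed -->
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <version>3.2.4</version>
        <executions>
          <execution>
            <!-- Runs on "mvn package": target/kryo-standalone-1.0.0.jar becomes the uber jar,
                 the thin original is kept beside it as target/original-kryo-standalone-1.0.0.jar. -->
            <phase>package</phase>
            <goals><goal>shade</goal></goals>
            <configuration>
              <!-- The POM installed alongside lists no dependencies, so the artifact resolves as one self-contained jar. -->
              <createDependencyReducedPom>true</createDependencyReducedPom>
              <!-- Relocate a bundled package so it cannot collide with a copy the host application already loads. -->
              <relocations>
                <relocation>
                  <pattern>org.objenesis</pattern>
                  <shadedPattern>com.example.shaded.org.objenesis</shadedPattern>
                </relocation>
              </relocations>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Every transitive dependency still ships inside the merged jar, so run `mvn dependency:tree` on the wrapper first and review that list, since the host application's single-jar check can no longer see those libraries individually.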