OK, so I know how to remove class files from all the jars under a dir. But now I have different layers from a Docker image; each layer is a tar file, and in the tar file there are the jar files.

Can I remove the class files from the jar files, packaged in tar files?

$ tree -L 3
.
├── 29e0fb8afe376cb02219c977cba1c9a80cca895f7f17b72c356f3e25a63337b9
│   ├── json
│   ├── layer.tar
│   └── VERSION
├── 3b75d6634da4d4f4932d2affeabb7454dc51ba160c3833b386c34e328da8f0ba
│   ├── amq                                               # <<<<< this layer is extracted already, and you can see all the jars here. Other layers are not
│   │   ├── activemq-all-5.11.0.redhat-630495.jar
│   │   ├── bin
│   │   ├── conf
│   │   ├── data
│   │   ├── docs
│   │   ├── examples
│   │   ├── lib
│   │   ├── LICENSE
│   │   ├── NOTICE
│   │   ├── README.txt
│   │   ├── webapps
│   │   └── webapps-demo
│   ├── json
│   ├── layer.tar
│   ├── temp
│   └── VERSION
├── c1fa0e994b2d29f60fd2a6caecbe1ac3f987d001903523d60e532b6e08b094f0
│   ├── json
│   ├── layer.tar
│   └── VERSION
├── c8c84a6c1be5bdfc8caafd23082fd725e84f1c9cddb98fd56cad3a62544b2a3c.json
├── ef5088f89fbac64d2d5982ba14492227f60db1221f6bfd6290c6364a2a95a7e3
│   ├── json
│   ├── layer.tar
│   └── VERSION
├── manifest.json
├── repositories
└── script.sh                                             # <<<<< the script is here


So you ask me why? Well, did you hear people talking about log4j recently? :) I am doing this right now: log4j vulnerability check: how to quickly detect if log4j is used, in maven/in an image? "mvn dependency:tree" does not give a full picture

If someone can tell me how to remove these classes from the jib maven plugin, that's better. They are from a base image and I doubt we could do that, though.

WesternGun
    You're probably better off updating your Maven or Gradle build to exclude vulnerable versions of log4j everywhere, not just in your Docker images. I've never had a lot of luck trying to manually edit images as tar files and this probably isn't an approach I'd pursue. – David Maze Dec 17 '21 at 16:05
  • After some time of trying, I agree with you. Even if I can edit a layer and change the sha256sum in the main config file, the Docker daemon still gives me errors like "Cannot open /var/lib/docker/tmp-xxxx/....: no such file". Seems tampering with layers cannot go undetected by Docker. – WesternGun Mar 01 '22 at 14:01
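
The mechanics the question asks about, as an added example that is not part of the question or its comments: a jar is a zip, so a jar member of a layer tar can be read into memory, copied without the entries matching a glob pattern, and written back into a new tar with the member's size updated. The layout assumed is the one in the tree above (a `layer.tar` per layer directory, jars somewhere inside it); the class pattern `org/example/lookup/*.class` and the sample jar and tar built by `build_sample_layer()` are constructed for the demo and are not from the image shown.

```python
"""Strip matching entries from every jar inside a Docker layer tar (added example)."""
import copy
import fnmatch
import io
import tarfile
import zipfile


def strip_entries_from_jar(jar_bytes, patterns):
    """Return (new_jar_bytes, removed): a copy of the jar minus entries matching a glob."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if any(fnmatch.fnmatch(info.filename, p) for p in patterns):
                removed.append(info.filename)
                continue
            # Writing with the original ZipInfo keeps name, timestamp and compression method.
            dst.writestr(info, src.read(info))
    return out.getvalue(), removed


def rewrite_layer(src_fileobj, dst_fileobj, patterns):
    """Copy a layer tar member by member, rewriting jars that contain matching entries.

    Returns {tar member name: [removed entries]} for every jar that changed.
    """
    report = {}
    with tarfile.open(fileobj=src_fileobj, mode="r") as src, \
            tarfile.open(fileobj=dst_fileobj, mode="w") as dst:
        for member in src:
            if member.isfile():
                data = src.extractfile(member).read()
                if member.name.endswith(".jar"):
                    new_data, removed = strip_entries_from_jar(data, patterns)
                    if removed:
                        report[member.name] = removed
                        data = new_data
                        # The tar header must carry the size of the rewritten payload.
                        member = copy.copy(member)
                        member.size = len(data)
                dst.addfile(member, io.BytesIO(data))
            else:
                # Directories, symlinks and hard links carry no payload.
                dst.addfile(member)
    return report


def list_jar_entries(layer_fileobj, member_name):
    """Entry names of one jar inside a layer tar (used to check the result)."""
    layer_fileobj.seek(0)
    with tarfile.open(fileobj=layer_fileobj, mode="r") as tar:
        data = tar.extractfile(member_name).read()
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        return sorted(jar.namelist())


def build_sample_layer():
    """Constructed layer.tar: one jar holding two classes, plus a text file."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("org/example/App.class", b"\xca\xfe\xba\xbe app")
        z.writestr("org/example/lookup/RemoteLookup.class", b"\xca\xfe\xba\xbe lookup")
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as tar:
        for name, payload in (("amq/lib/sample-lib.jar", jar.getvalue()),
                              ("amq/README.txt", b"sample\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    layer.seek(0)
    return layer


def demo():
    """Rewrite the constructed layer and report what was removed and what remains."""
    patterns = ["org/example/lookup/*.class"]  # constructed pattern, not a real class path
    src = build_sample_layer()
    dst = io.BytesIO()
    report = rewrite_layer(src, dst, patterns)
    return report, list_jar_entries(dst, "amq/lib/sample-lib.jar")


if __name__ == "__main__":
    report, remaining = demo()
    print(report)     # {'amq/lib/sample-lib.jar': ['org/example/lookup/RemoteLookup.class']}
    print(remaining)  # ['org/example/App.class']
```

To run it against a real export, open each `<layer-id>/layer.tar` as `src_fileobj` and write a new tar as `dst_fileobj`. The caveat the comments arrive at applies unchanged: a rewritten `layer.tar` has a new sha256, so the layer digests in `manifest.json` and the `rootfs.diff_ids` in the image config no longer match, and `docker load` rejects the image until both are regenerated. Fixing the dependency in the build, as the first comment suggests, avoids that problem entirely.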

0 Answers