James,

On 6/10/24 13:09, James H. H. Lampert wrote:
> Please forgive me if this is an RTFM issue, or if it's outside the scope
> of this List (and this isn't exactly the first time I've imposed upon
> the friendly nature of this List, knowing that it's a much more
> forgiving environment than a lot of StackExchange forums are).
>
> I've just been alerted that our WAR files contain ".DS_Store" (Mac OS
> desktop information) files.
>
> So far as I'm aware, it's difficult or impossible to keep Mac OS from
> generating these files, but is there some WAR file generation parameter
> that can be used to exclude them?

The short answer to this is "yes" but the slightly longer answer is "ask
your developers to arrange for artifacts such as these to be ignored
when building ZIP files."

Others are offering some specifics, but if it's not your job to package
the ZIP files then, well, don't bother to try to find the solution
yourself. Just tell your devs to fix this.

If you want to fix your existing JAR files, you can do this if you are
on a UNIX-like system and have the "zip" utility installed:

  $ zip -d data.zip "*/.DS_Store"

The "*" here should expand to include all prefixes so it should remove
these files from all directories.

Back to the original issue: .DS_Store files in ZIP files [is a security
issue] as claimed by your customer's security scan. Eh... yeah, sure I
guess. But it's not going to leak very much information from your
developers' machines. The real problem would be if *other* files from
your developers' machines are ending up in the build... the only thing
the presence of the .DS_Store files would do is indicate that other
(usually more sensitive) files are also available.

-chris
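
The clean-up described above, as an added Python example that is not part of the original message: it goes beyond the `zip -d` one-liner by also descending into nested archives such as `WEB-INF/lib/*.jar` and by reporting every entry it drops. The names `clean_archive`, `STRAY_NAMES` and `build_sample_war`, and the sample WAR contents, are assumptions made for the illustration.

```python
import io
import zipfile

# Assumption: only .DS_Store is treated as stray; extend the set as needed.
STRAY_NAMES = {".DS_Store"}
NESTED_SUFFIXES = (".jar", ".war", ".zip")

def is_stray(name: str) -> bool:
    """True if the entry's base name is an OS metadata file, at any depth."""
    return name.rstrip("/").rsplit("/", 1)[-1] in STRAY_NAMES

def clean_archive(data: bytes, prefix: str = "") -> tuple[bytes, list[str]]:
    """Return (rewritten archive bytes, paths of the entries dropped)."""
    removed: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if is_stray(info.filename):
                removed.append(prefix + info.filename)
                continue
            payload = src.read(info)
            if info.filename.lower().endswith(NESTED_SUFFIXES):
                try:
                    inner, inner_removed = clean_archive(payload, prefix + info.filename + "!/")
                except zipfile.BadZipFile:
                    inner_removed = []  # not really an archive: copy through unchanged
                if inner_removed:  # rewrite a nested archive only when it changed
                    payload = inner
                    removed.extend(inner_removed)
            dst.writestr(info, payload)  # keeps name, timestamp and compression type
    return out.getvalue(), removed

def build_sample_war() -> bytes:  # constructed sample input, not a real build
    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as jar:
        jar.writestr("com/example/.DS_Store", b"\0")
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr(".DS_Store", b"\0")
        z.writestr("index.jsp", b"<%= 1 %>")
        z.writestr("WEB-INF/.DS_Store", b"\0")
        z.writestr("WEB-INF/lib/app.jar", lib.getvalue())
    return war.getvalue()

if __name__ == "__main__":
    print("\n".join(clean_archive(build_sample_war())[1]))
```

Run as a build gate, a non-empty list of removed paths is the signal worth acting on: it shows the packaging step is sweeping up files from a developer's working directory.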