Skip to content

Fix shading of multi-release BouncyCastle classes#47127

Merged
vcolin7 merged 2 commits intoAzure:mainfrom
vcolin7:jca-shading-fix
Nov 3, 2025
Merged

Fix shading of multi-release BouncyCastle classes#47127
vcolin7 merged 2 commits intoAzure:mainfrom
vcolin7:jca-shading-fix

Conversation

@vcolin7
Copy link
Member

@vcolin7 vcolin7 commented Oct 30, 2025
edited
Loading

Description

Currently, we're not correctly shading release-specific BouncyCastle classes meant for multi-relase JARs. This is caused because the maven-shade-plugin does not properly support this at this time; the plugin does rewrite the class references and package names, but does not relocate the classes themselves (see this issue and this PR). This PR fixes the problem by manually relocating the classes in question. It also updates the plugin version from 3.6.0 to 3.6.1.

Fixes: #45277

Tests

Ran a small bash script to check the before and after status of multi-release classes:

Before

==========================================
Final Shading Verification Report
==========================================
JAR: target/azure-security-keyvault-jca-2.11.0-beta.1.jar
==========================================

1. Bouncy Castle Classes:
   Unshaded classes: 859
   Shaded classes: 583
   Multi-release shaded: 0
   ❌ Leaked classes found!

2. OSGI Metadata:
   OSGI files: 8
   ⚠️  OSGI files present

3. Multi-Release Structure:
   Total multi-release entries: 877
   Class files (total): 792
     - Shaded: 0
     - Unshaded (excl. module-info): 791
     - Module descriptor: 1
   Directories/other: 85
   OSGI entries: 8
   ⚠️  Unshaded multi-release classes found
   ⚠️  OSGI metadata present

After

==========================================
Final Shading Verification Report
==========================================
JAR: target/azure-security-keyvault-jca-2.11.0-beta.1.jar
==========================================

1. Bouncy Castle Classes:
   Unshaded classes: 0
   Shaded classes: 1442
   Multi-release shaded: 859
   ✅ No leaks!

2. OSGI Metadata:
   OSGI files: 0
   ✅ Clean - no outdated OSGI metadata!

3. Multi-Release Structure:
   Total multi-release entries: 896
   Class files (total): 791
     - Shaded: 791
     - Unshaded (excl. module-info): 0
     - Module descriptor: 0
   Directories/other: 105
   OSGI entries: 0
   ✅ All multi-release classes properly shaded!
   ✅ No OSGI metadata in multi-release structure!

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

Copilot AI review requested due to automatic review settings October 30, 2025 20:17
@github-actions github-actions bot added azure-spring All azure-spring related issues Azure.Core azure-core clientcore Cosmos EngSys This issue is impacting the engineering system. Storage Storage Service (Queues, Blobs, Files) labels Oct 30, 2025
Copilot AI reviewed Oct 30, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the Maven Shade Plugin from version 3.6.0 to 3.6.1 across multiple POM files in the Azure SDK for Java repository. The update includes a critical fix in the KeyVault JCA module to properly handle multi-release JAR shading for BouncyCastle dependencies.

Key Changes:

  • Updates maven-shade-plugin version from 3.6.0 to 3.6.1 across 16 POM files
  • Adds OSGI metadata exclusion and multi-release JAR relocation workaround in azure-security-keyvault-jca
  • Updates CHANGELOG.md to document the BouncyCastle shading fix

Reviewed Changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
eng/versioning/external_dependencies.txt Updates the centralized external dependency version from 3.6.0 to 3.6.1
sdk/parents/azure-client-sdk-parent/pom.xml Updates shade plugin version in parent POM
sdk/parents/azure-client-sdk-parent-v2/pom.xml Updates shade plugin version in v2 parent POM
sdk/parents/clientcore-parent/pom.xml Updates shade plugin version in clientcore parent POM
sdk/keyvault/azure-security-keyvault-jca/pom.xml Updates shade plugin version and adds OSGI exclusion and multi-release JAR relocation configuration
sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md Documents the fix for BouncyCastle multi-release JAR shading issue
sdk/serialization/azure-json/pom.xml Updates shade plugin version
sdk/serialization/azure-xml/pom.xml Updates shade plugin version
sdk/storage/azure-storage-blob-stress/pom.xml Updates shade plugin version
sdk/storage/azure-storage-file-datalake-stress/pom.xml Updates shade plugin version
sdk/storage/azure-storage-file-share-stress/pom.xml Updates shade plugin version
sdk/template/azure-template-stress/pom.xml Updates shade plugin version
sdk/cosmos/azure-cosmos-kafka-connect/pom.xml Updates shade plugin version
sdk/cosmos/azure-cosmos-spark_3/pom.xml Updates shade plugin version
sdk/cosmos/azure-cosmos-spark-account-data-resolver-sample/pom.xml Updates shade plugin version
sdk/cosmos/fabric-cosmos-spark-auth_3/pom.xml Updates shade plugin version
sdk/clientcore/http-stress/pom.xml Updates shade plugin version

@vcolin7 vcolin7 self-assigned this Oct 30, 2025
@vcolin7 vcolin7 merged commit 30cc65f into Azure:main Nov 3, 2025
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@alzimmermsft alzimmermsft alzimmermsft approved these changes

@samvaity samvaity Awaiting requested review from samvaity

@g2vinay g2vinay Awaiting requested review from g2vinay

@JonathanGiles JonathanGiles Awaiting requested review from JonathanGiles

@rujche rujche Awaiting requested review from rujche

@Netyyyy Netyyyy Awaiting requested review from Netyyyy

@saragluna saragluna Awaiting requested review from saragluna

@moarychan moarychan Awaiting requested review from moarychan

@srnagar srnagar Awaiting requested review from srnagar

Assignees

@vcolin7 vcolin7

Labels

Azure.Core azure-core azure-spring All azure-spring related issues clientcore Cosmos EngSys This issue is impacting the engineering system. Storage Storage Service (Queues, Blobs, Files)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] azure-security-keyvault-jca 2.11 JAR publishes (multirelease) classes under org.bouncycastle package

2 participants

@vcolin7 @alzimmermsft