[fs] Scope jetty exclusion to fluss-fs-azure and fix NOTICE

morazow · claude · morazow · commit d9fda26fd445 · 2026-06-23T15:30:47.000+02:00
Only hadoop-azure actually bundles jetty (jetty-util / jetty-util-ajax)
into the shaded FS jar; hadoop-aliyun (oss) and hadoop-huaweicloud (obs)
do not pull jetty into the bundle, and jetty-http/server/servlet/webapp
are never bundled. Trim the exclusions to the two artifacts that are
really present and revert the no-op oss/obs changes.

Also remove the now-stale jetty entries from the fluss-fs-azure NOTICE:
the license-check CI only fails on bundled-but-unlisted dependencies, so
a listed-but-unbundled entry stays green and had to be cleaned up by hand.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/fluss-filesystems/fluss-fs-azure/pom.xml b/fluss-filesystems/fluss-fs-azure/pom.xml
@@ -80,17 +80,10 @@
                     <groupId>org.slf4j</groupId>
                     <artifactId>slf4j-reload4j</artifactId>
                 </exclusion>
-                <!-- Jetty is only used by Hadoop's web UI server and the unused WASB native
-                     store; Fluss uses ABFS. Excluded to drop vulnerable jetty-http (CVE-2026-2332,
-                     CVE-2024-6763, CVE-2025-11143) and other transitive jetty 9.x jars. -->
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-server</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-http</artifactId>
-                </exclusion>
+                <!-- jetty-util(-ajax) is pulled in transitively by hadoop-azure but is only
+                     used by Hadoop's web UI server and the unused WASB native store; Fluss uses
+                     ABFS. Excluded to keep them off the bundled FS jar (also drops jetty 9.x
+                     CVEs as a side benefit). -->
                 <exclusion>
                     <groupId>org.eclipse.jetty</groupId>
                     <artifactId>jetty-util</artifactId>
@@ -99,14 +92,6 @@
                     <groupId>org.eclipse.jetty</groupId>
                     <artifactId>jetty-util-ajax</artifactId>
                 </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-servlet</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-webapp</artifactId>
-                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
diff --git a/fluss-filesystems/fluss-fs-azure/src/main/resources/META-INF/NOTICE b/fluss-filesystems/fluss-fs-azure/src/main/resources/META-INF/NOTICE
@@ -72,11 +72,4 @@ This project bundles the following dependencies under the MIT License (https://o
 
 - org.checkerframework:checker-qual:2.5.2
 - org.codehaus.mojo:animal-sniffer-annotations:1.17
-- org.bouncycastle:bcprov-jdk15on:1.70
-
-This project bundles the following dependencies under the Eclipse Public License 2.0 and Apache License 2.0 (dual license). See bundled license files for details.
-- EPL-2.0: https://www.eclipse.org/legal/epl-2.0/
-- Apache-2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
-
-- org.eclipse.jetty:jetty-util-ajax:9.4.43.v20210629
-- org.eclipse.jetty:jetty-util:9.4.43.v20210629
+- org.bouncycastle:bcprov-jdk15on:1.70
diff --git a/fluss-filesystems/fluss-fs-obs/pom.xml b/fluss-filesystems/fluss-fs-obs/pom.xml
@@ -77,33 +77,6 @@
                     <groupId>org.slf4j</groupId>
                     <artifactId>slf4j-reload4j</artifactId>
                 </exclusion>
-                <!-- Jetty is only used by Hadoop's web UI server, never on the FS client path.
-                     Excluded to drop vulnerable jetty-http (CVE-2026-2332, CVE-2024-6763,
-                     CVE-2025-11143) and other transitive jetty 9.x jars. -->
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-server</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-http</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-util</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-util-ajax</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-servlet</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-webapp</artifactId>
-                </exclusion>
             </exclusions>
         </dependency>
 
diff --git a/fluss-filesystems/fluss-fs-oss/pom.xml b/fluss-filesystems/fluss-fs-oss/pom.xml
@@ -76,33 +76,6 @@
                     <groupId>org.slf4j</groupId>
                     <artifactId>slf4j-reload4j</artifactId>
                 </exclusion>
-                <!-- Jetty is only used by Hadoop's web UI server, never on the FS client path.
-                     Excluded to drop vulnerable jetty-http (CVE-2026-2332, CVE-2024-6763,
-                     CVE-2025-11143) and other transitive jetty 9.x jars. -->
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-server</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-http</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-util</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-util-ajax</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-servlet</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-webapp</artifactId>
-                </exclusion>
             </exclusions>
         </dependency>
 
