Conversation
There was a problem hiding this comment.
Pull request overview
This PR performs cleanup of the LiquidJava project by removing unused code, correcting dependency configurations, and adding Maven Wrapper support for build reproducibility.
Changes:
- Added Maven Wrapper (mvnw, mvnw.cmd) version 3.3.4 with Maven 3.9.11 distribution
- Fixed junit-jupiter-engine dependency scope from compile to test in liquidjava-verifier
- Removed unused antlr4 full dependency (kept antlr4-runtime which is actually used)
- Deleted unused utility classes and example code from liquidjava-api module
Reviewed changes
Copilot reviewed 12 out of 14 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pom.xml | Added maven-wrapper-plugin configuration to support Maven Wrapper |
| mvnw | Added Maven Wrapper shell script for Unix-like systems (version 3.3.4) |
| mvnw.cmd | Added Maven Wrapper batch/PowerShell script for Windows (version 3.3.4) |
| .mvn/wrapper/maven-wrapper.properties | Maven Wrapper configuration specifying Maven 3.9.11 distribution |
| liquidjava-verifier/pom.xml | Fixed junit-jupiter-engine scope to test; removed unused antlr4 full dependency |
| liquidjava-api/.../Processor.java | Deleted unused utility class (no references found in codebase) |
| liquidjava-api/.../Prettify.java | Deleted empty utility class (no references found in codebase) |
| liquidjava-api/.../InducedRefinementsParser.java | Deleted unused parser class (no references found in codebase) |
| liquidjava-api/.../Main.java | Deleted unused main class that referenced deleted utilities |
| liquidjava-api/.../example/*.java | Deleted example classes (Simple, ToSimple, NumericExample) not referenced elsewhere |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| wrapperVersion=3.3.4 | ||
| distributionType=only-script | ||
| distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.11/apache-maven-3.9.11-bin.zip |
There was a problem hiding this comment.
The Maven wrapper scripts are designed to verify the SHA-256 checksum of the downloaded Maven distribution when distributionSha256Sum is configured, but .mvn/wrapper/maven-wrapper.properties omits this property, so no integrity verification is actually performed for the remote Maven binary. An attacker who can tamper with traffic to distributionUrl (or compromise the artifact at that URL) could cause developers/CI to download and execute a malicious Maven distribution with full access to build secrets and artifacts. Add a distributionSha256Sum entry with the expected SHA-256 hash of apache-maven-3.9.11-bin.zip and keep it updated when bumping Maven to ensure the wrapper refuses modified or tampered distributions.
2 participants
No description provided.