Maven release of shaded icu4j-23.1.2.jar causes issues because of file name

[d-schmidt]

Describe the issue
depending on this in a Spring Boot project:

        <dependency>
            <groupId>org.graalvm.polyglot</groupId>
            <artifactId>js-community</artifactId>
            <version>23.1.2</version>
            <type>pom</type>
            <scope>runtime</scope>
        </dependency>

includes a

    <dependency>
      <groupId>org.graalvm.shadowed</groupId>
      <artifactId>icu4j</artifactId>
      <version>23.1.2</version>
    </dependency>

Which get copied into projects main jar as icu4j-23.1.2.jar:

Besides the potential name conflict in 25 years, and the hiding of the real version this triggers CVE checks:

91119 [ERROR] Failed to execute goal org.owasp:dependency-check-maven:9.0.8:aggregate (default-cli) on project de.bdr.bundesportal.leistungsbeantragung: 
91119 [ERROR] 
91119 [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
91119 [ERROR] 
91120 [ERROR] icu4j-23.1.2.jar: CVE-2016-6293(9.8), CVE-2011-4599(7.5), CVE-2016-7415(9.8), CVE-2014-7926(7.5), CVE-2017-17484(9.8), CVE-2017-7867(7.5), CVE-2014-9911(9.8), CVE-2014-7923(7.5), CVE-2020-10531(8.8), CVE-2014-8147(7.5), CVE-2014-9654(9.8), CVE-2014-7940(7.5), CVE-2017-14952(9.8), CVE-2017-7868(7.5), CVE-2014-8146(7.5), CVE-2015-5922(10.0)
91120 [ERROR] 
91120 [ERROR] See the dependency-check report for more details.

PS: Why is it so much larger than the original icu4j?

Steps to reproduce the issue
maven depend on js-community in a Spring Boot project

Describe GraalVM and your environment:

• GraalVM version (latest snapshot builds can be found here), or commit id if built from source: maven > org.graalvm.polyglot > js-community > 23.1.2
• JDK major version: 17

More details
This is obviously a false positive, but now we have to whitelist this jar.
Please improve the name and version.

[chumer]

Besides the potential name conflict in 25 years, and the hiding of the real version this triggers CVE checks:

I agree. I do not know why we decided to use the same artefact name here. We shouldn't have.
@woess Any opinion on changing that?

The size difference is probably missing compression. But I'd need to double check that.
@woess does our shading support compression?

[woess]

@chumer happy to change that, if it solves potential name conflicts. Unfortunately, we'll need to change the artifactId for that.

does our shading support compression?

none of our deployed jars are compressed currently, and shaded jars aren't handled differently. But we can change that for icu4j.

[woess]

@d-schmidt if we changed the name of icu4j-23.1.2.jar to e.g. truffle-icu4j-23.1.2.jar, would that solve the issue or still trigger CVEs?

[d-schmidt]

@woess that should solve the CVE warning, all the tools check the artifact names

[chumer]

To me its weird that they do not use group ids as well to identify artefacts. Artefact names seem quite conflict prone.

[d-schmidt]

I assume some tools check the released production jar or in one case even the docker image where we only have the artifacts. There are no poms anymore.