
[Q] Nacos client 1.x policy and 2.x package mode #9091

Closed
wu-sheng opened this issue Sep 5, 2022 · 16 comments
Labels
area/Client Related to Nacos Client SDK
Milestone

Comments

@wu-sheng
Contributor

wu-sheng commented Sep 5, 2022

Is your feature request related to a problem? Please describe.
The SkyWalking community received a CVE report due to a Nacos client CVE issue. 1.x does not seem to be released by the Nacos team, so we may not be able to find a version to upgrade to.

When we consider v2 as an option, we noticed

they started to package all dependencies by shading them into their client SDK, so the package becomes really large; what's more, the dependencies that are packed into the SDK also have CVEs, so we have literally NO way to upgrade them.

This means, on one side, we have to depend on a new Nacos release to fix this CVE, rather than using dependency management to override it; on the other side, using a shaded uber jar would be an issue for another OSS project like SkyWalking. This would increase our binary tar a lot, and make it hard to observe the dependencies' licenses as they could be changed without any update.

Describe the solution you'd like
Could Nacos 1.x release a CVE release or could nacos 2.x release a pure Nacos client jar with dependencies in the pom only w/o shaded dependencies?


@KomachiSion
Collaborator

KomachiSion commented Sep 6, 2022

I see the issues and the CVE. I think it's not a client problem. Nacos uses a default value as the token generator; users can avoid it by setting the default token when they set up the cluster.

The issue author has provided a solution in #7182.

About releasing a 2.x client without shaded dependencies: it can be considered.

@KomachiSion KomachiSion added the area/Client Related to Nacos Client SDK label Sep 6, 2022
@KomachiSion KomachiSion added this to the 2.1.2 milestone Sep 6, 2022
@wu-sheng
Contributor Author

wu-sheng commented Sep 6, 2022

> I see the issues and the CVE. I think it's not a client problem. Nacos uses a default value as the token generator; users can avoid it by setting the default token when they set up the cluster.
> The issue author has provided a solution in #7182.

Thanks for the explanation, then maybe some security tools report this incorrectly.

@wu-sheng
Contributor Author

wu-sheng commented Sep 6, 2022

> About releasing a 2.x client without shaded dependencies: it can be considered.

Should we keep this issue open for a conclusion about this consideration?

@KomachiSion
Collaborator

> About releasing a 2.x client without shaded dependencies: it can be considered.
>
> Should we keep this issue open for a conclusion about this consideration?

Sure. In fact, releasing a client without shaded dependencies is easy. The discussion point is which one uses the nacos-client artifactId.
If the simple client uses the nacos-client artifactId, most users will solve the dependency conflicts about grpc and netty.

So I think the shaded client should still use the nacos-client artifactId, and the simple client should use a new artifactId like nacos-client-simple.

@kezhenxu94

> About releasing a 2.x client without shaded dependencies: it can be considered.
>
> Should we keep this issue open for a conclusion about this consideration?
>
> Sure. In fact, releasing a client without shaded dependencies is easy. The discussion point is which one uses the nacos-client artifactId.
>
> If the simple client uses the nacos-client artifactId, most users will solve the dependency conflicts about grpc and netty.
>
> So I think the shaded client should still use the nacos-client artifactId, and the simple client should use a new artifactId like nacos-client-simple.

Another idea is to use a different version format, like 2.4.0-with-dependencies and 2.4.0, or 2.4.0 and 2.4.0-without-dependencies. So when users upgrade they can be aware that there are two variants of the new versions.

@KomachiSion
Collaborator

The new idea is to use a classifier, like

        <dependency>
            <groupId>com.alibaba.nacos</groupId>
            <artifactId>nacos-client</artifactId>
            <version>2.1.2</version>
            <classifier>pure</classifier>
        </dependency>

If no classifier is set, the default shaded version is used.

@wu-sheng
Contributor Author

@kezhenxu94 Does this work for us? Should we consider bumping up?

@wu-sheng
Contributor Author

@KomachiSion Is 2.1.2 going to release soon? I would post an issue on SkyWalking issue list to see who could help to bump up to the latest release.

@kezhenxu94

> @kezhenxu94 Does this work for us? Should we consider bumping up?

I'm tracking this, but since 2.1.2 is not yet released, I can bump up to 2.1.2 when it's released.

@KomachiSion
Collaborator

> @KomachiSion Is 2.1.2 going to release soon? I would post an issue on the SkyWalking issue list to see who could help to bump up to the latest release.

Yes, we plan to release it this month.

@KomachiSion
Collaborator

KomachiSion commented Oct 17, 2022

Version 2.1.2 has been released.

How to use the pure SDK has been added to the documentation: https://nacos.io/en-us/docs/sdk.html

@kezhenxu94

    <!-- Same version of nacos-api and nacos-common must be introduced for pure SDK, otherwise there may be a problem that the class cannot be found at runtime -->

This looks weird to me as "pure" means the dependency doesn't include third-party dependencies, but I suppose it includes "self dependencies" like nacos-common / nacos-api.

@KomachiSion
Collaborator

Because the shaded version and the pure version share the same pom file, and the shaded version shades api and common into the client, the pom dependencies are optional.

The pure version should depend on them itself. Using the pure version requires the user to set the classifier, and to add an api and common dependency.
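The pure-classifier setup described in this thread, written out as an added example pom fragment (it is not from the Nacos documentation or from anyone in this thread): the classifier selects the unshaded jar, nacos-api and nacos-common are pinned to the same version through one property, and dependencyManagement pins the transitive gRPC/Netty versions, which is the override the shaded jar does not allow. The grpc and netty versions are placeholders to be replaced with whatever your scanner or advisory asks for.

```xml
<project>
  <properties>
    <!-- One property keeps client, api and common at the same version,
         which the Nacos docs require for the pure SDK -->
    <nacos.version>2.1.2</nacos.version>
    <!-- Placeholders: set these to the versions your vulnerability scanner asks for -->
    <grpc.version>X.Y.Z</grpc.version>
    <netty.version>X.Y.Z</netty.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- These pins only take effect with the pure client: the shaded jar bundles
           its own copies of gRPC/Netty, which Maven dependency management cannot replace -->
      <dependency>
        <groupId>io.grpc</groupId>
        <artifactId>grpc-bom</artifactId>
        <version>${grpc.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The pure classifier selects the unshaded client jar -->
    <dependency>
      <groupId>com.alibaba.nacos</groupId>
      <artifactId>nacos-client</artifactId>
      <version>${nacos.version}</version>
      <classifier>pure</classifier>
    </dependency>
    <!-- Explicit api and common, since the pure jar does not carry them -->
    <dependency>
      <groupId>com.alibaba.nacos</groupId>
      <artifactId>nacos-api</artifactId>
      <version>${nacos.version}</version>
    </dependency>
    <dependency>
      <groupId>com.alibaba.nacos</groupId>
      <artifactId>nacos-common</artifactId>
      <version>${nacos.version}</version>
    </dependency>
  </dependencies>
</project>
```

Run `mvn dependency:tree -Dincludes=io.grpc,io.netty` afterwards to confirm the resolved gRPC/Netty versions are the pinned ones rather than the ones nacos-client declares.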

@KomachiSion
Collaborator

I think the issue has been solved since 2.1.2 was released, so I will close the issue and the related milestone.
If there are some problems with the 2.1.2 client, I think we should submit a new issue.

@wu-sheng
Contributor Author

Hi @KomachiSion, yesterday we just realized this would somehow block Maven (mvnw). We still can't find out the reason yet.

apache/skywalking#9799
