Remove unused dependencies from quarkus production image

Solution Verified - Updated -

Issue

  • We use quarkus 2.7.5 and use mvn for building our service. We use liquibase for unit testing (mvn test) and in dev mode with h2 database (mvn quarkus:dev). For production we create docker image and do not use liquibase packaged in service.
    How to remove liquibase libraries packaged in service. With recent liquibase CVE-2022-0839, we wanted to reduce the number of packages or libraries in my service image to reduce surface of attack.

  • I see these two files in target folder, how to remove them.

ls -l target/quarkus-app/lib/main/*liquibase*
-rw-rw-r--. 1 vagrant vagrant   33557 Aug 10 13:54 target/quarkus-app/lib/main/io.quarkus.quarkus-liquibase-2.7.6.Final.jar
-rw-rw-r--. 1 vagrant vagrant 6647613 Aug 10 13:54 target/quarkus-app/lib/main/org.liquibase.liquibase-core-4.7.1.jar

Environment

  • Red Hat build of Quarkus
    • 2.7.5

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content