Remove <pkg.skip.bootjar>false</pkg.skip.bootjar> from all child
module <properties> blocks. The root POM already defaults it to false,
and child declarations block the skip-pkg profile override, so
-Dpkg.skip=true was never actually skipping spring-boot:repackage.
Also remove the unused surefire.version property (superseded by
maven-surefire-plugin.version).
The docker-info artifact type was produced by the removed
dockerfile-maven-plugin. Replace with pom type since the
upstream docker modules use pom packaging. This preserves
the reactor ordering dependency.
The com.spotify:dockerfile-maven-plugin:1.4.13 is deprecated and broken
on modern macOS (Apple Silicon) due to its Java HTTP client being
incompatible with current Docker Desktop socket/API.
Replace the Java-based plugin with exec-maven-plugin calling the docker
CLI directly — the same approach already used by the multiarch push
profiles (push-docker-amd-arm-images).
All existing Maven property contracts preserved:
- dockerfile.skip (default true) controls docker build
- push-docker-image profile for single-arch push
- push-docker-amd-arm-images profiles unchanged (already use exec)
Introduces four independent flags to skip individual packaging artifacts:
-Dpkg.skip.bootjar=true skip spring-boot repackage (*-boot.jar)
-Dpkg.skip.deb=true skip Gradle buildDeb + Maven attach-artifact
-Dpkg.skip.rpm=true skip Gradle buildRpm
-Dpkg.skip.zip=true skip maven-assembly-plugin Windows ZIP
Adds -Dpkg.skip=true as a single convenience flag that sets all four
at once. msa/pom.xml mirrors the skip-pkg profile to override its own
<pkg.deb.phase>package</pkg.deb.phase> property (child POM properties
have higher priority than parent profile properties in Maven).
msa/* docker modules used ${basedir}/../.. (non-canonical) for main.dir.
maven-enforcer-plugin 3.5.0's osIndependentNameMatch() compares
file.toURI() vs file.getCanonicalFile().toURI() — these differ when the
path contains '..', causing RequireFilesExist to report false-negative.
Fix: replace ${basedir}/../.. with ${maven.multiModuleProjectDirectory}.
- Use kebab-case 'report-only' in web-ui configs to match thingsboard.yml
- Add log.warn for unrecognized X-Frame-Options values in customizer
- Replace @Configuration with @Component on HttpSecurityHeadersProperties
- Add comment explaining '!== false' vs truthiness pattern in server.ts
Fix security issues from penetration test report:
- M2: Add configurable X-Frame-Options and CSP headers (disabled by default)
- L2: Add X-Content-Type-Options and Referrer-Policy headers (enabled by default)
- L3: Make CORS allowed-origin-patterns configurable via TB_CORS_* env vars
Root cause: ThingsboardSecurityConfiguration called .disable() on the entire
HeadersConfigurer, which removed ALL security headers including Cache-Control.
Fix uses defaultsDisabled() + selective header enablement via a new
HttpSecurityHeadersCustomizer component.
Both Spring Boot (tb-node) and Express.js (web-ui) share the same
SECURITY_HEADERS_* environment variables for consistent configuration
across monolith and microservice deployments.
When building with -T6, multiple JS modules run yarn install concurrently.
The --mutex network flag serializes yarn processes, but if node_modules from
a previous build (or a different branch/version) is left on disk, yarn may
skip reinstalling packages — including devDependencies — treating the stale
state as up-to-date. This causes tools like tsc to be missing at build time.
Configure maven-clean-plugin to delete node_modules during mvn clean for
all JS modules (ui-ngx, msa/js-executor, msa/web-ui). Yarn restores from
its global cache (~/.cache/yarn), so the overhead is relinking only.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Viacheslav Klimov
Vladyslav_Prykhodko
Sergey Matvienko
dashevchenko
IrynaMatveieva