maven-heaven: Collect list of suspected packages with shading

[pombredanne]

To fine tune our code, we need to collect a list of suspected Maven packages with shading, and other binaries.

The ASF may know of some? So does Maven Central? This will be handy for testing.

We should just list these here in comments for now.

[pombredanne]

Some culprits:

• https://repo1.maven.org/maven2/org/apache/htrace/htrace-core/4.0.0-incubating/ has a bunch of shaded vulnerable packages
• https://repo1.maven.org/maven2/com/sun/jna/jna/3.0.9/ has C code compiled to Elf, Mach-O and WinPE and source is not in the source JAR, only in the upstream git repo

[pombredanne]

• https://repo1.maven.org/maven2/org/apache/tomcat/jakartaee-migration/1.0.9/ has both shaded and not shaded JARs