From 6b2c652ea0aa8aa14e7d7113e6d7cbf83ec76230 Mon Sep 17 00:00:00 2001
From: Yashwant
Date: Mon, 30 Dec 2024 22:47:29 +0530
Subject: [PATCH 1/2] exclude protobuf deps

---
 javaagent/build.gradle.kts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/javaagent/build.gradle.kts b/javaagent/build.gradle.kts
index 076c4126..144f7d0e 100644
--- a/javaagent/build.gradle.kts
+++ b/javaagent/build.gradle.kts
@@ -58,6 +58,9 @@ tasks {
  // exclude because it would be shaded twice and the META-INF/services/ would be io.opentelemetry.javaagent.shaded.io.grpc
  exclude("inst/META-INF/services/io.grpc*")
  }
+ // Fix CVE-2024-7254, opentelemetry-javaagent brings in io.prometheus.metrics which uses deps of high vulnerability protobuf-java version
+ // This was fixed in 2.x.x versions of opentelemetry-javaagent(which needs us to upgrade from 1.33.0)
+ exclude("inst/io/prometheus/metrics/shaded/com_google_protobuf_3_21_7/**")
  exclude("**/module-info.class")
  manifest {
  attributes.put("Implementation-Title", "javaagent")

From 02c4dabe3ecb8a5f266f2075263b86c7954ec120 Mon Sep 17 00:00:00 2001
From: Yashwant
Date: Fri, 17 Jan 2025 19:10:47 +0530
Subject: [PATCH 2/2] adding TODO statement

---
 javaagent/build.gradle.kts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/javaagent/build.gradle.kts b/javaagent/build.gradle.kts
index 144f7d0e..0137a2f3 100644
--- a/javaagent/build.gradle.kts
+++ b/javaagent/build.gradle.kts
@@ -60,6 +60,7 @@ tasks {
  }
  // Fix CVE-2024-7254, opentelemetry-javaagent brings in io.prometheus.metrics which uses deps of high vulnerability protobuf-java version
  // This was fixed in 2.x.x versions of opentelemetry-javaagent(which needs us to upgrade from 1.33.0)
+ // TODO: Remove this exclusion after otel-javaagent upgrade which has CVE-2024-7254 fix
  exclude("inst/io/prometheus/metrics/shaded/com_google_protobuf_3_21_7/**")
  exclude("**/module-info.class")
  manifest {
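Review bot: The added `exclude("inst/io/prometheus/metrics/shaded/com_google_protobuf_3_21_7/**")` deletes the shaded protobuf classes from the jar rather than replacing them with a patched build, so any `io.prometheus.metrics` code path that still loads those classes (presumably the Prometheus protobuf exposition format) would fail at runtime with `NoClassDefFoundError` instead of being fixed; the commit does not say whether that path is reachable in this agent, so that should be verified and recorded next to the exclusion, e.g. `// NOTE: strips the classes rather than patching them; verified no io.prometheus.metrics path in this agent loads the shaded protobuf — revisit if the Prometheus exporter is enabled`. The pattern is also pinned to the directory name `com_google_protobuf_3_21_7`, so a future otel-javaagent bump that renames the shaded package while still on a vulnerable protobuf would turn the exclusion into a silent no-op and the classes would come back unnoticed. A `doLast` guard on the same task that fails the build when any `com_google_protobuf_*` entries remain under that path makes the exclusion self-checking; it will also fail loudly once the upgrade named in the TODO lands, which is the right moment to delete both the exclusion and the guard. The enclosing task block starts before and ends after this hunk, so the guard is placed after the existing `manifest { … }` configuration.
```kotlin
      exclude("inst/io/prometheus/metrics/shaded/com_google_protobuf_3_21_7/**")
      // … unchanged: exclude("**/module-info.class"), manifest { … } …
      doLast {
        // Guard for the CVE-2024-7254 exclusion above: fail if a renamed shaded
        // protobuf package slipped past the version-pinned pattern.
        val leaked = zipTree(archiveFile).matching {
          include("inst/io/prometheus/metrics/shaded/com_google_protobuf_*/**")
        }.files
        check(leaked.isEmpty()) {
          "Shaded protobuf classes still present in the javaagent jar: ${leaked.take(5)}"
        }
      }
```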