newrelic / newrelic-telemetry-sdk-java

Java library for sending telemetry data to New Relic
Apache License 2.0

Need to upgrade OKHTTP versions #316

Closed edyu002 closed 7 months ago

edyu002 commented 7 months ago

Snyk scan of newrelic-telemetry-sdk-java is reporting com.squareup.okhttp3:okhttp@4.9.0 vulnerabilities. https://security.snyk.io/package/maven/com.squareup.okhttp3:okhttp/4.9.0

Request to upgrade com.squareup.okhttp3 to a non-vulnerable version.

workato-integration[bot] commented 7 months ago

https://new-relic.atlassian.net/browse/NR-232712

meiao commented 7 months ago

Version 0.16.0 of the telemetry sdk already uses okhttp 4.12.0. https://github.com/newrelic/newrelic-telemetry-sdk-java/blob/d0a86c94c33bdb8a64d936b8515ab8a4eca8000f/gradle.properties#L31

edyu002 commented 7 months ago

Hi, Andre;

Version 0.16.0 still reports this:

https://security.snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744

Is there any plan to fix this?

--Ed Yu

meiao commented 7 months ago

Unfortunately, there is no version of kotlin-stdlib that has a fix.

As a workaround if you are using Java 11+ you can use com.newrelic.telemetry:telemetry-http-java11 instead of com.newrelic.telemetry:telemetry-http-okhttp. You'd also have to change the TelemetryClient initialization code to use the other provider.
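As an added illustration of the workaround above (example code, not code from the newrelic-telemetry-sdk-java project): swapping the HTTP provider module and the TelemetryClient initialization, with a fail-fast guard for the Java 8 case. The Gradle coordinates, the Java11HttpPoster class name, the BaseConfig constructor and the TelemetryClient.create(Supplier, BaseConfig) signature are assumptions to verify against the SDK release in use.

```java
// Added example (not code from the newrelic-telemetry-sdk-java project): wiring the
// TelemetryClient to the Java 11 HTTP provider instead of the OkHttp one, which keeps
// okhttp and its kotlin-stdlib transitive dependency off the runtime classpath.
//
// build.gradle change (assumed coordinates, following the artifact names in the thread):
//   - implementation 'com.newrelic.telemetry:telemetry-http-okhttp:0.16.0'
//   + implementation 'com.newrelic.telemetry:telemetry-http-java11:0.16.0'
//
// Assumed SDK API (check against the release you use): Java11HttpPoster and OkHttpPoster
// both implement HttpPoster, BaseConfig takes the API key, and
// TelemetryClient.create(Supplier<HttpPoster>, BaseConfig) builds the client.
import com.newrelic.telemetry.BaseConfig;
import com.newrelic.telemetry.Java11HttpPoster;
import com.newrelic.telemetry.TelemetryClient;

public final class TelemetryClientFactory {

  /** Parses java.specification.version ("1.8", "11", "17") into a major version number. */
  static int javaMajorVersion() {
    String spec = System.getProperty("java.specification.version");
    if (spec.startsWith("1.")) {
      spec = spec.substring(2); // "1.8" -> "8"
    }
    return Integer.parseInt(spec);
  }

  /** Builds a TelemetryClient on the java11 provider, failing fast on older JVMs. */
  public static TelemetryClient create(String apiKey) {
    int major = javaMajorVersion();
    if (major < 11) {
      // The java11 provider cannot load on Java 8; surface that at startup, not on first send.
      throw new IllegalStateException(
          "telemetry-http-java11 requires Java 11+, but this JVM is Java " + major);
    }
    // Same call shape as with OkHttpPoster::new; only the provider supplier changes.
    return TelemetryClient.create(Java11HttpPoster::new, new BaseConfig(apiKey));
  }

  private TelemetryClientFactory() {}
}
```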

edyu002 commented 7 months ago

Thanks for the reply. Unfortunately, our product New Relic monitoring for SAP is targeting SAP environments, which still use Java 8. I read somewhere that OkHttp 5.0 stopped using the kotlin library and this issue is fixed. However, it looks like OkHttp 5.0 is still in alpha release stage. Do we have any plans to go to OkHttp 5.0?

Best --Ed Yu

meiao commented 7 months ago

When it is GA.