Closed edyu002 closed 7 months ago
Version 0.16.0 of the telemetry sdk already uses okhttp 4.12.0. https://github.com/newrelic/newrelic-telemetry-sdk-java/blob/d0a86c94c33bdb8a64d936b8515ab8a4eca8000f/gradle.properties#L31
Hi, Andre;
The version 0.16.0 still reports this:
https://security.snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744
Is there any plan to fix this?
--Ed Yu
On Mon, Feb 26, 2024 at 7:29 AM André Onuki @.***> wrote:
Version 0.16.0 of the telemetry sdk already uses okhttp 4.12.0.
Unfortunately, there is no version of kotlin-stdlib that has a fix.
As a workaround if you are using Java 11+ you can use com.newrelic.telemetry:telemetry-http-java11 instead of com.newrelic.telemetry:telemetry-http-okhttp.
You'd also have to change the TelemetryClient initialization code to use the other provider.
Thanks for the reply. Unfortunately, our product New Relic monitoring for SAP is targeting SAP environments, which still use Java 8. I read somewhere that OkHttp 5.0 stopped using the Kotlin library and this issue is fixed. However, it looks like OkHttp 5.0 is still in alpha release stage. Do we have any plans to go to OkHttp 5.0?
Best --Ed Yu
On Mon, Feb 26, 2024 at 1:06 PM André Onuki @.***> wrote:
Unfortunately, there is no version of kotlin-stdlib that has a fix.
As a workaround if you are using Java 11+ you can use com.newrelic.telemetry:telemetry-http-java11 instead of com.newrelic.telemetry:telemetry-http-okhttp. You'd also have to change the TelemetryClient initialization code to use the other provider.
When it is GA.
Snyk scan of newrelic-telemetry-sdk-java is reporting com.squareup.okhttp3:okhttp@4.9.0 vulnerabilities. https://security.snyk.io/package/maven/com.squareup.okhttp3:okhttp/4.9.0
Request to upgrade com.squareup.okhttp3 to a non-vulnerable version.