Open ghevge opened 3 years ago
+1
This has been bumped in version 3.3.3 but has not been released to MVN Central - seemingly because of a CICD failure(?)
Any progress? opentracing-spring-jaeger-cloud-starter:3.3.1 is still the latest version on Maven Central.
Also interested in the progression of this issue. Does anyone know of a smart workaround to implement libthrift 0.14.0+ while still using opentracing-spring-jaeger-web-starter 3.3.1?
We also have the same issue with libthrift-0.13.0.jar; org.owasp:dependency-check reports CVE-2020-13949. I have added the following two dependencies manually and that seems to work:
implementation("org.apache.thrift:libthrift:0.15.0")
implementation("io.jaegertracing:jaeger-thrift:1.7.0")
I also had the same issue, reported on Nexus IQ, and managed to get version 3.3.1 working by including an updated jaeger client in my project pom.xml:
    <dependency>
        <groupId>io.opentracing.contrib</groupId>
        <artifactId>opentracing-spring-jaeger-web-starter</artifactId>
        <version>3.3.1</version>
    </dependency>
    <dependency>
        <groupId>io.jaegertracing</groupId>
        <artifactId>jaeger-client</artifactId>
        <version>1.8.0</version>
    </dependency>
Additional Notes from #133: As mentioned by @Harmelodic, the recommendation is to move to OpenTelemetry. I just wanted to share for those who still have a legacy jaeger backend without support for OpenTelemetry client or for whatever reason need to use the jaeger client for now. This overrides the problematic jaeger-client included in 3.3.1. Kindly consider that this is a temporary workaround.
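One way to confirm that an override like the two above actually took effect, as an added example that is not part of the thread or the project: this Python script reads `mvn dependency:tree` output and reports every resolved `org.apache.thrift:libthrift` older than 0.14.0, together with the path that pulled it in. The `com.example:demo` project and both sample trees are constructed, with intermediate artifacts omitted.

```python
import re

TARGET = ("org.apache.thrift", "libthrift")
FIXED_IN = (0, 14, 0)  # per the thread: resolved in libthrift 0.14.0 and later
COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")  # group:artifact:type[:classifier]:version[:scope]

def version_tuple(version):
    """Numeric prefix of a version: '0.14.0-SNAPSHOT' -> (0, 14, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def find_vulnerable(tree_text):
    """Return (version, dependency path) for every libthrift older than FIXED_IN."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
        m = COORD.search(body)
        if not m:
            continue
        parts = m.group(0).split(":")
        # The root line has no scope, so its version is the last field.
        version = parts[-1] if len(parts) == 4 else parts[-2]
        depth = m.start() // 3  # the tree is drawn with 3 columns per nesting level
        del stack[depth:]       # drop siblings and deeper nodes from the current path
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        if (parts[0], parts[1]) == TARGET and version_tuple(version) < FIXED_IN:
            findings.append((version, " -> ".join(stack)))
    return findings

# Constructed sample output (intermediate artifacts omitted), before any override.
BEFORE = r"""
[INFO] com.example:demo:jar:1.0.0
[INFO] \- io.opentracing.contrib:opentracing-spring-jaeger-web-starter:jar:3.3.1:compile
[INFO]    \- org.apache.thrift:libthrift:jar:0.13.0:compile
"""
# Constructed sample output with libthrift 0.15.0 and jaeger-thrift 1.7.0 declared directly.
AFTER = r"""
[INFO] com.example:demo:jar:1.0.0
[INFO] +- io.opentracing.contrib:opentracing-spring-jaeger-web-starter:jar:3.3.1:compile
[INFO] +- org.apache.thrift:libthrift:jar:0.15.0:compile
[INFO] \- io.jaegertracing:jaeger-thrift:jar:1.7.0:compile
"""

if __name__ == "__main__":
    for name, tree in (("before", BEFORE), ("after", AFTER)):
        hits = find_vulnerable(tree)
        print(name, "OK" if not hits else hits)
```

A clean result only shows which libthrift version was resolved; whether the starter still runs against it, given the missing-method failure described in the original report, needs an application test.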
Veracode is reporting the following security flaw in libthrift-0.13.0.jar, a dependency of opentracing-spring-jaeger-web-starter 3.3.1:
Any chance to have this library bumped up? There are newer versions available. The problem was resolved in libthrift-0.14.0.jar +
I've tried to do this upgrade manually at my project .pom level, but it seems opentracing-spring-jaeger-web-starter 3.3.1 tries to call a method that is not available anymore in libthrift-0.14.0.jar.
Thanks