updates docker and library dependencies to the latest version (#224)

Signed-off-by: Adrian Cole <[email protected]>
Co-authored-by: Andriy Redko <[email protected]>

Author: codefromthecrypt

.github/workflows/security.yml

@@ -3,6 +3,7 @@ name: security
 
 # We don't scan documentation-only commits.
 on:  # yamllint disable-line rule:truthy
+  workflow_dispatch: # trigger ad-hoc runs of this action
   push:  # non-tagged pushes to master
     branches:
       - master

.mvn/wrapper/maven-wrapper.jar

@@ -14,5 +14,7 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.6/apache-maven-3.9.6-bin.zip
-wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar
+wrapperVersion=3.3.2
+distributionType=bin
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar

.mvn/wrapper/maven-wrapper.properties

@@ -24,7 +24,7 @@
     <!-- CVE fix versions -->
     <!-- TODO: considering switching to something that doesn't use scala, such
          as testcontainers+localstack, as CVEs are common here. -->
-    <scala.version>2.13.14</scala.version>
+    <scala.version>2.13.16</scala.version>
 
     <!-- Only used in this repo's tests, which use floor JDK 17 -->
     <maven.compiler.source>17</maven.compiler.source>
@@ -64,7 +64,7 @@
     <dependency>
       <groupId>org.elasticmq</groupId>
       <artifactId>elasticmq-server_2.13</artifactId>
-      <version>1.6.1</version>
+      <version>1.6.11</version>
       <exclusions>
         <exclusion>
           <groupId>ch.qos.logback</groupId>

aws-junit/pom.xml

@@ -68,7 +68,7 @@
     <dependency>
       <groupId>uk.org.webcompere</groupId>
       <artifactId>system-stubs-jupiter</artifactId>
-      <version>2.1.6</version>
+      <version>2.1.7</version>
       <scope>test</scope>
     </dependency>
   </dependencies>

brave/instrumentation-aws-java-sdk-core/pom.xml

@@ -3,7 +3,7 @@ services:
   # TODO: this will pass because X-Ray just sends UDP at the moment.
   # Authenticate and use the other modules: sqs,kinesis,elasticsearch
 
-  # Use fixed service and container name 'sut; so our test script can copy/pasta
+  # Use fixed service and container name sut; so our test script can copy/pasta
   sut:
     # This is the image just built. It is not in a remote repository.
     image: openzipkin/zipkin-aws:test

build-bin/docker-compose-zipkin-aws-unauthenticated.yml

@@ -58,7 +58,7 @@ fi
 
 if ! test -f ${artifact_id}.jar && [ ${is_release} = "true" ]; then
   mvn_get="mvn -q --batch-mode -Denforcer.fail=false \
-  org.apache.maven.plugins:maven-dependency-plugin:3.6.1:get \
+  org.apache.maven.plugins:maven-dependency-plugin:3.8.1:get \
   -Dtransitive=false -DgroupId=${group_id} -DartifactId=${artifact_id} -Dversion=${version}"
 
   if [ -n "${classifier}" ]; then

build-bin/maven/maven_unjar

@@ -25,6 +25,9 @@
     <maven.compiler.source>17</maven.compiler.source>
     <maven.compiler.target>17</maven.compiler.target>
     <maven.compiler.release>17</maven.compiler.release>
+
+    <!-- Avoid CVEs in kinesis deps -->
+    <protobuf.version>3.25.5</protobuf.version>
   </properties>
 
   <dependencies>
@@ -38,7 +41,19 @@
     <dependency>
       <groupId>com.amazonaws</groupId>
       <artifactId>amazon-kinesis-client</artifactId>
-      <version>1.15.1</version>
+      <version>1.15.2</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.google.protobuf</groupId>
+          <artifactId>protobuf-java</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java</artifactId>
+      <version>${protobuf.version}</version>
     </dependency>
 
     <dependency>

collector/kinesis/pom.xml

@@ -42,7 +42,7 @@
     <dependency>
       <groupId>javax.xml.bind</groupId>
       <artifactId>jaxb-api</artifactId>
-      <version>2.2.12</version>
+      <version>2.3.1</version>
       <scope>provided</scope>
     </dependency>
 

collector/sqs/pom.xml

@@ -4,14 +4,14 @@
 #
 
 # zipkin version should match zipkin.version in /pom.xml
-ARG zipkin_version=3.4.0
+ARG zipkin_version=3.5.0
 
 # java_version is used during the installation process to build or download the module jar.
 #
 # Use latest version here: https://github.com/orgs/openzipkin/packages/container/package/java
 # This is defined in many places because Docker has no "env" script functionality unless you use
 # docker-compose: When updating, update everywhere.
-ARG java_version=21.0.3_p9
+ARG java_version=21.0.6_p7
 
 # We copy files from the context into a scratch container first to avoid a problem where docker and
 # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.

docker/Dockerfile

@@ -28,6 +28,14 @@
 
   <dependencyManagement>
     <dependencies>
+      <!-- Avoid CVEs in armeria deps -->
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-bom</artifactId>
+        <version>${netty.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.dataformat</groupId>
         <artifactId>jackson-dataformat-cbor</artifactId>