OBSDATA-3298: part 1: replace grpc protobuf to address CVEs (#176)
* replace grpc protobuf to address CVEs

* add grpc to ignore list of maven dependency tool

* add additional dependencies to ignore list

---------

Co-authored-by: Parth Agrawal <[email protected]>
janjwerner-confluent and pagrawal10 authored Jan 3, 2024
1 parent 688e2a6 commit d242285
Showing 1 changed file with 24 additions and 0 deletions.
24 changes: 24 additions & 0 deletions extensions-contrib/opencensus-extensions/pom.xml
@@ -47,8 +47,17 @@
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</exclusion>
<exclusion>
<groupId>io.grpc</groupId>
<artifactId>grpc-protobuf</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-protobuf</artifactId>
<version>1.60.0</version>
</dependency>
<dependency>
<groupId>org.apache.druid</groupId>
<artifactId>druid-processing</artifactId>
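Review bot: `<version>1.60.0</version>` on the new io.grpc:grpc-protobuf dependency is hard-coded in this module's pom, so it can drift from the version the other io.grpc artifacts resolve to (the second hunk names io.grpc:grpc-netty-shaded as a transitive dependency), and mixed gRPC versions on one classpath are a common cause of runtime linkage errors. Consider taking the version from a shared property or a dependencyManagement entry (importing io.grpc:grpc-bom is one option) so all gRPC modules move together. An XML comment next to the `<exclusion>` naming the CVEs being addressed would also tell the next maintainer when the exclusion and the override can be dropped; the commit message only says "address CVEs".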
@@ -133,6 +142,21 @@
</dependency>
</dependencies>
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<configuration>
<!-- analyze incorrectly flags this dependency as missing when omitted, and unused when declared -->
<ignoredDependencies>io.grpc:grpc-protobuf</ignoredDependencies>
<!-- Transitive dependencies from opentelemetry but explicitly added to be shadowed -->
<ignoredUnusedDeclaredDependency>io.grpc:grpc-netty-shaded</ignoredUnusedDeclaredDependency>
<ignoredUnusedDeclaredDependency>com.google.guava:guava</ignoredUnusedDeclaredDependency>
</configuration>
</plugin>
</plugins>
</pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
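Review bot: the two `<ignoredUnusedDeclaredDependency>` elements sit directly under `<configuration>`, but the maven-dependency-plugin analyze goals take that list through the plural `<ignoredUnusedDeclaredDependencies>` parameter with the singular elements nested inside it, so as written they may not bind to any parameter and could be silently ignored. Wrap them in the plural element and confirm with a run of the analyze goal that io.grpc:grpc-netty-shaded and com.google.guava:guava are actually skipped. The comment above them says these were "explicitly added to be shadowed", yet neither is declared as a dependency in the visible hunks (guava is only excluded in the first one), so it is worth checking whether these two ignores belong in this module at all. Because `<ignoredDependencies>io.grpc:grpc-protobuf</ignoredDependencies>` turns off both the undeclared and the unused checks for the pinned artifact, add a note on when it can be removed, otherwise the override will outlive the CVE fix unnoticed.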