Zipkin Reporter 2.17.0

@codefromthecrypt codefromthecrypt released this 15 Dec 00:16
· 60 commits to master since this release

Zipkin Reporter v2.17.0 updates default versions of dependencies so that CVE scanners like trivy pass by default. Details below for the interested.

For example, trivy is now clean.

$ trivy -q --skip-files "**/src/it/*/pom.xml" repo https://github.com/openzipkin/zipkin-reporter-java

To do this, and based on user demand, we had to change some default practices in our senders (the transport plug-ins for sending spans to a Zipkin-compatible endpoint). Here is a summary of each and how versions are handled.

  • activemq-client - Note that the recently released 6.x version is not compatible with 5.x due to the package import change from javax.jms to jakarta.jms. Raise an issue if you need a later client, as it will require a copy of the entire module to resolve.
  • amqp-client (rabbitmq) - The 4.x version is no longer maintained, so we set a 5.x version and test the old one.
  • kafka - the kafka-clients driver has not had any known compatibility problems, so we've left it as-is.
  • libthrift (scribe) - libthrift (used for the deprecated scribe transport) has never released a 1.0 version, so it occasionally causes revlocks. @zhfeng noticed this in Apache Camel, as updating past the 4-year-old 0.13 was impossible to work around. Luckily, versions after that seem compatible with each other.
  • okhttp3 - The 3.x version is no longer maintained, so we set a 4.x version and test the old one. Thanks @evantorrie for explaining why this is important and @shakuzen for helping in the discussion.

While not end-user affecting, we have also migrated from JUnit 4 to JUnit 5, thanks to OpenRewrite recipes from @TeamModerne. Also, we use docker images to test all messaging transports. This ensures compatibility with upstream in transparent ways, and also removes classpath conflicts from java-based messaging transports such as ActiveMQ and Kafka.

Thanks a lot to @anuraaga for copious support work on this release, as well.

Full Changelog: 2.16.5...2.17.0

Note: To pass Trivy at the moment, we have to skip old versions used only for compatibility testing. There is a discussion about making this default.