
Exclude netty http modules from shading #2531

Merged: 1 commit merged into micrometer-metrics:1.5.x from exclude-netty-http on Mar 24, 2021

Conversation

shakuzen (Member)

@shakuzen shakuzen commented Mar 24, 2021

We do not use HTTP in the StatsD registry implementation, so we would avoid some of the pain of false positive CVE detection on our shaded netty dependencies by excluding HTTP-related modules we don't use. This will also reduce the size of the statsd registry artifact.

See #2525

@shakuzen added the labels enhancement (A general enhancement), registry: statsd (A StatsD Registry related issue) and build (A change in our build-system) on Mar 24, 2021
@shakuzen shakuzen added this to the 1.5.13 milestone Mar 24, 2021
We do not use HTTP in the StatsD registry implementation, so we would avoid some of the pain of false positive CVE detections on our shaded netty dependencies by excluding those we don't use.
@shakuzen (Member, Author)

@violetagg would you mind letting me know if this seems reasonable? This branch is on reactor-netty 0.9.x and we don't use the HttpClient or any servers; only UdpClient/TcpClient. On our main branch, we plan to use reactor-netty-core when we upgrade to 1.0.x to avoid the HTTP stuff we don't use.

@violetagg (Contributor)

@violetagg would you mind letting me know if this seems reasonable? This branch is on reactor-netty 0.9.x and we don't use the HttpClient or any servers; only UdpClient/TcpClient. On our main branch, we plan to use reactor-netty-core when we upgrade to 1.0.x to avoid the HTTP stuff we don't use.

That's exactly the reason for separating Reactor Netty into modules.

@shakuzen shakuzen merged commit a6198da into micrometer-metrics:1.5.x Mar 24, 2021
@shakuzen shakuzen deleted the exclude-netty-http branch March 24, 2021 16:03
@shakuzen changed the title from "Exclude netty http modules" to "Exclude netty http modules from shading" on Mar 24, 2021

stevefranchak commented Dec 21, 2021

Did #2588 undo excluding netty http codec modules, and, if so, was that intentional?

I updated micrometer-registry-statsd from 1.7.6 to 1.8.1 and noticed that io/micrometer/shaded/io/netty/handler/codec/http is being included in the JAR file. Previously, I was able to write off CVEs like CVE-2021-43797 as a false positive because the http modules weren't being included, but that's not possible for me to justify anymore if I update to micrometer-registry-statsd >= 1.8.0.
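A triage check along the lines of the comment above, added here as an example (it is not micrometer's own code): it opens a registry jar and reports which netty packages are actually relocated under the shaded prefix named in the comment, which is the evidence needed to record a netty HTTP codec finding as not applicable to this artifact. The two jars below are constructed in-memory stand-ins, not real micrometer releases.

```python
import io
import zipfile
from collections import Counter

# Prefix under which micrometer-registry-statsd relocates netty classes
# (path taken from the comment above) and the HTTP codec package below it.
SHADED_NETTY_PREFIX = "io/micrometer/shaded/io/netty/"
HTTP_CODEC_PREFIX = SHADED_NETTY_PREFIX + "handler/codec/http/"


def shaded_netty_components(jar_bytes: bytes) -> dict:
    """Count shaded netty .class files per netty package, e.g. 'handler/codec/http',
    so a scanner finding on a module absent from the artifact can be marked N/A."""
    counts = Counter()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith(SHADED_NETTY_PREFIX) and name.endswith(".class")):
                continue
            rest = name[len(SHADED_NETTY_PREFIX):]
            package = rest.rsplit("/", 1)[0] if "/" in rest else ""
            counts[package] += 1
    return dict(counts)


def bundles_http_codec(jar_bytes: bytes) -> bool:
    """True if any class from netty's HTTP codec package is shaded into the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return any(n.startswith(HTTP_CODEC_PREFIX) and n.endswith(".class")
                   for n in jar.namelist())


def build_sample_jar(entries) -> bytes:
    """Constructed stand-in for a registry jar: a zip of empty .class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed entry lists modelling the two states described in the thread.
WITHOUT_HTTP = build_sample_jar([
    "io/micrometer/shaded/io/netty/channel/Channel.class",
    "io/micrometer/shaded/io/netty/channel/socket/DatagramChannel.class",
    "io/micrometer/shaded/io/netty/handler/codec/ByteToMessageDecoder.class",
    "io/micrometer/statsd/StatsdMeterRegistry.class",  # not shaded netty: ignored
])
WITH_HTTP = build_sample_jar([
    "io/micrometer/shaded/io/netty/channel/Channel.class",
    "io/micrometer/shaded/io/netty/handler/codec/http/HttpObjectDecoder.class",
    "io/micrometer/shaded/io/netty/handler/codec/http/HttpRequest.class",
])
```

Against a downloaded artifact, pass `open(path, "rb").read()` to either function; the per-package counts give the reviewer a concrete list of which netty components the shaded registry actually ships.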
