Release an up-to-date jar and one for java 6 #592
Comments
@fstab 👀 What do you think about this one?
Thanks a lot for the suggestion, and sorry for the delay. I will do this. Just to be clear: There is no security risk, because the CVE is just about parsing YAML from untrusted sources, and not about parsing your own config files. However, I understand that it's annoying to be flagged in security scans, so I will release two versions as suggested above. As a first step, I created a feature branch for testing the agent with different Java versions (https://github.com/prometheus/jmx_exporter/tree/integration-test). I would like to create automated tests for both the jdk6 version and the jdk8 version, because it will be error prone to check manually if Java 6 still works. Once automated integration tests for both versions are in place, I will create a release.
Thanks @fstab. This will definitely help. Out of curiosity, why still support Java 6 since Oracle dropped extended support in 2016?
There are still users who have to operate legacy Java 6 applications, and Azul offer paid support for Java 6 until December 2023 (https://en.wikipedia.org/wiki/Java_version_history).
@fstab Were you able to make any progress on the integration tests?
Sorry for the delay. I picked it up again today and I'll do my best to finish it soon.
I merged it to master. I still need to verify the build and update documentation, but if all goes well I might be able to release this over the weekend.
Outstanding @fstab. I really appreciate the work you put in to get this working! 🥇
👍 I've tried
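The distinction drawn in the comment above (a YAML deserialisation CVE matters when the document comes from an untrusted party, not when the operator wrote the file) is the whole basis of the "no security risk" assessment. The following is an added illustration, not code from jmx_exporter or its maintainers, and it assumes the parser in question is SnakeYAML's 1.x API, which the thread never names explicitly. It shows a defensive way to load a config file so that only plain YAML types (maps, lists, scalars) can be constructed: with SafeConstructor, a document that carries an unexpected global tag is rejected rather than turned into an object. The sample config and the tagged document are constructed for the example, and com.example.NotAllowed is a placeholder class name that does not exist.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added illustration (not jmx_exporter code). Assumes SnakeYAML 1.x, which
 * the issue thread does not name explicitly. A config file the operator
 * wrote is trusted input; loading it through SafeConstructor additionally
 * guarantees that nothing beyond standard YAML types is ever constructed,
 * so an unexpected tag in the file is an error, not an object.
 */
public class SafeConfigLoad {

    // Constructed sample: the shape of an exporter-style config (not a real file).
    static final String TRUSTED_CONFIG =
            "startDelaySeconds: 0\n"
          + "lowercaseOutputName: true\n"
          + "rules:\n"
          + "  - pattern: '.*'\n";

    // Constructed sample: a document carrying a global tag that names a class.
    // com.example.NotAllowed is a placeholder, not a real class.
    static final String TAGGED_DOC =
            "startDelaySeconds: !!com.example.NotAllowed {}\n";

    /** Parse with SafeConstructor: only standard YAML types can be built. */
    static Map<String, Object> loadSafely(String document) {
        Yaml yaml = new Yaml(new SafeConstructor());
        Object root = yaml.load(document);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("config root must be a mapping");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> asMap = (Map<String, Object>) root;
        return asMap;
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = loadSafely(TRUSTED_CONFIG);
        System.out.println("loaded keys: " + cfg.keySet());

        try {
            loadSafely(TAGGED_DOC);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // SafeConstructor has no constructor registered for the tag,
            // so it refuses the document instead of instantiating anything.
            System.out.println("rejected tagged document: " + e.getMessage());
        }
    }
}
```

The useful check for anyone reviewing a scan finding of this kind is the one the code makes explicit: where does the YAML come from, and which constructor parses it. A config file read from the agent's own command line argument is the trusted case the maintainer describes; the SafeConstructor variant is simply the cheaper way to make that argument without having to reason about the file's provenance at all.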
The collector (and the jmx_prometheus_httpserver) still has a reference to 1.23 at jmx_exporter/collector/pom.xml Line 31 in ea03179
Follow-up of #584 (comment)
How about releasing a dedicated jar for java 6? e.g.
- jmx_prometheus_javaagent-0.16.0.jar - one with all dependencies updated
- jmx_prometheus_javaagent-0.16.0-jdk6.jar - tbo I don't really get how these are named but here is how others do it http://www.bouncycastle.org/latest_releases.html
The problem we are having is that we do security scans on our docker images and have processes to force people to fix their issues. And we have to log exceptions and keep explaining that this is not really a vulnerability.
The main benefit of fixing this is that you'll reduce the amount of communication in random other companies :D and this may be masking a real problem in the actual jars of people.
We are currently using 0.14.0 🤷 because 0.15.0 gets flagged.
ps. Happy to help with something of the sort but I am not very familiar with the java world.
fyi @fstab @brian-brazil (I've extracted the question in this issue)