Release an up-to-date jar and one for java 6
Follow-up of https://github.com/prometheus/jmx_exporter/pull/584#issuecomment-801915128
How about releasing a dedicated jar for Java 6? e.g.
- jmx_prometheus_javaagent-0.16.0.jar - one with all dependencies updated
- jmx_prometheus_javaagent-0.16.0-jdk6.jar - tbh I don't really get how these are named, but here is how others do it: http://www.bouncycastle.org/latest_releases.html
The problem we are having is that we do security scans on our docker images and have processes to force people to fix their issues. And we have to log exceptions and keep explaining that this is not really a vulnerability.
The main benefit of fixing this is that you’ll reduce the amount of communication in random other companies 😄 and this may be masking a real problem in the actual jars of people.
We are currently using 0.14.0 🤷 because 0.15.0 gets flagged.
ps. Happy to help with something of the sort but I am not very familiar with the java world.
fyi @fstab @brian-brazil (I’ve extracted the question in this issue)
Issue Analytics
- Created 2 years ago
- Reactions: 8
- Comments: 11 (5 by maintainers)
I merged it to master. I still need to verify the build and update documentation, but if all goes well I might be able to release this over the weekend.
Thanks a lot for the suggestion, and sorry for the delay. I will do this. Just to be clear: There is no security risk, because the CVE is just about parsing YAML from untrusted sources, and not about parsing your own config files. However, I understand that it’s annoying to be flagged in security scans, so I will release two versions as suggested above.
As a first step, I created a feature branch for testing the agent with different Java versions (https://github.com/prometheus/jmx_exporter/tree/integration-test). I would like to create automated tests for both the jdk6 version and the jdk8 version, because it will be error prone to check manually if Java 6 still works. Once automated integration tests for both versions are in place, I will create a release.