feat: fix CVE-2024-7254 (#412)

thugrock7 · web-flow · commit 585866b7534a · 2025-01-17T20:10:00.000+05:30
* exclude protobuf deps

* adding TODO statement
diff --git a/javaagent/build.gradle.kts b/javaagent/build.gradle.kts
@@ -58,6 +58,10 @@ tasks {
             // exclude because it would be shaded twice and the META-INF/services/ would be io.opentelemetry.javaagent.shaded.io.grpc
             exclude("inst/META-INF/services/io.grpc*")
         }
+        // Fix CVE-2024-7254, opentelemetry-javaagent brings in io.prometheus.metrics which uses deps of high vulnerability protobuf-java version
+        // This was fixed in 2.x.x versions of opentelemetry-javaagent(which needs us to upgrade from 1.33.0)
+        // TODO: Remove this exclusion after otel-javaagent upgrade which has CVE-2024-7254 fix
+        exclude("inst/io/prometheus/metrics/shaded/com_google_protobuf_3_21_7/**")
         exclude("**/module-info.class")
         manifest {
             attributes.put("Implementation-Title", "javaagent")
