CVE-2024-7254 for protobuf-java-3.23.4.jar which is from io.opentelemetry.proto:opentelemetry-proto:jar:1.3.2-alpha:runtime

[patpatpat123]

Hello team,

First of all, since this is my first post here, just wanted to say thank you for this cool project.
I would like to reach out to report an issue.
We are using a springboot like java project, and even with the latest as of this writing (3.4.0-RC1) it seems there is an issue.

Our company runs regular daily scans (sonarqube, black duck, owasp dependency check, etc) and there is something that keeps being flagged:

[INFO] +- io.micrometer:micrometer-registry-otlp:jar:1.14.0-RC1:compile
[INFO] |  \- io.opentelemetry.proto:opentelemetry-proto:jar:1.3.2-alpha:runtime
[INFO] |     \- com.google.protobuf:protobuf-java:jar:3.23.4:runtime

[WARNING] 
One or more dependencies were identified with known vulnerabilities in project:
protobuf-java-3.23.4.jar (pkg:maven/com.google.protobuf/protobuf-java@3.23.4, cpe:2.3:a:google:protobuf-java:3.23.4:*:*:*:*:*:*:*, cpe:2.3:a:protobuf:protobuf:3.23.4:*:*:*:*:*:*:*) : CVE-2024-7254
See the dependency-check report for more details.

Could you please help get the correct dependency to fix this vulnerability?

Thank you for your help

[Kielek]

@patpatpat123, please check #16

@breedx-splk, FYI

[arminru]

@Kielek should we transfer this issue to https://github.com/open-telemetry/opentelemetry-proto-java?

[Kielek]

@arminru, I think that it is good idea.
I have pinged @breedx-splk once more time.

[breedx-splk]

@patpatpat123 we have been using 4.28.2 for a couple months (see here)...but our release is a couple months out of date. The next release should resolve this.

I'll ping the maintainers to see if we can cut a release soon.

[breedx-splk]

@patpatpat123 It looks like this repo is not so much intended for 3rd party use, but is instead mostly used for testing within the otel java components themselves. As such, we can't guarantee a release date or schedule.

If you need a new build of the proto bindings, it shouldn't be too much effort to build them yourself from the original .proto definitions.

[Kielek]

@breedx-splk, could you please document it in readme?
We have received requests in .NET that we should create production-ready packages. One of the reason was that the Java has it.

[trask]

@Kielek are you looking for something more than this?

opentelemetry-proto-java/README.md

Lines 57 to 68 in 835072e

	## Support
	The generated java bindings published from this repository are provided as-is.
	For generic documentation on how to use protobuf bindings,
	see [gRPC documentation](https://grpc.io/docs/languages/java/generated-code/)
	and [protobuf java documentation](https://protobuf.dev/reference/java/java-generated/).
	We have no intention of eventually publishing stable artifacts. If you need guarantees,
	please generate your own bindings,
	consulting [grpc codegen](https://grpc.io/docs/languages/java/generated-code/#codegen) and
	possibly [build.gradle.kts](build.gradle.kts)

[patpatpat123]

Thank you guys for transferring this ticket to the correct repo. Hope this will make things move forward

[Kielek]

@trask, I missed it somehow. Thanks for highlighting it.

[breedx-splk]

Given #20, I'm going to close this. Please reopen if this discussion needs to continue. Thanks!

[patpatpat123]

Hello team, sorry for the ping, but I do not understand, sorry about that.

The CVE is still relevant.

And here is the dependency chain of the CVE:

[INFO] +- io.micrometer:micrometer-registry-otlp:jar:1.14.0-RC1:compile
[INFO] |  \- io.opentelemetry.proto:opentelemetry-proto:jar:1.3.2-alpha:runtime
[INFO] |     \- com.google.protobuf:protobuf-java:jar:3.23.4:runtime

May I ask what was actually fixed?

Do we have a new version of io.opentelemetry.proto:opentelemetry-proto:jar which is pulling something safer than com.google.protobuf:protobuf-java:jar:3.23.4:runtime ?

Thank you

[trask]

hi @patpatpat123, unfortunately it looks like this artifact io.micrometer:micrometer-registry-otlp didn't follow our guidance:

We have no intention of eventually publishing stable artifacts. If you need guarantees, please generate your own bindings, consulting grpc codegen and possibly build.gradle.kts

[GFriedrich]

hi @trask,
are you aware that this library is actually even used by OpenTelemetry itself e.g. via this repository: https://github.com/open-telemetry/opentelemetry-collector-contrib
Are the maintainers over there aware of your decision here?

[trask]

hi @GFriedrich, can you provide link to where it's used? I couldn't find it: https://github.com/search?q=repo%3Aopen-telemetry%2Fopentelemetry-collector-contrib+io.opentelemetry.proto&type=code

[GFriedrich]

@trask sorry, that was my mistake - it was the wrong contrib repository.
This is the right one: https://github.com/open-telemetry/opentelemetry-java-contrib

[trask]

1.4.0 has been released

please note that this artifact is still marked -alpha and our recommendation is not to use it in production since we can't guarantee binary compatibility of the codegen classes across releases

we haven't yet decided what to do about the two (alpha) -java-contrib modules that are using it today