When Version 3.7.0 Release #4026
Comments
|
The next release will be in January. |
|
I wanted to inquire about the current release process and frequency for this project. Specifically, is there any possibility of increasing the frequency of releases, at least to include versions with dependency upgrades? For instance, the latest release (v3.6.2) was published on October 31, 2024. Since then, more than a month has passed, during which several open vulnerabilities in the dependencies have been identified. Unfortunately, similar situations have occurred with previous versions. Would it be feasible to adopt a more regular release schedule, particularly focusing on delivering patches or minor updates to address vulnerabilities and dependency upgrades? |
|
hi @jgprogram, we have automation to alert us immediately of CVEs reported in all of our dependencies, and we check those CVEs to ensure they aren't exploitable (given that we shade them in to the Java agent). if there is an exploitable vulnerability, we release a patch immediately. if it's not exploitable, we roll it into our monthly release (we do understand that scanners can be quite noisy about these things) our release cadence is monthly (specifically the week after the upstream OpenTelemetry Java agent is released). unfortunately we were under a critical change only advisory for Nov, Dec, and early Jan, and so could not make releases during that time unless there happened to be an exploitable vulnerability. |
|
@trask , does that mean the current latest version (3.6.2) is NOT exploitable to the various high-CVE dependencies identified as dependencies of AppInsights agent? I'm here because I'm trying to shade/shadowjar our own construction of applicationinsights-agent-3.6.2 but with forced upgrades of various transitive dependencies that are vulnerable, apache mina, logback, jetty to name a few. That seemed easier than digging into your source code to figure out if you were vulnerable to the specific logback CVE, repeat for each vulnerability, but even then I'm running into issues with the Spring classloader. Hearing that 3.6.2 ISN'T vulnerable to the numerous (70) vulnerabilities identified by my Checkmarx scanner would absolutely make my week |
|
(I need to clarify one thing above, which is that our threshold for patching immediately are vulnerabilities with CVSS scoring of 7.0 or higher) |
@josephShield we're only seeing these CVEs against 3.6.2: none of which are High can you give us more details about what you're seeing? |
|
Unfortunately Checkmarx's exported output doesn't also include the CVE issue, and yet their UI doesn't also show the source of the transitive dependency. Above is a screenshot of the former, the raw output. Here I've manually compared each identified vulnerability with the respective CVE(s) (in red), at least for the 9.0 and above ones. As you can see (in yellow) there are 50 vulnerabilities of 7.0 and above 
And in copied form for ease of search: Perhaps I'm misreading my Checkmarx output if you're not seeing any of these? |
|
it looks like you may be having same issue as open-telemetry/opentelemetry-java-instrumentation#13000 we should follow suit in this repo and exclude Exclude META-INF/maven from shaded libraries |
Hi there, I just wonder when the version 3.7.0 will release?
I need the fixing vulnerable CVE-2024-47535, and CVE-2024-12798 on my project.
Thankyou
The text was updated successfully, but these errors were encountered: