-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace the OpenTelemetry protobuf library #5658
Comments
Thank you for the issue! It seems CVE-2024-7254 is about parsing (untrusted) data. I don't think Micrometer is affected since it does not parse any protobuf payload (deserializing), it does the opposite, it produces protobuf payload (serializing). From security scanners perspective, this seems like a false-positive to me. It also worth to mention that other than being affected or not, from Micrometer's perspective, this should not be a CVE since users should be able to upgrade the protobuf dependency ( We need to discuss internally how to handle the new
and as you mentioned, we should be able to simply generate the code from the proto specs using grpc codegen. Unfortunately, this is not as simple as it sounds. I asked around the OTel Slack, it seems that:
Please feel free to share if you have any idea/comment/question/etc. |
Hello team, Just wanted to highlight something the developers of the library are saying:
I am afraid there is a gap between two teams here. On one hand (proto java team) say the library is not ready for production use On the other hand (micrometer team) might not know about this (recent) information. If this is the case, is there a way to replace this library with something more "production ready"? Please let us know, as OTLP is a widely used library. Thank you and good day! |
Hey @jonatan-ivanov, thanks for getting back! From an external point of view I see two options:
In any case thanks so much for looking into this 🙏 |
@patpatpat123 @GFriedrich
This is mostly an OTel decision. I think a binary distribution (jar in case of Java) of the OTLP spec should be available for everyone. I already started a discussion with otel-java folks, let's see where this will go. |
@jonatan-ivanov I don't think this is a fair statement. The artifact version is (and has always been) tagged with |
Hey @trask, there are a lot of things going on in the comments, could you please let me know which statement is not fair so that I can correct it? If I need to guess you mean the one about production use ("not intended for production use")? I think I should have written "eventual production use"(?). I edited it and added a note about the OTel test usage to make it clearer, but that's what I meant (since that was changed in the commits I linked) not the Right now, the repo says there is no intention of eventually publishing stable artifacts. To me this means that it is not just not indented for production use yet but ever. I think this is a completely different topic than the |
I believe this is where the Wanted to say something else though: A big motivator in opentelemetry for its proto solution was actually increased performance directly serializing the intermediate storage classes to proto vs. having to memory-map/convert to the generated classes and then serialize. That is:
If micrometer is able to optimise using the same technique, it might be beneficial to everyone. I'm a bit overloaded, but could explain the basics on how this works if Micrometer wanted to create serialize-only templates from proto descriptions, a simplification of otel's code here: https://github.com/open-telemetry/opentelemetry-java/blob/main/buildSrc/src/main/kotlin/io/opentelemetry/gradle/ProtoFieldsWireHandler.kt |
Hey @jonatan-ivanov , Thank you for following up on this. I think the micrometer OTLP community would benefit from that. |
Any reason why micrometer can't just use Micrometer could provide a mapping to the This would allow micrometer to leverage the high performance, hand-rolled serialization we use internally in The only argument I can think of to use |
@jsuereth Ah, I see, by saying "there was no sign that this artifact should not be used", what I meant here was no sign that it should not be used at all (other than OTel test suits). To me this is a different topic than the Thank you for the details about proto and the offer to help. As a short term solution, it seems there will be another release of proto-java that contains the CVE fix since it seems there will be some changes in the proto specs. |
@jack-berg |
Yup good points @jonatan-ivanov. There seems to be a tradeoff:
From a dependency size standpoint, we have:
|
Please describe the feature request.
Get rid of the OpenTelemetry protobuf library as it is not intended for public use.
Rationale
Recently #5493 was opened to express that some vulnerable protobuf version is used. The ticket was closed though, because the protobuf version is coming from the OpenTelemetry protobuf library. Now though, the OpenTelemetry maintainers decided that this library is not intended for public use (see open-telemetry/opentelemetry-proto-java#20). Therefore I guess the only option here is to get rid of this library and generating the files for protobuf by yourselves.
The text was updated successfully, but these errors were encountered: