dependabot[bot] opened a new pull request, #4224:
URL: https://github.com/apache/servicecomb-java-chassis/pull/4224

   Bumps [io.zipkin.zipkin2:zipkin](https://github.com/openzipkin/zipkin) from 
2.26.0 to 3.0.5.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a 
href="https://github.com/openzipkin/zipkin/releases">io.zipkin.zipkin2:zipkin's 
releases</a>.</em></p>
   <blockquote>
   <p>Zipkin 3.0.5 cleans up CVEs and supports Eureka authentication. We also 
allow those testing with Cassandra to disable SSL hostname verification. While 
this is a point version, quite a lot of work went into this. Please thank 
volunteers involved on <a 
href="https://app.gitter.im/#/room/#openzipkin_zipkin:gitter.im">gitter</a> or 
otherwise!</p>
   <h2>Dependency updates</h2>
   <p>Most notably, this updates our docker image to use JRE 21.0.2_p13, and 
all recent java libraries. We audited the UI and were able to fix all CVEs 
identified by <a href="https://www.aquasec.com/products/trivy/">Trivy</a> and 
used at runtime, with special thanks to <a 
href="https://github.com/anuraaga"><code>@anuraaga</code></a> on this. We also 
test with latest Elasticsearch 8.12.0, now. This was trickier than usual due to 
a JRE compatibility issue <a 
href="https://github.com/reta"><code>@reta</code></a> <a 
href="https://redirect.github.com/elastic/elasticsearch/pull/104347">discovered</a>
 a workaround for, and will be resolved when ES 8.12.1 is out. Rag and Andriy 
made themselves available and are the reason this release is all polished.</p>
   <h2>Eureka authentication</h2>
   <p><a href="https://github.com/openzipkin/zipkin/releases/tag/2.27.0">Zipkin 
2.27</a> added Eureka discovery support, but we missed a spot. Eureka <a 
href="https://redirect.github.com/Netflix/eureka/pull/765/files">supports BASIC 
authentication</a> via user info embedded in the service url. e.g. 
<code>http://user:password@localhost:8761/eureka/v2</code>. This is also 
handled the same way in <a 
href="https://cloud.spring.io/spring-cloud-netflix/multi/multi__service_discovery_eureka_clients.html#_authenticating_with_the_eureka_server">spring-cloud-netflix</a>.
 By also allowing url-embedded credentials, folks can use the same properties 
with zipkin as they do elsewhere.</p>
   <p>To achieve this, and test it fully, we updated the following:</p>
   <ul>
   <li>Our test eureka server image, <a 
href="https://github.com/openzipkin/zipkin/tree/3.0.5/docker/test-images/zipkin-eureka">ghcr.io/openzipkin/zipkin-eureka</a>,
 to require authentication via <code>EUREKA_USERNAME</code> and 
<code>EUREKA_PASSWORD</code></li>
   <li>Our test armeria client image, <a 
href="https://github.com/openzipkin/brave-example/tree/master/armeria">ghcr.io/openzipkin/brave-example:armeria</a>,
 to pass embedded credentials when looking up zipkin via 
<code>EUREKA_SERVICE_URL</code></li>
   <li>Our main code (applicable to all zipkin packaging) to use embedded 
credentials when registering via <code>EUREKA_SERVICE_URL</code></li>
   <li>Our <a 
href="https://github.com/openzipkin/zipkin/blob/3.0.5/docker/examples/docker-compose-eureka.yml#L27-L30">docker-compose
 example</a> to suggest how you can try the whole thing integrated.</li>
   </ul>
   <p>Thanks for your patience with supporting this option, we hope you can 
tell that doing it right was a lot of work, and why we didn't just &quot;wing 
it&quot; earlier!</p>
   <h2>Disabling Cassandra hostname verification</h2>
   <p>Cassandra includes a setting for disabling hostname validation when using 
SSL, which is helpful for self-signed certificates.
   Thanks to <a 
href="https://github.com/priyavivek2307"><code>@priyavivek2307</code></a> and 
<a href="https://github.com/ankit-gautam23"><code>@ankit-gautam23</code></a> 
for review, you can disable this now, by setting the env 
<code>CASSANDRA_SSL_HOSTNAME_VALIDATION=false</code></p>
   <p><strong>Full Changelog</strong>: <a 
href="https://github.com/openzipkin/zipkin/compare/3.0.4..3.0.5">https://github.com/openzipkin/zipkin/compare/3.0.4..3.0.5</a></p>
   <p>Zipkin 3.0.4 fixes a packaging bug which caused the UI to not load. 
Thanks <a 
href="https://github.com/jinyulei0710"><code>@jinyulei0710</code></a> for 
reporting!</p>
   <p>Zipkin 3.0.3 updates its self-tracing to use the latest zipkin-reporter 
3.2.1. It also enhances the <a 
href="https://github.com/openzipkin/zipkin/tree/master/docker/examples#eureka">Eureka
 example</a> to include client tracing with <a 
href="https://armeria.dev/docs/client-service-discovery/">Armeria services</a> 
support.</p>
   <p>Zipkin 3.0.2 removes a log warning from console output.</p>
   <p>You may also be interested in the <a 
href="https://formulae.brew.sh/formula/zipkin">new homebrew formula</a>. On mac 
or linux, you can now try zipkin via <code>brew install zipkin</code></p>
   <p>Zipkin 3.0 updates to Spring Boot 3 and floor JRE 17. The core library <a 
href="https://central.sonatype.com/search?q=io.zipkin.zipkin2:zipkin">io.zipkin.zipkin2:zipkin</a>
 now targets Java 8. This is a major version change for these reasons.</p>
   <p>Apart from raising the server's Java target to 17, actual changes for 
Spring Boot 3 were a breeze. Upgrade breeze is not by accident, rather thanks 
to conscious thinking by the <a href="https://twitter.com/springboot">Spring 
Boot</a> team. Please thank them for the good work!</p>
   <h3>On Java version changes</h3>
   <p>Recent releases of Zipkin use JRE 21 in docker images, as that's the 
latest LTS. The server now requires JRE 17 because that's the minimal Java 
target allowed by Spring Boot 3. <a 
href="https://bugs.openjdk.org/browse/JDK-8206440">JDK 17 no longer supports 
compilation below Java 8,</a> which impacted our version range. The next notes 
cover impacts on the core library.</p>
   <p><a 
href="https://central.sonatype.com/search?q=io.zipkin.zipkin2:zipkin">io.zipkin.zipkin2:zipkin</a>
 now targets Java 8, formerly Java 6. Libraries who need to retain Java 6 or 
old Android versions should stay on 2.x or move to latest <a 
href="https://github.com/openzipkin/zipkin-reporter-java/tree/master/brave">zipkin-reporter-brave</a>
 which still supports Java 6. This should not impact many because known 
libraries that depend on zipkin require Java 8 or later.</p>
   <p>Again, <a 
href="https://github.com/openzipkin/zipkin-reporter-java/releases/tag/3.1.1">Zipkin
 Reporter 3</a> and <a 
href="https://github.com/openzipkin/brave/releases/tag/6.0.0">Brave 6</a> no 
longer have a strict dependency on <code>io.zipkin.zipkin2:zipkin</code> so, 
still support Java 6.</p>
   <h3>Notable updates</h3>
   <p>As this is a major version update, we updated all server extensions we 
maintain, including:</p>
   <ul>
   <li><a href="https://github.com/openzipkin/zipkin-aws">zipkin-aws</a> 
(docker <a 
href="https://hub.docker.com/r/openzipkin/zipkin-aws">openzipkin/zipkin-aws</a>)</li>
   </ul>
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/openzipkin/zipkin/commit/6c1857e49315a4fbae83cb3a56e7fab8cdb5fe4c"><code>6c1857e</code></a>
 [maven-release-plugin] prepare release 3.0.5</li>
   <li><a 
href="https://github.com/openzipkin/zipkin/commit/56d68ccd258cb85749986afe019ed8ceb47f4848"><code>56d68cc</code></a>
 deps: fixes to easy lens CVEs (<a 
href="https://redirect.github.com/openzipkin/zipkin/issues/3705">#3705</a>)</li>
   <li><a 
href="https://github.com/openzipkin/zipkin/commit/f18696efc4538dd413e96017be70ec273a15b267"><code>f18696e</code></a>
 deps: bumps to latest library versions, notably slf4j (<a 
href="https://redirect.github.com/openzipkin/zipkin/issues/3704">#3704</a>)</li>
   <li><a 
href="https://github.com/openzipkin/zipkin/commit/183faf76eb7a19f16f07f02d94a36599ce4c6aa0"><code>183faf7</code></a>
 docker: updates notably to JRE 21.0.2_p13 (<a 
href="https://redirect.github.com/openzipkin/zipkin/issues/3702">#3702</a>)</li>
   <li><a 
href="https://github.com/openzipkin/zipkin/commit/899170cd4099ca38e8d3433aef8121e1d4f06566"><code>899170c</code></a>
 cassandra: adds CASSANDRA_SSL_HOSTNAME_VALIDATION (<a 
href="https://redirect.github.com/openzipkin/zipkin/issues/3701">#3701</a>)</li>
   <li><a 
href="https://github.com/openzipkin/zipkin/commit/41b4a37ee948b521b69a242a79eadd9ed7c6da64"><code>41b4a37</code></a>
 eureka: supports credentials in EUREKA_SERVICE_URL (<a 
href="https://redirect.github.com/openzipkin/zipkin/issues/3700">#3700</a>)</li>
   <li><a 
href="https://github.com/openzipkin/zipkin/commit/10e0458dab733301702a808f1cfbae7e80195e6f"><code>10e0458</code></a>
 docker: changes to direct auth filter in zipkin-eureka test image (<a 
href="https://redirect.github.com/openzipkin/zipkin/issues/3699">#3699</a>)</li>
   <li><a 
href="https://github.com/openzipkin/zipkin/commit/5ff651fe43e5416787b57895849bb26f61403b40"><code>5ff651f</code></a>
 docker: require auth for Eureka on EUREKA_USERNAME (<a 
href="https://redirect.github.com/openzipkin/zipkin/issues/3698">#3698</a>)</li>
   <li><a 
href="https://github.com/openzipkin/zipkin/commit/13e46f82657713fea268708bd083f497eb9122cc"><code>13e46f8</code></a>
 [maven-release-plugin] prepare for next development iteration</li>
   <li><a 
href="https://github.com/openzipkin/zipkin/commit/1b89798901c27526beda4efd4d9e86c26ba6e326"><code>1b89798</code></a>
 [maven-release-plugin] prepare release 3.0.4</li>
   <li>Additional commits viewable in <a 
href="https://github.com/openzipkin/zipkin/compare/2.26.0...3.0.5">compare 
view</a></li>
   </ul>
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
