wu-sheng opened a new pull request, #13915:
URL: https://github.com/apache/skywalking/pull/13915
### Clear test-scope CVE Dependabot alerts (log4j 1.x + Go e2e fixtures)
Follow-up to #13913. Clears ~18 of the remaining open Dependabot alerts, all
in e2e **test fixtures** (no production code).
**log4j 1.x** — `e2e-service-provider` (2 alerts; log4j 1.x is EOL, one CVE
has no patched release):
- Removed `log4j:log4j` 1.2.17 + `apm-toolkit-log4j-1.x` and
`log4j.properties`. The provider already exercises log-to-OAP through
**log4j2** (`apm-toolkit-log4j-2.x`, grpc appender) and **logback** in
parallel, so log-reporting coverage is preserved. The log4j2 loggers now use
the imported `org.apache.logging.log4j.Logger` (no inline FQCN). Dropped the
log4j-1.x `fileLogger` items from the filebeat/fluentd expected files.
**Go fixtures** — `grpc`/`golang.org/x/net`/`x/crypto`/`protobuf` (~16
alerts; the patched releases require Go ≥ 1.23):
- `cases/go/service`: `go 1.24`; x/crypto 0.46, x/net 0.48, grpc 1.79.3,
protobuf 1.36.10; Dockerfile base `-go1.19` → `-go1.24`. `SW_AGENT_GO_COMMIT` →
`19a9fa9` (the skywalking-go commit that ships the go1.24 images; go1.19 images
were dropped). All 5 shared go cases (go/service, profiling/trace/go,
pprof/{mysql,es,banyandb}) build from this one Dockerfile.
- `cases/profiling/ebpf/network`: **migrated off the legacy go2sky SDK to
the skywalking-go toolchain agent** (auto-instruments net/http server+client).
The app exit span is now auto-instrumented (`GET:/provider`, `GoHttpClient`,
layer `Http`, peer `proxy`, http tags, spanid 1/parent 0) —
`expected/skywalking-trace.yml` updated, derived from the skywalking-go
net/http plugin. The eBPF sampled-record name (`skywalking-<path>`) is
network-derived and unchanged, so the verify query and the 4xx/5xx expectations
are untouched.
**Not in this PR (separate follow-ups):**
- `okhttp` 3.14.9 in `oap-server-bom` — the only **production**-scope alert;
pulled transitively by the Kubernetes client, so the real fix is a k8s-client
bump.
- `protobuf` in `airflow/mock/requirements-replay.txt` — needs an
`opentelemetry-proto` bump too (it pins `protobuf<5`).
### Validation
- Java provider compiles; the fat jar bundles only log4j2 (`log4j-api/core`
+ `apm-toolkit-log4j-2.x`), zero log4j 1.x.
- Both Go fixtures build locally with the `skywalking-go -toolexec` agent
(go1.24 + grpc 1.79.3).
- The `ebpf/network` trace assertion is derived from the skywalking-go
plugin code; end-to-end behavior is validated by the kind/rover **eBPF e2e in
CI** (not locally runnable).
- [ ] Update the [`CHANGES`
log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md)
— N/A, test-fixture/CI only (not user-facing).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
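The "Validation" section above states that the provider fat jar now bundles only log4j2 and zero log4j 1.x. The script below is an added example, not code from the PR or from the SkyWalking project, showing one way to make that claim mechanically checkable against a shaded jar. It inspects zip entry names only: log4j 1.x classes live under `org/apache/log4j/`, log4j2 classes under `org/apache/logging/log4j/`, and the `META-INF/maven/log4j/log4j/` metadata identifies the `log4j:log4j` artifact itself. The caveat worth encoding is that log4j2's `log4j-1.2-api` bridge also ships `org/apache/log4j/*` classes, so a package prefix alone would produce a false positive; the check therefore distinguishes a real 1.x artifact from the bridge and flags the remaining case as ambiguous. The in-memory sample jars are constructed here for illustration and are not the project's artifacts.

```python
"""Audit a fat/shaded jar for bundled log4j 1.x (added example, not project code)."""
import io
import sys
import zipfile
from typing import Dict, Iterable

LOG4J1_PKG = "org/apache/log4j/"            # log4j 1.x classes (also used by the 1.2 bridge)
LOG4J2_PKG = "org/apache/logging/log4j/"    # log4j2 api/core classes
LOG4J1_POM = "META-INF/maven/log4j/log4j/"  # Maven metadata of the log4j:log4j artifact
BRIDGE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-1.2-api/"  # log4j2's 1.x bridge


def build_jar(entries: Iterable[str]) -> bytes:
    """Build a minimal jar (zip) in memory with empty entries; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


def audit_jar(data: bytes) -> Dict[str, object]:
    """Classify jar entries by the log4j generation they belong to."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {
        "log4j1_classes": sorted(n for n in names
                                 if n.startswith(LOG4J1_PKG) and n.endswith(".class")),
        "log4j2_classes": sorted(n for n in names
                                 if n.startswith(LOG4J2_PKG) and n.endswith(".class")),
        "log4j1_artifact": any(n.startswith(LOG4J1_POM) for n in names),
        "bridge_artifact": any(n.startswith(BRIDGE_POM) for n in names),
    }


def verdict(data: bytes) -> str:
    """clean | log4j1 | bridge-only | ambiguous.

    - log4j:log4j Maven metadata present      -> definitely log4j 1.x (EOL, unpatched CVE)
    - no org/apache/log4j classes at all      -> clean
    - 1.x-package classes + log4j-1.2-api pom -> only the log4j2 bridge, not 1.x itself
    - 1.x-package classes, no metadata        -> ambiguous; inspect by hand
    """
    a = audit_jar(data)
    if a["log4j1_artifact"]:
        return "log4j1"
    if not a["log4j1_classes"]:
        return "clean"
    if a["bridge_artifact"]:
        return "bridge-only"
    return "ambiguous"


# Constructed sample jars (illustrative entry names, not real build output).
CLEAN_JAR = build_jar([
    "META-INF/MANIFEST.MF",
    "org/apache/logging/log4j/Logger.class",
    "org/apache/logging/log4j/core/Appender.class",
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
])
LOG4J1_JAR = build_jar([
    "org/apache/log4j/Logger.class",
    "META-INF/maven/log4j/log4j/pom.properties",
    "org/apache/logging/log4j/Logger.class",
])
BRIDGE_JAR = build_jar([
    "org/apache/log4j/Logger.class",
    "META-INF/maven/org.apache.logging.log4j/log4j-1.2-api/pom.properties",
    "org/apache/logging/log4j/Logger.class",
])
AMBIGUOUS_JAR = build_jar([
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/Category.class",
])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit_log4j.py path/to/fat.jar
        with open(sys.argv[1], "rb") as fh:
            print(verdict(fh.read()))
    else:
        for label, jar in [("clean", CLEAN_JAR), ("log4j1", LOG4J1_JAR),
                           ("bridge", BRIDGE_JAR), ("ambiguous", AMBIGUOUS_JAR)]:
            print(f"{label:10s} -> {verdict(jar)}")
```

Run it against the provider fat jar; a result other than `clean` (or `bridge-only`, if the bridge is intentionally present) means a log4j 1.x dependency has crept back in transitively. Because it keys on entry names and Maven metadata rather than class bytes, it will miss a relocated (shaded) copy under a different package, which is a limitation to keep in mind for jars that use package relocation.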