fix: Remove Netty as an agent dependency

Netty is currently bundled in the ADOT Java Agent JAR, unnecessarily increasing its size by ~7 MB.

This PR removes Netty from the ADOT Java Agent dependency list by:

1. Explicitly removing the Netty BOM.
2. Upgrading the AWS SDK to 2.33.11, which addresses the Netty security risk.
3. Replacing the inclusion of all AWS SDK packages with only the specific modules required by the ADOT Java Agent.

Tests performed:

Local build: ./gradlew build ✅
Unit tests: ./gradlew test ✅
Smoke/contract tests: ./gradlew appsignals-tests:contract-tests:contractTests ✅

Author: lukeina2z

appsignals-tests/contract-tests/build.gradle.kts

@@ -52,8 +52,8 @@ dependencies {
   testImplementation("org.testcontainers:junit-jupiter")
   testImplementation("io.opentelemetry.contrib:opentelemetry-aws-xray")
   testImplementation("org.testcontainers:localstack")
-  testImplementation("software.amazon.awssdk:s3")
-  testImplementation("software.amazon.awssdk:sts")
+  testImplementation("software.amazon.awssdk:s3:2.33.11")
+  testImplementation("software.amazon.awssdk:sts:2.33.11")
   testImplementation(kotlin("test"))
   implementation(project(":appsignals-tests:images:grpc:grpc-base"))
   testImplementation("org.testcontainers:kafka:1.21.3")

awsagentprovider/build.gradle.kts

@@ -50,7 +50,6 @@ dependencies {
   compileOnly("io.opentelemetry:opentelemetry-exporter-otlp-common")
 
   // For OtlpAwsExporter SigV4 Authentication
-  runtimeOnly("software.amazon.awssdk:sts")
   implementation("software.amazon.awssdk:auth")
   implementation("software.amazon.awssdk:http-auth-aws")
 

dependencyManagement/build.gradle.kts

@@ -40,16 +40,11 @@ val dependencyBoms = listOf(
   "com.google.protobuf:protobuf-bom:3.25.1",
   "com.linecorp.armeria:armeria-bom:1.26.4",
   "io.grpc:grpc-bom:1.59.1",
-  // netty-bom is a fix for CVE-2025-58056 (https://github.com/advisories/GHSA-fghv-69vj-qj49).
-  // Remove once https://github.com/aws/aws-sdk-java-v2/pull/6398 and https://github.com/aws/aws-sdk-java/pull/3192
-  // are both merged and released, and we update the corresponding dependencies.
-  "io.netty:netty-bom:4.1.126.Final",
   "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:$otelAlphaVersion",
   "org.apache.logging.log4j:log4j-bom:2.21.1",
   "org.junit:junit-bom:5.10.1",
   "org.springframework.boot:spring-boot-dependencies:2.7.17",
   "org.testcontainers:testcontainers-bom:1.19.3",
-  "software.amazon.awssdk:bom:2.30.17",
 )
 
 val dependencySets = listOf(
@@ -103,6 +98,9 @@ dependencies {
     for (dependency in dependencyLists) {
       api(dependency)
     }
+
+    api("software.amazon.awssdk:auth:2.33.11")
+    api("software.amazon.awssdk:aws-core:2.33.11")
   }
 }
 

sample-apps/spark/build.gradle.kts

@@ -15,8 +15,8 @@ dependencies {
   implementation("com.squareup.okhttp3:okhttp")
   implementation("io.opentelemetry:opentelemetry-api")
   implementation("org.apache.logging.log4j:log4j-core")
-  implementation("software.amazon.awssdk:s3")
-  implementation("software.amazon.awssdk:sts")
+  implementation("software.amazon.awssdk:s3:2.33.11")
+  implementation("software.amazon.awssdk:sts:2.33.11")
 
   runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl")
 }

sample-apps/springboot/build.gradle.kts

@@ -10,8 +10,8 @@ dependencies {
   implementation("org.springframework.boot:spring-boot-starter-web")
   implementation("org.springframework.boot:spring-boot-starter")
   implementation("com.squareup.okhttp3:okhttp")
-  implementation("software.amazon.awssdk:s3")
-  implementation("software.amazon.awssdk:sts")
+  implementation("software.amazon.awssdk:s3:2.33.11")
+  implementation("software.amazon.awssdk:sts:2.33.11")
   implementation("io.opentelemetry:opentelemetry-api")
 }