From 956c7fb37967009a44e5baad29a4ebc3fc3ca3d6 Mon Sep 17 00:00:00 2001
From: Luke Zhang
Date: Fri, 19 Sep 2025 09:58:58 -0700
Subject: [PATCH 1/2] fix: Remove Netty as an agent dependency
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Netty is currently bundled in the ADOT Java Agent JAR, unnecessarily increasing its size by ~7 MB.
This PR removes Netty from the ADOT Java Agent dependency list by:
1. Explicitly removing the Netty BOM.
2. Upgrading the AWS SDK to 2.33.11, which addresses the Netty security risk.
3. Replacing the inclusion of all AWS SDK packages with only the specific modules required by the ADOT Java Agent.
Tests performed:
Local build: ./gradlew build ✅
Unit tests: ./gradlew test ✅
Smoke/contract tests: ./gradlew appsignals-tests:contract-tests:contractTests ✅
---
 appsignals-tests/contract-tests/build.gradle.kts | 4 ++--
 awsagentprovider/build.gradle.kts | 1 -
 dependencyManagement/build.gradle.kts | 8 +++-----
 sample-apps/spark/build.gradle.kts | 4 ++--
 sample-apps/springboot/build.gradle.kts | 4 ++--
 5 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/appsignals-tests/contract-tests/build.gradle.kts b/appsignals-tests/contract-tests/build.gradle.kts
index 0a90f08fb3..11179de989 100644
--- a/appsignals-tests/contract-tests/build.gradle.kts
+++ b/appsignals-tests/contract-tests/build.gradle.kts
@@ -52,8 +52,8 @@ dependencies {
 testImplementation("org.testcontainers:junit-jupiter")
 testImplementation("io.opentelemetry.contrib:opentelemetry-aws-xray")
 testImplementation("org.testcontainers:localstack")
- testImplementation("software.amazon.awssdk:s3")
- testImplementation("software.amazon.awssdk:sts")
+ testImplementation("software.amazon.awssdk:s3:2.33.11")
+ testImplementation("software.amazon.awssdk:sts:2.33.11")
 testImplementation(kotlin("test"))
 implementation(project(":appsignals-tests:images:grpc:grpc-base"))
 testImplementation("org.testcontainers:kafka:1.21.3")
diff --git a/awsagentprovider/build.gradle.kts b/awsagentprovider/build.gradle.kts
index 5cc97b14fc..cc31042d26 100644
--- a/awsagentprovider/build.gradle.kts
+++ b/awsagentprovider/build.gradle.kts
@@ -50,7 +50,6 @@ dependencies {
 compileOnly("io.opentelemetry:opentelemetry-exporter-otlp-common")
 // For OtlpAwsExporter SigV4 Authentication
- runtimeOnly("software.amazon.awssdk:sts")
 implementation("software.amazon.awssdk:auth")
 implementation("software.amazon.awssdk:http-auth-aws")
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index d6218a08b2..2b7a64cc20 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
@@ -40,16 +40,11 @@ val dependencyBoms = listOf(
 "com.google.protobuf:protobuf-bom:3.25.1",
 "com.linecorp.armeria:armeria-bom:1.26.4",
 "io.grpc:grpc-bom:1.59.1",
- // netty-bom is a fix for CVE-2025-58056 (https://github.com/advisories/GHSA-fghv-69vj-qj49).
- // Remove once https://github.com/aws/aws-sdk-java-v2/pull/6398 and https://github.com/aws/aws-sdk-java/pull/3192
- // are both merged and released, and we update the corresponding dependencies.
- "io.netty:netty-bom:4.1.126.Final",
 "io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:$otelAlphaVersion",
 "org.apache.logging.log4j:log4j-bom:2.21.1",
 "org.junit:junit-bom:5.10.1",
 "org.springframework.boot:spring-boot-dependencies:2.7.17",
 "org.testcontainers:testcontainers-bom:1.19.3",
- "software.amazon.awssdk:bom:2.30.17",
 )
 val dependencySets = listOf(
@@ -103,6 +98,9 @@ dependencies {
 for (dependency in dependencyLists) {
 api(dependency)
 }
+
+ api("software.amazon.awssdk:auth:2.33.11")
+ api("software.amazon.awssdk:aws-core:2.33.11")
 }
 }
diff --git a/sample-apps/spark/build.gradle.kts b/sample-apps/spark/build.gradle.kts
index 1dc88e3192..2e3bdecfea 100644
--- a/sample-apps/spark/build.gradle.kts
+++ b/sample-apps/spark/build.gradle.kts
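Review bot: Dropping `runtimeOnly("software.amazon.awssdk:sts")` removes more than the Netty transitive: if OtlpAwsExporter resolves credentials through the SDK's default chain, the web-identity (IRSA) and profile assume-role providers load STS reflectively and, as far as I recall, are skipped or fail when the `sts` module is absent from the classpath, so SigV4 signing could stop working on EKS pods that authenticate with a service-account token even though the contract tests passed. If that path is meant to be supported, keep the module but cut the HTTP-client transitives that drag Netty in, e.g. `runtimeOnly("software.amazon.awssdk:sts") { exclude(group = "software.amazon.awssdk", module = "netty-nio-client") }`; if it is intentionally unsupported, say so in the comment above the `auth` line so nobody re-adds it blindly. Either way the existing `// For OtlpAwsExporter SigV4 Authentication` comment should state which credential providers the agent now supports. The `dependencies` block continues outside the hunk.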
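Review bot: Removing both the `netty-bom` pin and the `awssdk:bom` leaves the Netty version on the test and sample classpaths (which still depend on `s3`/`sts`) entirely to the SDK's transitive resolution, so the CVE-2025-58056 floor the deleted comment documented now holds only if every awssdk module actually resolves to 2.33.11 — worth confirming with `./gradlew dependencyInsight --dependency io.netty` before merging. The `2.33.11` literal is also repeated in the two new `api(...)` lines and in four other build files, while modules not pinned here (`http-auth-aws` in awsagentprovider) float with whatever `auth` pulls in; one source of truth would be keeping the BOM and bumping it to `"software.amazon.awssdk:bom:2.33.11"` (a platform import adds constraints, not modules, so it does not bring Netty back into the agent) or a single `val awsSdkVersion = "2.33.11"` referenced everywhere. Since keeping Netty out of the agent is the point of the change, consider making it enforceable too, e.g. `exclude(group = "io.netty")` on the agent's runtime configuration or a build check that the shaded agent JAR contains no `io/netty/` entries, so a future transitive cannot reintroduce it without a review signal. The `dependencies` block continues outside the hunk.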
@@ -15,8 +15,8 @@ dependencies {
 implementation("com.squareup.okhttp3:okhttp")
 implementation("io.opentelemetry:opentelemetry-api")
 implementation("org.apache.logging.log4j:log4j-core")
- implementation("software.amazon.awssdk:s3")
- implementation("software.amazon.awssdk:sts")
+ implementation("software.amazon.awssdk:s3:2.33.11")
+ implementation("software.amazon.awssdk:sts:2.33.11")
 runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl")
 }
diff --git a/sample-apps/springboot/build.gradle.kts b/sample-apps/springboot/build.gradle.kts
index 2d4844fcc4..ed10ac1be0 100644
--- a/sample-apps/springboot/build.gradle.kts
+++ b/sample-apps/springboot/build.gradle.kts
@@ -10,8 +10,8 @@ dependencies {
 implementation("org.springframework.boot:spring-boot-starter-web")
 implementation("org.springframework.boot:spring-boot-starter")
 implementation("com.squareup.okhttp3:okhttp")
- implementation("software.amazon.awssdk:s3")
- implementation("software.amazon.awssdk:sts")
+ implementation("software.amazon.awssdk:s3:2.33.11")
+ implementation("software.amazon.awssdk:sts:2.33.11")
 implementation("io.opentelemetry:opentelemetry-api")
 }

From 5826379dc98921d89fa1f77f24363e01515e7fc0 Mon Sep 17 00:00:00 2001
From: Luke Zhang
Date: Fri, 19 Sep 2025 10:14:53 -0700
Subject: [PATCH 2/2] add changelog.

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4732100a6e..d94e919c38 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,3 +12,7 @@ For any change that affects end users of this package, please add an entry under
 If your change does not need a CHANGELOG entry, add the "skip changelog" label to your PR.
 ## Unreleased
+
+ - fix: Remove Netty as an agent dependency
+ ([#1206](https://github.com/aws-observability/aws-otel-java-instrumentation/pull/1206))
+