Add Snyk (#312)

* 🚧 snyk config

* 👷 add snyk CI step

* 🔒 upgrade auto-service, retain annotations only at compile time

* :arrow_up upgrade protpbuf-java-util to resolve guava dependency vulnerability

* 🔒 exclude netty from being available at runtime

* 🔒 exclude apache from being available at runtime

* 🔒 upgrade jetty for tests

* 🔒 exclude apache library from runtime classpath

* 🐛 fix library conifguration for apache httpclient

* 🐛 fix library configuraton for netty-4.1

* 🔒 💩 ignore vulns

* 🐛 fix bug where testRuntimeClasspath was also being considered for dependency scan in CI

* 🔊 add debugging info

* 🔒 exclude vertx from runtime classpath

* 🐛 used named rather than class literal when specifying transformers

* ♻️ refactor library configuration into shared plugin

* ⏪ revert changes to jetty-server version that are not needed

* ♻️ refactor testing-common to use test-fixtures plugin

* 🔥 delete snyk policy

* 🐛 fix projects depending on new test-fixtures project

* ♻️ simplify checked cast of ProjectDependency

* ⬆️ complete uprade of protobuf

* 💡 document the new library configuration

Author: ryandens

.github/workflows/build.yaml

@@ -64,3 +64,20 @@ jobs:
         env:
           JVM_OPTS: -Xmx1g
           TERM: dumb
+
+  snyk-scan:
+    runs-on: ubuntu-20.04
+    steps:
+      # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
+      - name: Check out code
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+          submodules: true
+      - name: Setup snyk
+        uses: snyk/actions/[email protected]
+      - name: Snyk test
+        run: snyk test -d --all-sub-projects --org=hypertrace --severity-threshold=low --configuration-matching="^runtimeClasspath$"
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          GRADLE_OPTS: -Dorg.gradle.workers.max=1

buildSrc/src/main/java/io/opentelemetry/instrumentation/gradle/AutoInstrumentationPlugin.java

@@ -9,6 +9,8 @@
 import java.util.Arrays;
 import org.gradle.api.Plugin;
 import org.gradle.api.Project;
+import org.gradle.api.artifacts.Configuration;
+import org.gradle.api.artifacts.Dependency;
 import org.gradle.api.plugins.JavaLibraryPlugin;
 import org.gradle.api.tasks.Internal;
 import org.gradle.api.tasks.testing.Test;
@@ -24,6 +26,7 @@ public class AutoInstrumentationPlugin implements Plugin<Project> {
   @Override
   public void apply(Project project) {
     project.getPlugins().apply(JavaLibraryPlugin.class);
+    createLibraryConfiguration(project);
     project
         .getTasks()
         .withType(
@@ -40,7 +43,56 @@ public void apply(Project project) {
             });
   }
 
+  /**
+   * Creates a custom dependency configuration called {@code library} inspired by the <a
+   * href="https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/0b0516bd1a0599c8f536cc6b2151782000681f39/gradle/instrumentation-common.gradle#L8">opentelemetry-java-instrumentation</a>.
+   * Namely, this instructs Gradle to include the classes from the dependency on the {@code
+   * compileClasspath} and the {@code testRuntimeClasspath} but not the {@code runtimeClasspath}.
+   * This makes the scope of the dependency clear to all consumers of this project and gives
+   * stronger guarantees that we won't accidentally include libraries targeted for instrumentation
+   * in the published Hypertrace javaagent JAR.
+   *
+   * <p> Example usage:
+   * <pre>
+   *  dependencies {
+   *    library("org.apache.httpcomponents:httpclient:4.0")
+   *  }
+   * </pre>
+   *
+   * <p> This above snippet is functionally equivalent to:
+   * <pre>
+   *  dependencies {
+   *    compileOnly("org.apache.httpcomponents:httpclient:4.0")
+   *    testImplementation("org.apache.httpcomponents:httpclient:4.0")
+   *  }
+   * </pre>
+   *
+   *
+   * <p>This change was first introduced to help our dependency scanning tool, Snyk, understand
+   * that certain dependencies are not going to be included in the published artifact and therefore
+   * do not represent security vulnerabilities
+   *
+   * @param project to create the configuration in
+   */
+  private void createLibraryConfiguration(Project project) {
+    final Configuration libraryConfiguration = project.getConfigurations()
+        .create("library", files -> {
+          files.setCanBeConsumed(false);
+          files.setCanBeResolved(false);
+        });
+    // here, we manually copy dependencies added with the library configuration and add them to the
+    // testImplementation DependencySet as well. Inspired by https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/0b0516bd1a0599c8f536cc6b2151782000681f39/gradle/instrumentation-common.gradle#L46
+    libraryConfiguration.getDependencies().whenObjectAdded(
+        dependency -> {
+          final Dependency copy = dependency.copy();
+          project.getConfigurations().named("testImplementation").get().getDependencies().add(copy);
+        }
+    );
+    project.getConfigurations().named("compileOnly").get().extendsFrom(libraryConfiguration);
+  }
+
   private static class InstrumentationTestArgs implements CommandLineArgumentProvider {
+
     private final File bootstrapJar;
 
     @Internal

filter-api/build.gradle.kts

@@ -8,7 +8,7 @@ val versions: Map<String, String> by extra
 dependencies {
    api("io.opentelemetry:opentelemetry-api:${versions["opentelemetry"]}")
    api(project(":javaagent-core"))
-   implementation("com.google.auto.service:auto-service:1.0-rc7")
+   compileOnly("com.google.auto.service:auto-service-annotations:1.0")
    implementation("org.slf4j:slf4j-api:${versions["slf4j"]}")
-   annotationProcessor("com.google.auto.service:auto-service:1.0-rc7")
+   annotationProcessor("com.google.auto.service:auto-service:1.0")
 }

instrumentation/apache-httpasyncclient-4.1/build.gradle.kts

@@ -32,8 +32,7 @@ dependencies {
 
     api("io.opentelemetry.javaagent.instrumentation:opentelemetry-javaagent-apache-httpasyncclient-4.1:${versions["opentelemetry_java_agent"]}")
 
-    implementation("org.apache.httpcomponents:httpasyncclient:4.1")
-
-    testImplementation(project(":testing-common"))
+    library("org.apache.httpcomponents:httpasyncclient:4.1")
+     testImplementation(testFixtures(project(":testing-common")))
 }
 

instrumentation/apache-httpclient-4.0/build.gradle.kts

@@ -42,7 +42,7 @@ dependencies {
     api(project(":instrumentation:java-streams"))
     api("io.opentelemetry.javaagent.instrumentation:opentelemetry-javaagent-apache-httpclient-4.0:${versions["opentelemetry_java_agent"]}")
 
-    implementation("org.apache.httpcomponents:httpclient:4.0")
+    library("org.apache.httpcomponents:httpclient:4.0")
 
-    testImplementation(project(":testing-common"))
+     testImplementation(testFixtures(project(":testing-common")))
 }

instrumentation/build.gradle.kts

@@ -8,8 +8,8 @@ val versions: Map<String, String> by extra
 subprojects {
     dependencies {
         implementation("org.slf4j:slf4j-api:1.7.30")
-        implementation("com.google.auto.service:auto-service:1.0-rc7")
-        annotationProcessor("com.google.auto.service:auto-service:1.0-rc7")
+        compileOnly("com.google.auto.service:auto-service-annotations:1.0")
+        annotationProcessor("com.google.auto.service:auto-service:1.0")
         implementation("net.bytebuddy:byte-buddy:${versions["byte_buddy"]}")
 
         implementation("io.opentelemetry:opentelemetry-api:${versions["opentelemetry"]}")

instrumentation/grpc-1.5/build.gradle.kts

@@ -68,7 +68,7 @@ dependencies {
 
     implementation("javax.annotation:javax.annotation-api:1.3.2")
 
-    testImplementation(project(":testing-common"))
+     testImplementation(testFixtures(project(":testing-common")))
     testImplementation("io.grpc:grpc-core:${grpcVersion}") {
         version {
             strictly(grpcVersion)

instrumentation/java-streams/build.gradle.kts

@@ -20,5 +20,5 @@ afterEvaluate{
 }
 
 dependencies {
-    testImplementation(project(":testing-common"))
+     testImplementation(testFixtures(project(":testing-common")))
 }

instrumentation/jaxrs-client-2.0/build.gradle.kts

@@ -37,7 +37,7 @@ dependencies {
 
     compileOnly("javax.ws.rs:javax.ws.rs-api:2.0.1")
 
-    testImplementation(project(":testing-common"))
+     testImplementation(testFixtures(project(":testing-common")))
     testImplementation("org.glassfish.jersey.core:jersey-client:2.27")
     testImplementation("org.glassfish.jersey.inject:jersey-hk2:2.27")
 }

instrumentation/micronaut-1.0/build.gradle.kts

@@ -11,7 +11,7 @@ dependencies {
     implementation(project(":instrumentation:netty:netty-4.1"))
     implementation("io.opentelemetry.javaagent.instrumentation:opentelemetry-javaagent-netty-4.1:${versions["opentelemetry_java_agent"]}")
 
-    testImplementation(project(":testing-common"))
+    testImplementation(testFixtures(project(":testing-common")))
     testImplementation("io.micronaut.test:micronaut-test-junit5:${micronautTestVersion}")
     testImplementation("io.micronaut:micronaut-http-server-netty:${micronautVersion}")
     testImplementation("io.micronaut:micronaut-runtime:${micronautVersion}")
@@ -27,7 +27,7 @@ for (version in listOf(micronaut2Version)) {
         extendsFrom(configurations.runtimeClasspath.get())
     }
     dependencies {
-        versionedConfiguration(project(":testing-common"))
+        versionedConfiguration(testFixtures(project(":testing-common")))
         versionedConfiguration("io.micronaut.test:micronaut-test-junit5:${micronautTestVersion}")
         versionedConfiguration("io.micronaut:micronaut-http-server-netty:${version}")
         versionedConfiguration("io.micronaut:micronaut-http-client:${version}")