From a620983fb1a7a62a47ddf933723a3bf925e0586e Mon Sep 17 00:00:00 2001
From: Tyler Benson
Date: Mon, 14 Jan 2019 14:46:59 -0500
Subject: [PATCH 1/4] Upgrade jackson to 2.9.8

There is a vulerability in prior versions, per the following CVE:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000873
---
 gradle/dependencies.gradle | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index cea3e45c9f..425c3ed9a0 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -7,8 +7,7 @@ ext {
 slf4j : "1.7.25",
 guava : "20.0", // Last version to support Java 7
- jackson : "2.6.3", // This is a transitive dependency for the tracer.
- // Use an old version to not force an upgrade for others using tracer as a dependency.
+ jackson : "2.9.8", // https://nvd.nist.gov/vuln/detail/CVE-2018-1000873
 spock : "1.2-groovy-$spockGroovyVer",
 groovy : groovyVer,
From 95c1c477993e9e5dfcf032963f44aa674f6add04 Mon Sep 17 00:00:00 2001
From: Nikolay Martynov
Date: Tue, 15 Jan 2019 14:46:51 -0500
Subject: [PATCH 2/4] Fix JsonSpan boolean conversion problem

It looks like with newer Jackson we cannot convert number to boolean anymore. So we have to do this manually.
---
 .../src/test/groovy/datadog/trace/tracer/JsonSpan.groovy | 8 ++++++--
 .../datadog/trace/tracer/writer/AgentClientTest.groovy | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/dd-trace/src/test/groovy/datadog/trace/tracer/JsonSpan.groovy b/dd-trace/src/test/groovy/datadog/trace/tracer/JsonSpan.groovy
index c6a9948343..4731ba6f82 100644
--- a/dd-trace/src/test/groovy/datadog/trace/tracer/JsonSpan.groovy
+++ b/dd-trace/src/test/groovy/datadog/trace/tracer/JsonSpan.groovy
@@ -3,11 +3,13 @@ package datadog.trace.tracer
 import com.fasterxml.jackson.annotation.JsonCreator
 import com.fasterxml.jackson.annotation.JsonProperty
 import groovy.transform.EqualsAndHashCode
+import groovy.transform.ToString
 /**
 * Helper class to parse serialized span to verify serialization logic
 */
 @EqualsAndHashCode
+@ToString
 class JsonSpan {
 @JsonProperty("trace_id")
 BigInteger traceId
@@ -31,7 +33,9 @@ class JsonSpan {
 String name
 @JsonProperty("error")
- boolean error
+ // Somehow MsgPack formatter can not convert number to boolean with newer jackson so we have to do this manually
+ //@JsonFormat(shape = JsonFormat.Shape.NUMBER)
+ int error
 @JsonProperty("meta")
 Map meta
@@ -52,7 +56,7 @@ class JsonSpan {
 type = span.getType()
 name = span.getName()
- error = span.isErrored()
+ error = span.isErrored() ? 1 : 0
 meta = span.getMeta()
 }
diff --git a/dd-trace/src/test/groovy/datadog/trace/tracer/writer/AgentClientTest.groovy b/dd-trace/src/test/groovy/datadog/trace/tracer/writer/AgentClientTest.groovy
index 74c1dcb84b..002b372296 100644
--- a/dd-trace/src/test/groovy/datadog/trace/tracer/writer/AgentClientTest.groovy
+++ b/dd-trace/src/test/groovy/datadog/trace/tracer/writer/AgentClientTest.groovy
@@ -72,6 +72,7 @@ class AgentClientTest extends Specification {
 response.getRate("another test") == 0.2d
 response.getRate("doesn't exist") == null
 and: "request got expected parameters"
+ byte[] requestBody = null
 verify(putRequestedFor(urlEqualTo(AgentClient.TRACES_ENDPOINT))
 .withHeader(AgentClient.CONTENT_TYPE, equalTo(AgentClient.MSGPACK))
 .withHeader(AgentClient.DATADOG_META_LANG, equalTo("java"))
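Review bot: The commented-out `//@JsonFormat(shape = JsonFormat.Shape.NUMBER)` line in the second JsonSpan.groovy hunk is dead code left between `@JsonProperty("error")` and the field, and the "Somehow MsgPack formatter ..." comment above it never states what the serialized value looks like. I would delete the dead annotation and replace both lines with `// "error" is serialized as an integer flag (0 or 1); kept as int because newer Jackson does not convert it to boolean here`. The constructor change in the third hunk (`span.isErrored() ? 1 : 0`) depends on the same convention, so the field is the right place to document it. The class body continues outside these hunks.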
@@ -81,9 +82,12 @@ class AgentClientTest extends Specification {
 // .withHeader(AgentClient.DATADOG_META_TRACER_VERSION, equalTo("java"))
 .withHeader(AgentClient.X_DATADOG_TRACE_COUNT, equalTo(Integer.toString(TRACE_COUNT)))
 .andMatching({ Request request ->
- // Note: it is hard to see what's wrong when this fails... is there a better way?
- MatchResult.of(objectMapper.readValue(request.getBody(), new TypeReference>>() {}) == traces.collect {it.getSpans().collect {new JsonSpan(it)}})
+ requestBody = request.getBody()
+ MatchResult.of(true)
 }))
+ objectMapper.readValue(requestBody, new TypeReference>>() {}) == traces.collect {
+ it.getSpans().collect { new JsonSpan(it) }
+ }
 }
 def "test send empty list"() {
From fe3ebceba93398919fc4ddb4dfa4ac554e1e03fe Mon Sep 17 00:00:00 2001
From: Tyler Benson
Date: Wed, 16 Jan 2019 13:27:04 -0500
Subject: [PATCH 3/4] Add jackson smile dep for old ES tests.

---
 .../elasticsearch-transport-2.gradle | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dd-java-agent/instrumentation/elasticsearch-transport-2/elasticsearch-transport-2.gradle b/dd-java-agent/instrumentation/elasticsearch-transport-2/elasticsearch-transport-2.gradle
index d192c6c28f..4e8aaf10ff 100644
--- a/dd-java-agent/instrumentation/elasticsearch-transport-2/elasticsearch-transport-2.gradle
+++ b/dd-java-agent/instrumentation/elasticsearch-transport-2/elasticsearch-transport-2.gradle
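Review bot: `requestBody` is still `null` if the `andMatching` closure never runs, and the new `objectMapper.readValue(requestBody, ...)` line would then fail with an exception from Jackson instead of a readable condition failure. The closure now always returns `MatchResult.of(true)`, so it serves only as a capture hook. Depending on how WireMock evaluates the pattern it may also run for requests that do not satisfy the header matchers, which would capture the wrong body; this is worth confirming. Adding `requestBody != null` as its own condition line directly before the `readValue` comparison keeps the failure self-explanatory. The `byte[] requestBody = null` declaration is in the previous hunk of this file, and the feature method starts outside both hunks.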
@@ -44,6 +44,10 @@ dependencies {
 testCompile group: 'net.java.dev.jna', name: 'jna', version: '4.5.1'
 testCompile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.11.0'
 testCompile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.11.0'
+
+ testCompile group: 'com.fasterxml.jackson.dataformat', name: 'jackson-dataformat-smile', version: versions.jackson
+ // ^ is needed because we are using a newer version of jackson that isn't compatible without this.
+
 latestDepTestCompile group: 'org.elasticsearch', name: 'elasticsearch', version: '2.4.6'
 latestDepTestCompile group: 'org.springframework.data', name: 'spring-data-elasticsearch', version: '2.1.15.RELEASE'
From a411f7cc5e6bd032e1d9f9ca9cedb160db1e1493 Mon Sep 17 00:00:00 2001
From: Tyler Benson
Date: Wed, 16 Jan 2019 13:46:20 -0500
Subject: [PATCH 4/4] Upgrade jackson-dataformat-msgpack to 0.8.16

---
 dd-trace-ot/dd-trace-ot.gradle | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/dd-trace-ot/dd-trace-ot.gradle b/dd-trace-ot/dd-trace-ot.gradle
index e59b0678df..966b3cd543 100644
--- a/dd-trace-ot/dd-trace-ot.gradle
+++ b/dd-trace-ot/dd-trace-ot.gradle
@@ -31,9 +31,7 @@ dependencies {
 compile deps.jackson
 compile deps.slf4j
- // any higher versions seems to break ES tests with this exception:
- // java.lang.NoSuchMethodError: com.fasterxml.jackson.dataformat.smile.SmileGenerator.getOutputContext()
- compile group: 'org.msgpack', name: 'jackson-dataformat-msgpack', version: '0.8.14'
+ compile group: 'org.msgpack', name: 'jackson-dataformat-msgpack', version: '0.8.16'
 // We have autoservices defined in test subtree, looks like we need this to be able to properly rebuild this
 testAnnotationProcessor deps.autoservice
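Review bot: The comment `// ^ is needed because we are using a newer version of jackson that isn't compatible without this.` in the elasticsearch-transport-2.gradle hunk does not say what actually breaks, so a later reader cannot tell when the pin may be dropped. The comment that patch 4 deletes from dd-trace-ot.gradle names the failure, and I would carry it over here: `// Without a jackson-dataformat-smile matching versions.jackson the ES tests fail with NoSuchMethodError: SmileGenerator.getOutputContext()`. Presumably the older smile artifact arrives transitively through Elasticsearch, but that is not visible in this hunk. The dependency is added to `testCompile` only, and whether `latestDepTestCompile` inherits it depends on configuration wiring outside the hunk.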