This PR gives classes defined in agent and extension class loaders all
permissions. Injected helper classes are also defined with all
permissions. Agent startup is altered so that we won't call methods that
require permission before we are able to get those permissions.
This PR does not attempt to address issues where agent code could allow
user code to circumvent the security manager, e.g.
https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/InstrumentationHolder.java
gives access to `Instrumentation` that could be used to redefine classes
and remove security checks. Also, this PR does not address failed
permission checks that could arise from user code calling agent code.
When user code that does not have privileges calls agent code that has
the privileges, and the agent code performs a sensitive operation, then
the permission check would fail because it is performed for all calling
classes, including the user classes. To fix this, agent code should use
`AccessController.doPrivileged`, which basically means: "hey, I have
done all the checks, run this call with my privileges and ignore the
privileges of my callers".
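The stack-walk behaviour described in that PR text is easy to get wrong, so here is an added, self-contained Java demo of it. It is not code from the PR or from opentelemetry-java-instrumentation: a stand-in "agent" class (`AgentImpl`, an assumed name) is re-defined by a small custom loader into its own `ProtectionDomain` carrying `AllPermission`, while the calling `main` class stays in the ordinary application domain, which the JDK's default policy grants almost nothing. The chosen sensitive operation, `System.getenv("HOME")` guarded by `RuntimePermission("getenv.HOME")`, and the class and loader names are assumptions for the illustration only.

```java
import java.io.InputStream;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class DoPrivilegedDemo {

  // Shared interface, loaded by the application class loader so that both
  // protection domains agree on the type.
  public interface Agent {
    String naive();
    String privileged();
  }

  // Stand-in for agent code (assumed name). AgentLoader below re-defines it
  // into its own ProtectionDomain that carries AllPermission.
  public static class AgentImpl implements Agent, PrivilegedAction<String> {

    // Sensitive operation performed directly. The permission check walks every
    // frame on the stack, so an unprivileged caller makes it fail even though
    // this class itself has AllPermission.
    @Override
    public String naive() {
      return System.getenv("HOME");
    }

    // The same operation wrapped in doPrivileged: the stack walk stops at this
    // frame, so only the agent's own domain is consulted. Validate any input
    // that came from the caller before this point and keep the privileged
    // region as small as possible; otherwise the agent becomes a confused
    // deputy that launders operations for unprivileged code.
    @Override
    public String privileged() {
      return AccessController.doPrivileged(this);
    }

    // Body of the privileged region (PrivilegedAction.run).
    @Override
    public String run() {
      return System.getenv("HOME");
    }
  }

  // Defines AgentImpl from its own bytecode into a domain with AllPermission.
  // This is the demo's substitute for an agent class loader.
  static final class AgentLoader extends ClassLoader {
    AgentLoader(ClassLoader parent) {
      super(parent);
    }

    Class<?> defineAgent() throws Exception {
      String resource = AgentImpl.class.getName().replace('.', '/') + ".class";
      byte[] bytes;
      try (InputStream in = getParent().getResourceAsStream(resource)) {
        if (in == null) {
          throw new IllegalStateException("class file not found: " + resource);
        }
        bytes = in.readAllBytes();
      }
      Permissions all = new Permissions();
      all.add(new AllPermission());
      ProtectionDomain agentDomain = new ProtectionDomain(null, all, this, null);
      // defineClass (not loadClass) so this copy lives in this loader and domain,
      // distinct from the application loader's copy of the same class.
      return defineClass(AgentImpl.class.getName(), bytes, 0, bytes.length, agentDomain);
    }
  }

  public static void main(String[] args) throws Exception {
    // Build the loader and the agent instance before installing the security
    // manager: afterwards the application domain would need
    // RuntimePermission("createClassLoader"), which the default policy denies.
    Agent agent = (Agent) new AgentLoader(DoPrivilegedDemo.class.getClassLoader())
        .defineAgent().getDeclaredConstructor().newInstance();

    // The default policy grants application code neither AllPermission nor
    // RuntimePermission("getenv.HOME"), so this main class plays the
    // unprivileged "user code" that calls into the agent.
    System.setSecurityManager(new SecurityManager());

    try {
      agent.naive();
      System.out.println("naive call: permitted");
    } catch (SecurityException e) {
      System.out.println("naive call: " + e.getMessage());
    }

    System.out.println("privileged call: HOME=" + agent.privileged());
  }
}
```

Compile with `javac DoPrivilegedDemo.java` and run with `java DoPrivilegedDemo` on JDK 17; on JDK 18 to 23 the JVM refuses `setSecurityManager` unless started with `-Djava.security.manager=allow`, and from JDK 24 (JEP 486) the security manager is permanently disabled and the call throws `UnsupportedOperationException`, so the whole mechanism this PR targets only exists on older runtimes. The naive call is meant to be denied because the unprivileged `main` frame is part of the checked context, while the `doPrivileged` call should succeed because the walk stops at the agent's frame. The single-argument `doPrivileged` used here discards the callers' restrictions entirely; the overloads that take an `AccessControlContext` exist for the cases where an agent wants to retain some of them.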
Bumps [io.grpc:grpc-bom](https://github.com/grpc/grpc-java) from 1.53.0
to 1.54.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e988f84d14"><code>e988f84</code></a>
Bump version to 1.54.0</li>
<li><a
href="abdb6980ec"><code>abdb698</code></a>
Update README etc to reference 1.54.0</li>
<li><a
href="61ec299352"><code>61ec299</code></a>
Remove sleep from Observability Interop Test binary now that its done in
clos...</li>
<li><a
href="9f26b7dd08"><code>9f26b7d</code></a>
gcp-o11y: add default custom tag for metrics exporter</li>
<li><a
href="fefa2d9b16"><code>fefa2d9</code></a>
examples: add gcp-observability examples (v1.54.x backport) (<a
href="https://redirect.github.com/grpc/grpc-java/issues/9987">#9987</a>)</li>
<li><a
href="882a27bcb6"><code>882a27b</code></a>
gcp-o11y: add sleep in Observability close()</li>
<li><a
href="2e41c9a5cb"><code>2e41c9a</code></a>
disable recording real-time metrics using in gcp-o11y</li>
<li><a
href="132bf3e573"><code>132bf3e</code></a>
interop-testing: Do not System.exit(0) from interop client</li>
<li><a
href="85ce900dfc"><code>85ce900</code></a>
gcp-observability, census: add trace information to logs (<a
href="https://redirect.github.com/grpc/grpc-java/issues/9963">#9963</a>)</li>
<li><a
href="bb39ca3ec9"><code>bb39ca3</code></a>
gcp-observability: Update logging fields for GA and use custom
BatchingSettin...</li>
<li>Additional commits viewable in <a
href="https://github.com/grpc/grpc-java/compare/v1.53.0...v1.54.0">compare
view</a></li>
</ul>
</details>
You can trigger a rebase of this PR by commenting `@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps io.quarkus from 2.16.4.Final to 2.16.5.Final.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[io.quarkus.platform:quarkus-bom](https://github.com/quarkusio/quarkus-platform)
from 2.16.4.Final to 2.16.5.Final.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a50db2af02"><code>a50db2a</code></a>
[maven-release-plugin] prepare release 2.16.5.Final</li>
<li><a
href="cf4efaeb14"><code>cf4efae</code></a>
Merge pull request <a
href="https://redirect.github.com/quarkusio/quarkus-platform/issues/793">#793</a>
from gsmet/quarkus-2.16.5</li>
<li><a
href="3510fd1737"><code>3510fd1</code></a>
Upgrade to Quarkus 2.16.5.Final</li>
<li><a
href="92d3885bd3"><code>92d3885</code></a>
Merge pull request <a
href="https://redirect.github.com/quarkusio/quarkus-platform/issues/784">#784</a>
from aloubyansky/2.16-sbom</li>
<li><a
href="181d0015a3"><code>181d001</code></a>
Refactor depsToBuild profile to sbom and generate SBOMs with appropriate
file...</li>
<li><a
href="44fcf9fd36"><code>44fcf9f</code></a>
Merge pull request <a
href="https://redirect.github.com/quarkusio/quarkus-platform/issues/779">#779</a>
from kie-ci/drools_kogito_optaplanner_1.35_8.35</li>
<li><a
href="b6783c3b01"><code>b6783c3</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li><a
href="d5e2c03f55"><code>d5e2c03</code></a>
Bump up kogito to 1.35.0.Final</li>
<li>See full diff in <a
href="https://github.com/quarkusio/quarkus-platform/compare/2.16.4.Final...2.16.5.Final">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Add application name to spring boot smoke test app so that it could be
used for testing spring boot service name auto detection. Also fixes
logging dependencies.
Bumps com.google.protobuf:protobuf-java-util from 3.22.0 to 3.22.2.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[io.quarkus.platform:quarkus-bom](https://github.com/quarkusio/quarkus-platform)
from 2.16.3.Final to 2.16.4.Final.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4d34799461"><code>4d34799</code></a>
[maven-release-plugin] prepare release 2.16.4.Final</li>
<li><a
href="96101cf3a3"><code>96101cf</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/quarkusio/quarkus-platform/issues/778">#778</a>
from metacosm/2.16</li>
<li><a
href="50bae2c2ed"><code>50bae2c</code></a>
Update to Quarkus 2.16.4.Final</li>
<li><a
href="3ddee572e2"><code>3ddee57</code></a>
Update QOSDK to 5.1.1, skipping failing tests for now</li>
<li><a
href="e241821a11"><code>e241821</code></a>
Update QOSDK to 5.1.0</li>
<li><a
href="00b4468063"><code>00b4468</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/quarkusio/quarkus-platform/issues/775">#775</a>
from Naros/debezium-2.1.2-upgrade-2.16</li>
<li><a
href="e4a62d3077"><code>e4a62d3</code></a>
Upgrade to Debezium 2.1.2.Final</li>
<li><a
href="6a7cd63b3e"><code>6a7cd63</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/quarkusio/quarkus-platform/issues/774">#774</a>
from loicmathieu/gcp-1-4-0</li>
<li><a
href="05b61d3147"><code>05b61d3</code></a>
Upgrade to Google Cloud Services 1.4</li>
<li><a
href="03ed71ad15"><code>03ed71a</code></a>
[maven-release-plugin] prepare for next development iteration</li>
<li>See full diff in <a
href="https://github.com/quarkusio/quarkus-platform/compare/2.16.3.Final...2.16.4.Final">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps io.quarkus from 2.16.3.Final to 2.16.4.Final.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>