github prometheus/jmx_exporter parent-0.16.0
0.16.0 / 2021-07-04


Update SnakeYAML Dependency Version (#592)

Starting with version 0.16.0, the Java agent is released in two versions:

Both versions are built from the same source files and have identical functionality. The only difference is the version of the included snakeyaml dependency.

jmx_exporter uses the snakeyaml library to read the YAML configuration file. Snakeyaml 1.23 is the last release to support Java 6. This version is affected by CVE-2017-18640, which can cause snakeyaml to execute arbitrary code if the YAML file comes from an untrusted source.

This vulnerability does not apply in the context of jmx_exporter, because the agent configuration will not come from an untrusted source. However, even if there is no actual security risk, users find it annoying that their automated security scans report a CVE. To prevent this, we published a version with an updated snakeyaml dependency that requires Java >= 7.

Other Changes

  • [BUGFIX] Leverages the interpolated help when the matching rule is cached (fixes #612) (#613)
  • [ENHANCEMENT] Automated integration tests of different Java versions using Testcontainers. Docker needs to be installed on a system in order to run ./mvnw verify.
  • [ENHANCEMENT] Bump logback-classic version (#617)
  • [ENHANCEMENT] Update to client_java 0.11.0
  • [ENHANCEMENT] Added support for java.util.Optional (the SonarQube maintainers had this weird idea of an Optional<Long> property in an MBean)
