spring-beans: uses version with CVEs only via invoker

context/log4j12/pom.xml

@@ -29,7 +29,6 @@
     <!-- Matches Export-Package in bnd.bnd -->
     <module.name>brave.context.log4j12</module.name>
 
-    <log4j12.version>1.2.17</log4j12.version>
     <main.basedir>${project.basedir}/../..</main.basedir>
   </properties>
 

context/log4j12/src/it/log4j12/src/test/resources/log4j.properties

@@ -1,17 +1,3 @@
-#
-# Copyright 2013-2024 The OpenZipkin Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
-# in compliance with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software distributed under the License
-# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
-# or implied. See the License for the specific language governing permissions and limitations under
-# the License.
-#
-
 log4j.rootLogger=INFO, console
 log4j.appender.console=org.apache.log4j.ConsoleAppender
 log4j.appender.console.layout=org.apache.log4j.PatternLayout

instrumentation/spring-web/pom.xml

@@ -41,6 +41,7 @@
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-web</artifactId>
+      <!-- TODO: revlocked at spring 5. We may need a new module for v6 -->
       <version>${spring5.version}</version>
       <scope>provided</scope>
     </dependency>
@@ -109,7 +110,7 @@
             <DynamicDependency>
               <groupId>org.springframework</groupId>
               <artifactId>spring-web</artifactId>
-              <version>${spring.version}</version>
+              <version>${spring3.version}</version>
               <repositoryType>MAIN</repositoryType>
               <type>jar</type>
             </DynamicDependency>

instrumentation/spring-web/src/it/spring3/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright 2013-2023 The OpenZipkin Authors
+    Copyright 2013-2024 The OpenZipkin Authors
 
     Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
     in compliance with the License. You may obtain a copy of the License at
@@ -36,7 +36,7 @@
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-web</artifactId>
-      <version>@spring.version@</version>
+      <version>@spring3.version@</version>
       <scope>provided</scope>
     </dependency>
 

instrumentation/spring-webmvc/pom.xml

@@ -68,9 +68,48 @@
 
   <build>
     <plugins>
+      <!-- Test org.springframework:spring-beans dep via invoker -->
       <plugin>
         <artifactId>maven-invoker-plugin</artifactId>
       </plugin>
+      <plugin>
+        <groupId>de.qaware.maven</groupId>
+        <artifactId>go-offline-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>resolve-dependencies</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <!-- Add dependencies specific to invoker tests so that they cache on go-offline -->
+          <dynamicDependencies>
+            <DynamicDependency>
+              <groupId>org.eclipse.jetty</groupId>
+              <artifactId>jetty-servlet</artifactId>
+              <version>${jetty-servlet25.version}</version>
+              <repositoryType>MAIN</repositoryType>
+              <type>jar</type>
+            </DynamicDependency>
+            <DynamicDependency>
+              <groupId>org.springframework</groupId>
+              <artifactId>spring-webmvc</artifactId>
+              <version>${spring25.version}</version>
+              <repositoryType>MAIN</repositoryType>
+              <type>jar</type>
+            </DynamicDependency>
+            <DynamicDependency>
+              <groupId>org.springframework</groupId>
+              <artifactId>spring-webmvc</artifactId>
+              <version>${spring3.version}</version>
+              <repositoryType>MAIN</repositoryType>
+              <type>jar</type>
+            </DynamicDependency>
+          </dynamicDependencies>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
 

instrumentation/spring-webmvc/src/it/servlet25/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright 2013-2023 The OpenZipkin Authors
+    Copyright 2013-2024 The OpenZipkin Authors
 
     Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
     in compliance with the License. You may obtain a copy of the License at
@@ -40,7 +40,7 @@
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-webmvc</artifactId>
-      <version>@spring.version@</version>
+      <version>@spring3.version@</version>
       <scope>provided</scope>
     </dependency>
 

instrumentation/spring-webmvc/src/it/spring25/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright 2013-2023 The OpenZipkin Authors
+    Copyright 2013-2024 The OpenZipkin Authors
 
     Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
     in compliance with the License. You may obtain a copy of the License at
@@ -40,7 +40,7 @@
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-webmvc</artifactId>
-      <version>2.5.6</version>
+      <version>@spring25.version@</version>
       <scope>provided</scope>
     </dependency>
 

pom.xml

@@ -87,9 +87,13 @@
     <!-- to test @Inject annotations. Note 7.x is for jakarta annotations! -->
     <guice.version>6.0.0</guice.version>
 
+    <!-- Note: Spring 6 is JDK 17 bytecode, so we can't update to it until we
+         stop supporting Java 6 compilation target, or change our release to
+         use multiple tool chains. -->
+    <spring5.version>5.3.32</spring5.version>
     <!-- Ensure older versions of spring still work -->
-    <spring5.version>5.3.31</spring5.version>
-    <spring.version>3.2.18.RELEASE</spring.version>
+    <spring25.version>2.5.6</spring25.version>
+    <spring3.version>3.2.18.RELEASE</spring3.version>
 
     <!-- Apis used, but not in Jetty 7.6* imply duplication in servlet25 test fixtures -->
     <jetty.version>9.4.53.v20231009</jetty.version>
@@ -103,12 +107,14 @@
     <kafka.version>3.6.1</kafka.version>
     <activemq.version>5.18.3</activemq.version>
     <activemq.artemis.version>2.31.2</activemq.artemis.version>
-    <!-- TODO: reflection drift after this version -->
+    <!-- TODO: reflection drift after this version. Make changes as necessary
+         and add an invoker test that 2.3.6 still works. -->
     <spring-rabbit.version>2.3.6</spring-rabbit.version>
 
     <!-- TODO: update and fix drift or remove the FinagleContextInteropTest -->
     <finagle.version>20.12.0</finagle.version>
-    <log4j.version>2.22.1</log4j.version>
+    <log4j.version>2.23.0</log4j.version>
+    <log4j12.version>1.2.17</log4j12.version>
     <okhttp.version>4.12.0</okhttp.version>
     <httpclient.version>4.5.14</httpclient.version>
 
@@ -123,9 +129,9 @@
     <httpasyncclient.version>4.1.5</httpasyncclient.version>
 
     <!-- Test only dependencies -->
-    <junit-jupiter.version>5.10.1</junit-jupiter.version>
-    <assertj.version>3.25.1</assertj.version>
-    <mockito.version>5.8.0</mockito.version>
+    <junit-jupiter.version>5.10.2</junit-jupiter.version>
+    <assertj.version>3.25.3</assertj.version>
+    <mockito.version>5.10.0</mockito.version>
     <jersey.version>2.41</jersey.version>
     <testcontainers.version>1.19.3</testcontainers.version>
 
@@ -501,6 +507,7 @@
           <excludes>
             <exclude>**/jetty-logging.properties</exclude>
             <exclude>**/log4j2.properties</exclude>
+            <exclude>**/log4j.properties</exclude>
             <exclude>.editorconfig</exclude>
             <exclude>.gitattributes</exclude>
             <exclude>.gitignore</exclude>

spring-beans/pom.xml

@@ -54,10 +54,11 @@
       <artifactId>brave-instrumentation-rpc</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <!-- Use latest spring dep to avoid CVE warnings in main -->
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-beans</artifactId>
-      <version>2.5.6</version>
+      <version>${spring5.version}</version>
       <scope>provided</scope>
     </dependency>
     <dependency>
@@ -68,6 +69,46 @@
     </dependency>
   </dependencies>
 
+  <build>
+    <plugins>
+      <!-- Test org.springframework:spring-beans dep via invoker -->
+      <plugin>
+        <artifactId>maven-invoker-plugin</artifactId>
+      </plugin>
+      <plugin>
+        <groupId>de.qaware.maven</groupId>
+        <artifactId>go-offline-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>resolve-dependencies</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <!-- Add dependencies specific to invoker tests so that they cache on go-offline -->
+          <dynamicDependencies>
+            <DynamicDependency>
+              <groupId>log4j</groupId>
+              <artifactId>log4j</artifactId>
+              <version>${log4j12.version}</version>
+              <repositoryType>MAIN</repositoryType>
+              <type>jar</type>
+            </DynamicDependency>
+            <DynamicDependency>
+              <groupId>org.springframework</groupId>
+              <artifactId>spring-beans</artifactId>
+              <version>${spring25.version}</version>
+              <repositoryType>MAIN</repositoryType>
+              <type>jar</type>
+            </DynamicDependency>
+          </dynamicDependencies>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
   <profiles>
     <profile>
       <id>release</id>

spring-beans/src/it/spring25/README.md

@@ -0,0 +1,2 @@
+# spring25
+This tests that the brave.spring.beans package does not rely on Spring 3+ APIs.

spring-beans/src/it/spring25/pom.xml

@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright 2013-2024 The OpenZipkin Authors
+
+    Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+    in compliance with the License. You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software distributed under the License
+    is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+    or implied. See the License for the specific language governing permissions and limitations under
+    the License.
+
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>@project.groupId@</groupId>
+  <artifactId>spring25</artifactId>
+  <version>@project.version@</version>
+  <name>spring25</name>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <project.build.resourceEncoding>UTF-8</project.build.resourceEncoding>
+
+    <maven.compiler.source>1.8</maven.compiler.source>
+    <maven.compiler.target>1.8</maven.compiler.target>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>brave-spring-beans</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-beans</artifactId>
+      <version>@spring25.version@</version>
+      <scope>provided</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>brave-tests</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter</artifactId>
+      <version>@junit-jupiter.version@</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.assertj</groupId>
+      <artifactId>assertj-core</artifactId>
+      <version>@assertj.version@</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-junit-jupiter</artifactId>
+      <version>@mockito.version@</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>brave-context-log4j12</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>log4j</groupId>
+      <artifactId>log4j</artifactId>
+      <version>@log4j12.version@</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <testSourceDirectory>@project.build.testSourceDirectory@</testSourceDirectory>
+    <plugins>
+      <plugin>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>@maven-surefire-plugin.version@</version>
+        <configuration>
+          <!-- This helps with mistakes, e.g. testSourceDirectory is wrong -->
+          <failIfNoTests>true</failIfNoTests>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

spring-beans/src/it/spring25/src/test/resources/log4j.properties

@@ -0,0 +1,5 @@
+log4j.rootLogger=WARN, console
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=[%d{dd MMM yyyy HH:mm:ss,SSS}] - %m%n
+