
Bump the root-gradle-deps group with 6 updates #1523

Closed


dependabot[bot]

@dependabot dependabot bot commented on behalf of github Dec 19, 2023

Bumps the root-gradle-deps group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| com.google.guava:guava | 32.1.3-jre | 33.0.0-jre |
| com.amazonaws:aws-java-sdk-bom | 1.12.618 | 1.12.621 |
| io.zipkin.zipkin2:zipkin | 2.25.0 | 2.25.2 |
| io.zipkin.reporter2:zipkin-sender-okhttp3 | 2.16.5 | 2.17.1 |
| io.zipkin.brave:brave | 5.16.0 | 5.17.0 |
| software.amazon.awssdk:s3 | 2.21.44 | 2.22.1 |

Updates com.google.guava:guava from 32.1.3-jre to 33.0.0-jre

Release notes

Sourced from com.google.guava:guava's releases.

33.0.0

Maven

<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
  <version>33.0.0-jre</version>
  <!-- or, for Android: -->
  <version>33.0.0-android</version>
</dependency>

Jar files

Guava requires one runtime dependency, which you can download here:

Javadoc

JDiff

Changelog

  • This version of guava-android contains some package-private methods whose signature includes the Java 8 Collector API. This is a test to identify any problems before we expose those methods publicly to users. Please report any problems that you encounter. (73dbf7ef26)
  • Changed various classes to catch Exception instead of RuntimeException even when only RuntimeException is theoretically possible. This can help code that throws undeclared exceptions, as some bytecode rewriters (e.g., Robolectric) and languages (e.g., Kotlin) do. (c294c23760, 747924e, b2baf48)
  • Added an Automatic-Module-Name to failureaccess, Guava's one strong runtime dependency. (280b5d2f60)
  • reflect: In guava-android only, removed Invokable.getAnnotatedReturnType() and Parameter.getAnnotatedType(). These methods never worked in an Android VM, and to reflect that, they were born @Deprecated, @Beta, and @DoNotCall. They're now preventing us from rolling out some new Android compatibility testing. This is the only binary-incompatible change in this release, and it should have no effect in practice. Still, we bump the major version number to follow Semantic Versioning. (045cd8428f)
  • util.concurrent: Changed our implementations to avoid eagerly initializing loggers during class loading. This can help performance, especially under Android. (4fe1df56bd)
Commits

Updates com.amazonaws:aws-java-sdk-bom from 1.12.618 to 1.12.621

Changelog

Sourced from com.amazonaws:aws-java-sdk-bom's changelog.

1.12.621 2023-12-18

Amazon Cognito Identity Provider

  • Features

    • Amazon Cognito now supports trigger versions that define the fields in the request sent to pre token generation Lambda triggers.

Amazon Elastic Kubernetes Service

  • Features

    • Add support for EKS Cluster Access Management.

Amazon QuickSight

  • Features

    • A docs-only release to add missing entities to the API reference.

Amazon Route 53 Resolver

  • Features

    • Add DOH protocols in resolver endpoints.

1.12.620 2023-12-15

AWS Cloud9

  • Features

    • Updated Cloud9 API documentation for AL2023 release

AWS Key Management Service

  • Features

    • Documentation updates for AWS Key Management Service

Amazon Connect Cases

  • Features

    • Increase number of fields that can be included in CaseEventIncludedData from 50 to 200

Amazon Connect Service

  • Features

    • Adds relatedContactId field to StartOutboundVoiceContact API input. Introduces PauseContact API and ResumeContact API for Task contacts. Adds pause duration, number of pauses, timestamps for last paused and resumed events to DescribeContact API response. Adds new Rule type and new Rule action.

Amazon Relational Database Service

  • Features

    • Updates Amazon RDS documentation by adding code examples

Amazon SageMaker Service

  • Features

    • This release 1) introduces a new API: DeleteCompilationJob , and 2) adds InfraCheckConfig for Create/Describe training job API

1.12.619 2023-12-14

AWS B2B Data Interchange

  • Features

    • Documentation updates for AWS B2B Data Interchange

AWS Control Tower

  • Features

    • Documentation updates for AWS Control Tower.

... (truncated)

Commits
  • 63d0d92 AWS SDK for Java 1.12.621
  • 5d37c21 Update GitHub version number to 1.12.621-SNAPSHOT
  • 5adcac6 AWS SDK for Java 1.12.620
  • 01f4bc6 Update GitHub version number to 1.12.620-SNAPSHOT
  • dab46bf AWS SDK for Java 1.12.619
  • 9cc6f68 Update GitHub version number to 1.12.619-SNAPSHOT
  • See full diff in compare view

Updates io.zipkin.zipkin2:zipkin from 2.25.0 to 2.25.2

Release notes

Sourced from io.zipkin.zipkin2:zipkin's releases.

Zipkin 2.25.2 adds the ppc64le architecture to our production zipkin and zipkin-slim images. It also fixes a couple docker crashes when run on Apple Silicon. Finally, we documented how to run the Elasticsearch Service Dependencies graph job ad-hoc, as it has been frequently asked about.

Special thanks to @NishikantThorat from Knative for the help progressing ppc64le, as well as @anuraaga for lots of review support.

Full Changelog: openzipkin/zipkin@2.25.1...2.25.2

Zipkin 2.25.1 sets a milestone where a trivy scan of our openzipkin/zipkin:2.25.1 docker image came clear of all vulnerabilities:

$ trivy image openzipkin/zipkin:2.25.1
2023-12-14T21:38:42.716+0700	INFO	Vulnerability scanning is enabled
2023-12-14T21:38:42.717+0700	INFO	Secret scanning is enabled
2023-12-14T21:38:42.717+0700	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-14T21:38:42.717+0700	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-14T21:38:47.299+0700	INFO	Detected OS: alpine
2023-12-14T21:38:47.299+0700	WARN	This OS version is not on the EOL list: alpine 3.19
2023-12-14T21:38:47.299+0700	INFO	Detecting Alpine vulnerabilities...
2023-12-14T21:38:47.301+0700	INFO	Number of language-specific files: 1
2023-12-14T21:38:47.301+0700	INFO	Detecting jar vulnerabilities...
openzipkin/zipkin:2.25.1 (alpine 3.19.0)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

There was a lot of PR review support and again we have @​anuraaga to thank for being so available to keep things moving. We'd also like to thank @​tacigar for progress on renovating the Lens UI, resulting in a significant drop in NPM vulnerabilities as well.

Full Changelog: openzipkin/zipkin@2.25.0...2.25.1

Commits
  • 11e3b27 [maven-release-plugin] prepare release 2.25.2
  • ced6a9c lens: reduces cves for top-level deps (#3657)
  • 6e79b6d docker: documents how to use master version in examples (#3656)
  • 8b2b331 ci: test building of javadoc (#3655)
  • aed6d92 docker: adds ppc64le architecture to zipkin and zipkin-slim images (#3653)
  • c40a50b docker: uses health check in examples and documents dependencies job (#3652)
  • e21beed docker: updates Elasticsearch 7.x image to Elastic licensed 7.17.16 (#3654)
  • 0092696 cassandra: moves to Apache Driver and fixes Apple Silicon docker crash (#3651)
  • a78c162 deps: temporarily update boringssl ahead of netty to fix M1 docker crash (#3650)
  • 9244952 [maven-release-plugin] prepare for next development iteration
  • Additional commits viewable in compare view

Updates io.zipkin.reporter2:zipkin-sender-okhttp3 from 2.16.5 to 2.17.1

Release notes

Sourced from io.zipkin.reporter2:zipkin-sender-okhttp3's releases.

Zipkin Reporter 2.17.0

Zipkin Reporter v2.17.0 updates default versions of dependencies so that CVE scanners like trivy pass by default. Details below for the interested.

For example, trivy is now clean.

$ trivy -q --skip-files "**/src/it/*/pom.xml" repo https://github.com/openzipkin/zipkin-reporter-java

In order to do this, and based on user demand, we had to change some default practice in our senders (the transport plug-in for sending spans to a zipkin compatible endpoint). Here is a summary of each and how versions are handled.

  • activemq-client - Note that the recently released 6.x version is not compatible with 5.x due to package import change from javax.jms to jakarta.jms. Raise an issue if you need a later client as it will require a copy of the entire module to resolve.
  • amqp-client (rabbitmq) - The 4.x version is no longer maintained, so we set a 5.x version and test the old one.
  • kafka - the kafka-clients driver has not had any known compatibility problems, so we've left it as-is.
  • libthrift (scribe) - libthrift (used for the deprecated scribe transport) has never released a 1.0 version, so occasionally causes revlocks. @​zhfeng noticed this in apache camel, as updating past the 4 year old 0.13 was impossible to work around. Luckily versions after that seem compatible with each other.
  • okhttp3 - The 3.x version is no longer maintained, so we set a 4.x version and test the old one. Thanks @​evantorrie for explaining why this is important and @​shakuzen for helping in the discussion.

While not end-user affecting, we have also migrated from JUnit 4 to JUnit 5, thanks to OpenRewrite recipes from @​TeamModerne. Also, we use docker images to test all messaging transports. This ensures compatibility with upstream in transparent ways, and also removes classpath conflicts from java-based messaging transports such as ActiveMQ and Kafka.

Thanks a lot to @​anuraaga for copious support work on this release, as well.

Full Changelog: openzipkin/zipkin-reporter-java@2.16.5...2.17.0

Note: To pass Trivy at the moment, we have to skip old versions used only for compatibility testing. There is a discussion about making this default.

Changelog

Sourced from io.zipkin.reporter2:zipkin-sender-okhttp3's changelog.

OpenZipkin Release Process

This repo uses semantic versions. Please keep this in mind when choosing version numbers.

  1. Alert others you are releasing

    There should be no commits made to master while the release is in progress (about 10 minutes). Before you start a release, alert others on gitter so that they don't accidentally merge anything. If they do, and the build fails because of that, you'll have to recreate the release tag described below.

  2. Push a git tag

    The trigger format is release-MAJOR.MINOR.PATCH, ex git tag release-1.18.1 && git push origin release-1.18.1.

  3. Wait for CI

    The release-MAJOR.MINOR.PATCH tag triggers https://github.com/openzipkin/zipkin-reporter-java/blob/master/build-bin/maven/maven_release, which creates commits, MAJOR.MINOR.PATCH tag, and increments the version (maven-release-plugin).

    The MAJOR.MINOR.PATCH tag triggers https://github.com/openzipkin/zipkin-reporter-java/blob/master/build-bin/deploy, which does the following:

    Notes:

Credentials

The release process uses various credentials. If you notice something failing due to unauthorized, look at the notes in [.github/workflows/deploy.yml] and check the org secrets.

Troubleshooting invalid credentials

If you receive a '401 unauthorized' failure from OSSRH, it is likely SONATYPE_USER or SONATYPE_PASSWORD entries are invalid, or possibly the user associated with them does not have rights to upload.

The least destructive test is to try to publish a snapshot manually. By passing the values CI would use, you can kick off a snapshot from your laptop. This is a good way to validate that your unencrypted credentials are authorized.

Here's an example of a snapshot deploy with specified credentials.

$ export GPG_TTY=$(tty) && GPG_PASSPHRASE=whackamole SONATYPE_USER=adrianmole SONATYPE_PASSWORD=ed6f20bde9123bbb2312b221 build-bin/build-bin/maven/maven_deploy

First release of the year

The license plugin verifies license headers of files include a copyright notice indicating the years a file was affected. This information is taken from git history. There's a once-a-year problem with files that include version numbers (pom.xml).

... (truncated)

Commits
  • 692bb3d [maven-release-plugin] prepare release 2.17.1
  • a2060be ci: adds action to test javadoc (#230)
  • 66060b3 deps: updates to zipkin 2.25.2 (#229)
  • 4e886ea build: fixes animal-sniffer phase and runs on all JDKs (#231)
  • e635df8 [maven-release-plugin] prepare for next development iteration
  • d21c18e [maven-release-plugin] prepare release 2.17.0
  • e8f2052 deps: bumps to zipkin 2.25.1 (#227)
  • 555bdc4 benchmarks: replace kafka-unit with docker (#226)
  • 077737c amqp-client: moves to latest version and tests prior (#225)
  • 8e86704 updates integration tests and benchmarks to use log4j (#224)
  • Additional commits viewable in compare view

Updates io.zipkin.brave:brave from 5.16.0 to 5.17.0

Changelog

Sourced from io.zipkin.brave:brave's changelog.

OpenZipkin Release Process

This repo uses semantic versions. Please keep this in mind when choosing version numbers.

  1. Alert others you are releasing

    There should be no commits made to master while the release is in progress (about 10 minutes). Before you start a release, alert others on gitter so that they don't accidentally merge anything. If they do, and the build fails because of that, you'll have to recreate the release tag described below.

  2. Push a git tag

    The trigger format is release-MAJOR.MINOR.PATCH, ex git tag release-1.18.1 && git push origin release-1.18.1.

  3. Wait for CI

    The release-MAJOR.MINOR.PATCH tag triggers https://github.com/openzipkin/brave/blob/master/build-bin/maven/maven_release, which creates commits, MAJOR.MINOR.PATCH tag, and increments the version (maven-release-plugin).

    The MAJOR.MINOR.PATCH tag triggers https://github.com/openzipkin/brave/blob/master/build-bin/deploy, which does the following:

    Notes:

Credentials

The release process uses various credentials. If you notice something failing due to unauthorized, look at the notes in [.github/workflows/deploy.yml] and check the org secrets.

Troubleshooting invalid credentials

If you receive a '401 unauthorized' failure from OSSRH, it is likely SONATYPE_USER or SONATYPE_PASSWORD entries are invalid, or possibly the user associated with them does not have rights to upload.

The least destructive test is to try to publish a snapshot manually. By passing the values CI would use, you can kick off a snapshot from your laptop. This is a good way to validate that your unencrypted credentials are authorized.

Here's an example of a snapshot deploy with specified credentials.

$ export GPG_TTY=$(tty) && GPG_PASSPHRASE=whackamole SONATYPE_USER=adrianmole SONATYPE_PASSWORD=ed6f20bde9123bbb2312b221 build-bin/build-bin/maven/maven_deploy

First release of the year

The license plugin verifies license headers of files include a copyright notice indicating the years a file was affected.

... (truncated)

Commits
  • d55db97 [maven-release-plugin] prepare release 5.17.0
  • 053e743 deps: updates to zipkin-reporter 2.17.1 (#1390)
  • 90537d6 build: fixes animal-sniffer phase and runs on all JDKs (#1389)
  • 677244a fix compiler
  • 2bde4fe [maven-release-plugin] prepare for next development iteration
  • c204053 [maven-release-plugin] prepare release 5.17.0
  • 20692fe deps: bumps all main versions that compile (#1388)
  • b0ad9aa Migrates all tests and fixtures from JUnit 4.x to Jupiter (#1387)
  • 902e560 dubbo: updates dependencies to latest versions (#1386)
  • eac0ffa build: updates to build and test with LTS JDKs (#1385)
  • Additional commits viewable in compare view

Updates software.amazon.awssdk:s3 from 2.21.44 to 2.22.1

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the root-gradle-deps group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [com.google.guava:guava](https://github.com/google/guava) | `32.1.3-jre` | `33.0.0-jre` |
| [com.amazonaws:aws-java-sdk-bom](https://github.com/aws/aws-sdk-java) | `1.12.618` | `1.12.621` |
| [io.zipkin.zipkin2:zipkin](https://github.com/openzipkin/zipkin) | `2.25.0` | `2.25.2` |
| [io.zipkin.reporter2:zipkin-sender-okhttp3](https://github.com/openzipkin/zipkin-reporter-java) | `2.16.5` | `2.17.1` |
| [io.zipkin.brave:brave](https://github.com/openzipkin/brave) | `5.16.0` | `5.17.0` |
| software.amazon.awssdk:s3 | `2.21.44` | `2.22.1` |


Updates `com.google.guava:guava` from 32.1.3-jre to 33.0.0-jre
- [Release notes](https://github.com/google/guava/releases)
- [Commits](https://github.com/google/guava/commits)

Updates `com.amazonaws:aws-java-sdk-bom` from 1.12.618 to 1.12.621
- [Changelog](https://github.com/aws/aws-sdk-java/blob/master/CHANGELOG.md)
- [Commits](aws/aws-sdk-java@1.12.618...1.12.621)

Updates `io.zipkin.zipkin2:zipkin` from 2.25.0 to 2.25.2
- [Release notes](https://github.com/openzipkin/zipkin/releases)
- [Changelog](https://github.com/openzipkin/zipkin/blob/master/RELEASE.md)
- [Commits](openzipkin/zipkin@2.25.0...2.25.2)

Updates `io.zipkin.reporter2:zipkin-sender-okhttp3` from 2.16.5 to 2.17.1
- [Release notes](https://github.com/openzipkin/zipkin-reporter-java/releases)
- [Changelog](https://github.com/openzipkin/zipkin-reporter-java/blob/master/RELEASE.md)
- [Commits](openzipkin/zipkin-reporter-java@2.16.5...2.17.1)

Updates `io.zipkin.brave:brave` from 5.16.0 to 5.17.0
- [Release notes](https://github.com/openzipkin/brave/releases)
- [Changelog](https://github.com/openzipkin/brave/blob/master/RELEASE.md)
- [Commits](openzipkin/brave@5.16.0...5.17.0)

Updates `software.amazon.awssdk:s3` from 2.21.44 to 2.22.1

---
updated-dependencies:
- dependency-name: com.google.guava:guava
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: root-gradle-deps
- dependency-name: com.amazonaws:aws-java-sdk-bom
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: root-gradle-deps
- dependency-name: io.zipkin.zipkin2:zipkin
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: root-gradle-deps
- dependency-name: io.zipkin.reporter2:zipkin-sender-okhttp3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: root-gradle-deps
- dependency-name: io.zipkin.brave:brave
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: root-gradle-deps
- dependency-name: software.amazon.awssdk:s3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: root-gradle-deps
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from a team as a code owner December 19, 2023 05:03
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Dec 19, 2023

dependabot bot commented on behalf of github Dec 26, 2023

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Dec 26, 2023
@dependabot dependabot bot deleted the dependabot/gradle/root-gradle-deps-33b14d1a86 branch December 26, 2023 05:51