Update dependencies (#6499)

* Update dependencies

* Strictly pin slf4j and logback versions

* logback 1.3

* Only use slf4j 2.0.0 internally in the javaagent

* Pre-initialize slf4j provider

* Bump jackson version

* licenses

benchmark-overhead/build.gradle.kts

@@ -24,7 +24,7 @@ dependencies {
   testImplementation("org.jooq:joox:1.6.2")
   testImplementation("com.jayway.jsonpath:json-path:2.6.0")
   testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine:5.9.0")
-  testImplementation("org.slf4j:slf4j-simple:1.7.36")
+  testImplementation("org.slf4j:slf4j-simple:2.0.0")
 }
 
 tasks {

dependencyManagement/build.gradle.kts

@@ -31,13 +31,13 @@ val groovyVersion = "4.0.4"
 // configurations.testRuntimeClasspath.resolutionStrategy.force "com.google.guava:guava:19.0"
 
 val DEPENDENCY_BOMS = listOf(
-  "com.fasterxml.jackson:jackson-bom:2.13.2.20220328",
+  "com.fasterxml.jackson:jackson-bom:2.13.4",
   "com.google.guava:guava-bom:31.1-jre",
   "org.apache.groovy:groovy-bom:${groovyVersion}",
   "io.opentelemetry:opentelemetry-bom:${otelVersion}",
   "io.opentelemetry:opentelemetry-bom-alpha:${otelVersion}-alpha",
-  "org.junit:junit-bom:5.8.2",
-  "org.testcontainers:testcontainers-bom:1.17.1",
+  "org.junit:junit-bom:5.9.0",
+  "org.testcontainers:testcontainers-bom:1.17.3",
 )
 
 val DEPENDENCY_SETS = listOf(
@@ -69,7 +69,7 @@ val DEPENDENCY_SETS = listOf(
   ),
   DependencySet(
     "org.mockito",
-    "4.5.1",
+    "4.7.0",
     listOf("mockito-core", "mockito-junit-jupiter", "mockito-inline")
   ),
   DependencySet(
@@ -87,7 +87,7 @@ val DEPENDENCIES = listOf(
   "com.github.stefanbirkner:system-lambda:1.2.1",
   "com.github.stefanbirkner:system-rules:1.19.0",
   "uk.org.webcompere:system-stubs-jupiter:2.0.1",
-  "com.uber.nullaway:nullaway:0.9.7",
+  "com.uber.nullaway:nullaway:0.9.9",
   "commons-beanutils:commons-beanutils:1.9.4",
   "commons-cli:commons-cli:1.5.0",
   "commons-codec:commons-codec:1.15",

examples/distro/smoke-tests/build.gradle

@@ -10,7 +10,7 @@ dependencies {
   testImplementation("io.opentelemetry.proto:opentelemetry-proto:0.16.0-alpha")
   testImplementation("io.opentelemetry:opentelemetry-api:1.6.0")
 
-  testImplementation("ch.qos.logback:logback-classic:1.2.3")
+  testImplementation("ch.qos.logback:logback-classic:1.2.11")
 }
 
 tasks.test {

examples/extension/build.gradle

@@ -101,14 +101,13 @@ dependencies {
 
   testImplementation("org.junit.jupiter:junit-jupiter-api:5.9.0")
   testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine:5.9.0")
-  testRuntimeOnly("ch.qos.logback:logback-classic:1.2.3")
+  testRuntimeOnly("ch.qos.logback:logback-classic:1.2.11")
 
   //Otel Java instrumentation that we use and extend during integration tests
   otel("io.opentelemetry.javaagent:opentelemetry-javaagent:${versions.opentelemetryJavaagent}")
 
   //TODO remove when start using io.opentelemetry.instrumentation.javaagent-instrumentation plugin
   add("codegen", "io.opentelemetry.javaagent:opentelemetry-javaagent-tooling:${versions.opentelemetryJavaagentAlpha}")
-  add("codegen", "ch.qos.logback:logback-classic:1.2.3")
   add("muzzleBootstrap", "io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations-support:${versions.opentelemetryJavaagentAlpha}")
   add("muzzleTooling", "io.opentelemetry.javaagent:opentelemetry-javaagent-extension-api:${versions.opentelemetryJavaagentAlpha}")
   add("muzzleTooling", "io.opentelemetry.javaagent:opentelemetry-javaagent-tooling:${versions.opentelemetryJavaagentAlpha}")

instrumentation/logback/logback-appender-1.0/javaagent/build.gradle.kts

@@ -15,7 +15,34 @@ muzzle {
 }
 
 dependencies {
-  library("ch.qos.logback:logback-classic:0.9.16")
+  // pin the version strictly to avoid overriding by dependencyManagement versions
+  compileOnly("ch.qos.logback:logback-classic") {
+    version {
+      strictly("0.9.16")
+    }
+  }
+  compileOnly("org.slf4j:slf4j-api") {
+    version {
+      strictly("1.5.8")
+    }
+  }
+
+  if (findProperty("testLatestDeps") as Boolean) {
+    testImplementation("ch.qos.logback:logback-classic:+")
+  } else {
+    // TODO these versions are actually used during test
+    // currently our tests fail for logback-classic 0.9.16
+    testImplementation("ch.qos.logback:logback-classic") {
+      version {
+        strictly("1.2.11")
+      }
+    }
+    testImplementation("org.slf4j:slf4j-api") {
+      version {
+        strictly("1.7.36")
+      }
+    }
+  }
 
   compileOnly(project(":instrumentation-appender-api-internal"))
   compileOnly(project(":javaagent-bootstrap"))

instrumentation/logback/logback-appender-1.0/library/build.gradle.kts

@@ -6,7 +6,34 @@ dependencies {
   implementation(project(":instrumentation-appender-api-internal"))
   implementation(project(":instrumentation-appender-sdk-internal"))
 
-  library("ch.qos.logback:logback-classic:0.9.16")
+  // pin the version strictly to avoid overriding by dependencyManagement versions
+  compileOnly("ch.qos.logback:logback-classic") {
+    version {
+      strictly("0.9.16")
+    }
+  }
+  compileOnly("org.slf4j:slf4j-api") {
+    version {
+      strictly("1.5.8")
+    }
+  }
+
+  if (findProperty("testLatestDeps") as Boolean) {
+    testImplementation("ch.qos.logback:logback-classic:+")
+  } else {
+    // TODO these versions are actually used during test
+    // currently our tests fail for logback-classic 0.9.16
+    testImplementation("ch.qos.logback:logback-classic") {
+      version {
+        strictly("1.2.11")
+      }
+    }
+    testImplementation("org.slf4j:slf4j-api") {
+      version {
+        strictly("1.7.36")
+      }
+    }
+  }
 
   testImplementation("io.opentelemetry:opentelemetry-sdk-logs")
   testImplementation("io.opentelemetry:opentelemetry-sdk-testing")

instrumentation/logback/logback-mdc-1.0/javaagent/build.gradle.kts

@@ -13,7 +13,32 @@ muzzle {
 dependencies {
   implementation(project(":instrumentation:logback:logback-mdc-1.0:library"))
 
-  library("ch.qos.logback:logback-classic:1.0.0")
+  // pin the version strictly to avoid overriding by dependencyManagement versions
+  compileOnly("ch.qos.logback:logback-classic") {
+    version {
+      strictly("1.0.0")
+    }
+  }
+  compileOnly("org.slf4j:slf4j-api") {
+    version {
+      strictly("1.6.4")
+    }
+  }
+
+  if (findProperty("testLatestDeps") as Boolean) {
+    testImplementation("ch.qos.logback:logback-classic:+")
+  } else {
+    testImplementation("ch.qos.logback:logback-classic") {
+      version {
+        strictly("1.0.0")
+      }
+    }
+    testImplementation("org.slf4j:slf4j-api") {
+      version {
+        strictly("1.6.4")
+      }
+    }
+  }
 
   testImplementation(project(":instrumentation:logback:logback-mdc-1.0:testing"))
 }

instrumentation/logback/logback-mdc-1.0/library/build.gradle.kts

@@ -3,7 +3,32 @@ plugins {
 }
 
 dependencies {
-  library("ch.qos.logback:logback-classic:1.0.0")
+  // pin the version strictly to avoid overriding by dependencyManagement versions
+  compileOnly("ch.qos.logback:logback-classic") {
+    version {
+      strictly("1.0.0")
+    }
+  }
+  compileOnly("org.slf4j:slf4j-api") {
+    version {
+      strictly("1.6.4")
+    }
+  }
+
+  if (findProperty("testLatestDeps") as Boolean) {
+    testImplementation("ch.qos.logback:logback-classic:+")
+  } else {
+    testImplementation("ch.qos.logback:logback-classic") {
+      version {
+        strictly("1.0.0")
+      }
+    }
+    testImplementation("org.slf4j:slf4j-api") {
+      version {
+        strictly("1.6.4")
+      }
+    }
+  }
 
   testImplementation(project(":instrumentation:logback:logback-mdc-1.0:testing"))
 }

javaagent-bootstrap/build.gradle.kts

@@ -5,11 +5,13 @@ plugins {
 
 group = "io.opentelemetry.javaagent"
 
+val agentSlf4jVersion = "2.0.0"
+
 dependencies {
   implementation(project(":instrumentation-api"))
   implementation(project(":instrumentation-appender-api-internal"))
-  implementation("org.slf4j:slf4j-api")
-  implementation("org.slf4j:slf4j-simple")
+  implementation("org.slf4j:slf4j-api:$agentSlf4jVersion")
+  implementation("org.slf4j:slf4j-simple:$agentSlf4jVersion")
 
   testImplementation(project(":testing-common"))
 }

javaagent-tooling/src/main/java/io/opentelemetry/javaagent/tooling/DefaultLoggingCustomizer.java

@@ -5,6 +5,7 @@
 
 package io.opentelemetry.javaagent.tooling;
 
+import java.lang.reflect.InvocationTargetException;
 import java.util.Locale;
 
 final class DefaultLoggingCustomizer implements LoggingCustomizer {
@@ -33,6 +34,21 @@ final class DefaultLoggingCustomizer implements LoggingCustomizer {
       // by default muzzle warnings are turned off
       setSystemPropertyDefault(SIMPLE_LOGGER_PREFIX + "muzzleMatcher", "OFF");
     }
+
+    ClassLoader previous = Thread.currentThread().getContextClassLoader();
+    try {
+      // make sure that slf4j finds the provider in the bootstrap CL
+      Thread.currentThread().setContextClassLoader(null);
+      Class<?> loggerFactory = Class.forName("org.slf4j.LoggerFactory");
+      loggerFactory.getMethod("getILoggerFactory").invoke(null);
+    } catch (ClassNotFoundException
+        | InvocationTargetException
+        | IllegalAccessException
+        | NoSuchMethodException e) {
+      throw new IllegalStateException("Failed to initialize logging", e);
+    } finally {
+      Thread.currentThread().setContextClassLoader(previous);
+    }
   }
 
   @Override

licenses/licenses.md

@@ -1,7 +1,7 @@
 
 #javaagent
 ##Dependency License Report
-_2022-08-12 13:38:10 PDT_
+_2022-09-06 12:21:05 CEST_
 ## Apache License, Version 2.0
 
 **1** **Group:** `com.blogspot.mydailyjava` **Name:** `weak-lock-free` **Version:** `0.18` 
@@ -9,19 +9,19 @@ _2022-08-12 13:38:10 PDT_
 > - **POM Project URL**: [https://github.com/raphw/weak-lock-free](https://github.com/raphw/weak-lock-free)
 > - **POM License**: Apache License, Version 2.0 - [http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)
 
-**2** **Group:** `com.fasterxml.jackson.core` **Name:** `jackson-core` **Version:** `2.13.2` 
+**2** **Group:** `com.fasterxml.jackson.core` **Name:** `jackson-core` **Version:** `2.13.4` 
 > - **Project URL**: [https://github.com/FasterXML/jackson-core](https://github.com/FasterXML/jackson-core)
 > - **Manifest License**: Apache License, Version 2.0 (Not Packaged)
 > - **POM License**: Apache License, Version 2.0 - [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)
-> - **Embedded license files**: [jackson-core-2.13.2.jar/META-INF/LICENSE](jackson-core-2.13.2.jar/META-INF/LICENSE) 
-    - [jackson-core-2.13.2.jar/META-INF/NOTICE](jackson-core-2.13.2.jar/META-INF/NOTICE)
+> - **Embedded license files**: [jackson-core-2.13.4.jar/META-INF/LICENSE](jackson-core-2.13.4.jar/META-INF/LICENSE) 
+    - [jackson-core-2.13.4.jar/META-INF/NOTICE](jackson-core-2.13.4.jar/META-INF/NOTICE)
 
-**3** **Group:** `com.fasterxml.jackson.jr` **Name:** `jackson-jr-objects` **Version:** `2.13.2` 
+**3** **Group:** `com.fasterxml.jackson.jr` **Name:** `jackson-jr-objects` **Version:** `2.13.4` 
 > - **Project URL**: [http://wiki.fasterxml.com/JacksonHome](http://wiki.fasterxml.com/JacksonHome)
 > - **Manifest License**: Apache License, Version 2.0 (Not Packaged)
 > - **POM License**: Apache License, Version 2.0 - [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)
-> - **Embedded license files**: [jackson-jr-objects-2.13.2.jar/META-INF/LICENSE](jackson-jr-objects-2.13.2.jar/META-INF/LICENSE) 
-    - [jackson-jr-objects-2.13.2.jar/META-INF/NOTICE](jackson-jr-objects-2.13.2.jar/META-INF/NOTICE)
+> - **Embedded license files**: [jackson-jr-objects-2.13.4.jar/META-INF/LICENSE](jackson-jr-objects-2.13.4.jar/META-INF/LICENSE) 
+    - [jackson-jr-objects-2.13.4.jar/META-INF/NOTICE](jackson-jr-objects-2.13.4.jar/META-INF/NOTICE)
 
 **4** **Group:** `com.googlecode.concurrentlinkedhashmap` **Name:** `concurrentlinkedhashmap-lru` **Version:** `1.4.2` 
 > - **Manifest License**: Apache License, Version 2.0 (Not Packaged)
@@ -201,11 +201,11 @@ _2022-08-12 13:38:10 PDT_
 
 ## MIT License
 
-**44** **Group:** `org.slf4j` **Name:** `slf4j-api` **Version:** `1.7.36` 
+**44** **Group:** `org.slf4j` **Name:** `slf4j-api` **Version:** `2.0.0` 
 > - **POM Project URL**: [http://www.slf4j.org](http://www.slf4j.org)
 > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT)
 
-**45** **Group:** `org.slf4j` **Name:** `slf4j-simple` **Version:** `1.7.36` 
+**45** **Group:** `org.slf4j` **Name:** `slf4j-simple` **Version:** `2.0.0` 
 > - **POM Project URL**: [http://www.slf4j.org](http://www.slf4j.org)
 > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT)