From 6b2c652ea0aa8aa14e7d7113e6d7cbf83ec76230 Mon Sep 17 00:00:00 2001
From: Yashwant
Date: Mon, 30 Dec 2024 22:47:29 +0530
Subject: [PATCH] exclude protobuf deps

---
 javaagent/build.gradle.kts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/javaagent/build.gradle.kts b/javaagent/build.gradle.kts
index 076c4126..144f7d0e 100644
--- a/javaagent/build.gradle.kts
+++ b/javaagent/build.gradle.kts
@@ -58,6 +58,9 @@ tasks {
 // exclude because it would be shaded twice and the META-INF/services/ would be io.opentelemetry.javaagent.shaded.io.grpc
 exclude("inst/META-INF/services/io.grpc*")
 }
+ // Fix CVE-2024-7254, opentelemetry-javaagent brings in io.prometheus.metrics which uses deps of high vulnerability protobuf-java version
+ // This was fixed in 2.x.x versions of opentelemetry-javaagent(which needs us to upgrade from 1.33.0)
+ exclude("inst/io/prometheus/metrics/shaded/com_google_protobuf_3_21_7/**")
 exclude("**/module-info.class")
 manifest {
 attributes.put("Implementation-Title", "javaagent")
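Review bot: The new `exclude("inst/io/prometheus/metrics/shaded/com_google_protobuf_3_21_7/**")` strips the shaded protobuf classes but leaves the rest of `io.prometheus.metrics` in the jar, so any retained class that still references them would presumably fail with `NoClassDefFoundError` at runtime rather than at build time; nothing in the hunk confirms that this code path is never loaded by the agent. The pattern is also pinned to the exact directory name `com_google_protobuf_3_21_7`, so if a later agent version shades protobuf under a different name the exclude silently stops matching and the classes ship again. I would record both in the comment, e.g. `// TODO: remove once opentelemetry-javaagent is upgraded to 2.x; path is version-pinned, re-check the jar contents after any agent bump`, and add a build-time check that fails when the produced jar still contains that path. The enclosing task block starts and ends outside the hunk.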