Bump cxf.brave.version from 5.17.1 to 6.0.3

[dependabot]

Bumps cxf.brave.version from 5.17.1 to 6.0.3.
Updates io.zipkin.brave:brave from 5.17.1 to 6.0.3

Release notes

Sourced from io.zipkin.brave:brave's releases.

Brave 6.0.3 including the following minor changes. Thanks very much to @​reta and @​anuraaga for review support!

• fixes bug that allowed setting local or remote service names to the empty string ("")
• fixed thread safety issue when using Tag.tag
• ports brave-instrumentation-mongodb to work on the new org.mongodb:mongodb-driver-core v5
  • Note: the floor JRE of this instrumentation is now 1.7, where it formerly was 1.6
• changes license headers to SPDX style, as used in zipkin and zipkin-reporter

Full Changelog: https://github.com/openzipkin/brave/compare/6.0.2..6.0.3

Brave 6.0.2 fixes a propagation glitch on kafka streams processors using context.forward(). Tons of thanks to @​frosiere for the help on this! We also changed how dependencies are managed so that less false-positives show up due to our backwards compatability testing. We appreciate your continued use and feedback!

Full Changelog: https://github.com/openzipkin/brave/compare/6.0.1..6.0.2

Brave 6.0.1 simplifies internals of the json encoder and kafka-streams instrumentation. It also fixes a bug where a Tag<Throwable> passed to MutableSpanBytesEncoder.zipkinJsonV2 always used the key "error" even when set to something else. Finally @​reta fixed a flakey JMS integration test which was plaguing our CI builds!

Full Changelog: https://github.com/openzipkin/brave/compare/6.0.0..6.0.1

Brave 6 removes all modules and functions deprecated in Brave 5.x. It no longer has any dependency on io.zipkin.zipkin2:zipkin. Special thanks to @​reta and @​anuraaga for a lot of review support leading to this release!

No more deprecated functions

The final release of Brave 5 with deprecated functions was 5.18.1. Removing these functions was the only way to decouple Brave from zipkin's core library (io.zipkin.zipkin2:zipkin). However, this does not change Brave's floor Java 6 support. We still integration test this via the brave-example repository.

Here's an example of a working Java 6 and Spring 2.5 application, which is 280KB smaller due to use of the lean combination of Brave 6 and Zipkin Reporter 3.x:

# brave 5.18.1
3860    target/brave-example-webmvc25-1.0-SNAPSHOT.war
# brave 6.0.0
3580    target/brave-example-webmvc25-1.0-SNAPSHOT.war

No more io.zipkin.reporter2:zipkin-reporter or io.zipkin.zipkin2:zipkin dependencies

io.zipkin.brave:brave-bom used to manage zipkin-reporter dependencies. Since Brave no longer has dependencies on zipkin, it no longer manages them.

This impact is that users will need to manage their own versions for zipkin-reporter, likely via io.zipkin.reporter2:zipkin-reporter-bom described in the zipkin-reporter README.

To fully remove a zipkin core library dependency from your traced applications, use io.zipkin.reporter2:zipkin-reporter-brave 3.x AsyncZipkinSpanHandler. This is described in the zipkin-reporter README. You can expect currently maintained frameworks to do this on your behalf.

Thanks for your patience with the major upgrade. Things like this allow easier maintenance and a longer life for Brave, particularly as zipkin-server moves ahead with later Java versions.

Full Changelog: https://github.com/openzipkin/brave/compare/5.17.1..5.18.1

Brave 5.18 prepares for Brave 6 by deprecating instrumentation for libraries not released in 1.5-3.5 years including:

• context/rxjava2 - last released Feb 2021
  • replaced by RxJava3, but unlikely this module will be ported as it wasn't used widely.
• instrumentation/dubbo-rpc - (alibaba) last released Dec 2021

... (truncated)

Commits

• 95ae4c2 [maven-release-plugin] prepare release 6.0.3
• 08e8e39 Fixes thread safety issue in Tag.tag (#1434)
• 57f27e2 license: removes copyright year and uses SPDX ID (#1433)
• 170c79f Speeds up dubbo tests, aligns conventions and bumps deps (#1432)
• ef6fbbd Adds support for org.mongodb:mongodb-driver-core v5 (#1431)
• fe3c8b4 fixes bug setting service names to empty (#1428)
• 69e30f3 Adds BaggagePropagation benchmarks for decorate (#1425)
• b7ece7b Consolidates notes on "extra" data (#1424)
• d8dc495 benchmarks: moves dependency scope to test (#1422)
• 5552507 [maven-release-plugin] prepare for next development iteration
• Additional commits viewable in compare view

Updates io.zipkin.brave:brave-instrumentation-http from 5.17.1 to 6.0.3

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[reta]

Covered by https://issues.apache.org/jira/browse/CXF-8969

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.