Upgrades various dependencies

* Centralizes all versions in gradle.properties
* add guava as a direct dependency as it is used in the source code
* uses version of Spring boot where ever possible

build.gradle

@@ -1,15 +1,16 @@
 plugins {
-    id "org.springframework.boot" version "${springboot_version}"
-    id "com.palantir.docker" version "0.21.0"
-    id "org.cyclonedx.bom" version "1.7.2"
+    id "org.springframework.boot" version "${springBootVersion}"
+    id "com.palantir.docker" version "${palantirDockerVersion}"
+    id "org.cyclonedx.bom" version "${cyclonedxBomVersion}"
+    id "io.spring.dependency-management" version "${springDependencyManangementVersion}"
+    id "org.owasp.dependencycheck" version "${owaspDependencyCheckVersion}"
 }
 
 repositories {
     mavenCentral()
 }
 
 apply plugin: "java"
-apply plugin: "io.spring.dependency-management"
 apply plugin: "jacoco"
 
 group = "rocks.inspectit.ocelot"
@@ -113,6 +114,8 @@ dependencies {
             "org.springframework.boot:spring-boot-starter-validation",
             "org.springframework.boot:spring-boot-starter-security",
 
+            "org.yaml:snakeyaml:${snakeYamlVersion}",
+
             // pin Prometheus client to 0.6.0 to prevent auto prefixing counter metrics with "_total"
             // see: https://github.com/prometheus/client_java/issues/640, https://github.com/prometheus/client_java/pull/653
             "io.prometheus:simpleclient:${prometheusClientVersion}",
@@ -123,62 +126,58 @@ dependencies {
             "io.opencensus:opencensus-impl:${openCensusVersion}",
             "io.opencensus:opencensus-exporter-stats-prometheus:${openCensusVersion}",
 
-            "io.grpc:grpc-netty-shaded:1.36.1",
-            "io.grpc:grpc-protobuf:1.36.1",
-            "io.grpc:grpc-stub:1.36.1",
+            "io.grpc:grpc-netty-shaded:${grpcVersion}",
+            "io.grpc:grpc-protobuf:${grpcVersion}",
+            "io.grpc:grpc-stub:${grpcVersion}",
             platform("io.opentelemetry:opentelemetry-bom-alpha:${openTelemetryAlphaVersion}"),
-            "io.opentelemetry:opentelemetry-proto",
             "io.opentelemetry:opentelemetry-semconv",
             platform("io.opentelemetry:opentelemetry-bom:${openTelemetryVersion}"),
             "io.opentelemetry:opentelemetry-exporter-otlp",
             "io.opentelemetry:opentelemetry-exporter-jaeger",
             "io.opentelemetry:opentelemetry-exporter-jaeger-thrift",
             "io.opentelemetry:opentelemetry-sdk",
+            "io.opentelemetry:opentelemetry-proto:${openTelemetryProtoVersion}",
 
-            "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.5",
+            "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml",
 
-            "com.google.protobuf:protobuf-java:3.15.7",
-            "com.google.protobuf:protobuf-java-util:3.15.7",
+            "com.google.protobuf:protobuf-java:${protobufVersion}",
+            "com.google.protobuf:protobuf-java-util:${protobufVersion}",
 
-            "com.maxmind.geoip2:geoip2:2.12.0",
-            "commons-net:commons-net:3.3",
-            "org.apache.commons:commons-lang3:3.+",
-            "org.apache.commons:commons-math3:3.6.1",
-            "commons-io:commons-io:2.11.0",
-            "org.influxdb:influxdb-java:2.15",
-            "rocks.inspectit:opencensus-influxdb-exporter:1.2",
+            "com.google.guava:guava:${guavaVersion}",
 
+            "com.maxmind.geoip2:geoip2:${geoip2Version}",
+            "commons-net:commons-net:${commonsNetVersion}",
+            "org.apache.commons:commons-lang3",
+            "org.apache.commons:commons-math3:${commonsMath3Version}",
+            "commons-io:commons-io:${commonsIoVersion}",
+            "org.influxdb:influxdb-java:${influxdbJavaVersion}",
+            "rocks.inspectit:opencensus-influxdb-exporter:${opencensusInfluxdbExporterVersion}",
     )
 
     compileOnly "org.projectlombok:lombok:${lombokVersion}"
     annotationProcessor "org.projectlombok:lombok:${lombokVersion}"
 
     testImplementation(
-            //project(":inspectit-ocelot-config"),
             "org.springframework.boot:spring-boot-starter-test",
             "io.opencensus:opencensus-impl:${openCensusVersion}",
-            "org.apache.httpcomponents:httpclient:4.5.6",
-            "commons-io:commons-io:2.11.0",
-            "org.mockito:mockito-core:${mockitoVersion}",
-            "org.junit.jupiter:junit-jupiter-api:5.7.2",
-            "org.awaitility:awaitility:3.1.5",
-            "org.mockito:mockito-junit-jupiter:2.23.0",
-            "org.testcontainers:testcontainers:1.15.2",
-            "org.testcontainers:junit-jupiter:1.15.2",
+            "org.apache.httpcomponents:httpclient",
+            "org.mockito:mockito-core",
+            "org.junit.jupiter:junit-jupiter-api",
+            "org.awaitility:awaitility",
+            "org.mockito:mockito-junit-jupiter",
 
             // ServerExtension
-            "com.linecorp.armeria:armeria-junit5:1.14.1",
-            "com.linecorp.armeria:armeria-grpc-protocol:1.14.1",
+            "com.linecorp.armeria:armeria-junit5:${armeriaVersion}",
+            "com.linecorp.armeria:armeria-grpc-protocol:${armeriaVersion}",
 
-            "io.opentelemetry:opentelemetry-semconv:1.20.0-alpha",
+            "io.opentelemetry:opentelemetry-semconv:${openTelemetryAlphaVersion}",
 
             // for docker test containers
-            "org.testcontainers:testcontainers:1.16.3",
-            "org.testcontainers:junit-jupiter:1.16.3",
-
+            "org.testcontainers:testcontainers:${testContainersVersion}",
+            "org.testcontainers:junit-jupiter:${testContainersVersion}"
     )
 
-    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:5.7.2"
+    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine"
 }
 
 task copyServerJar(type: Copy) {

gradle.properties

@@ -1,25 +1,45 @@
 # The boomerang version to ship with the EUM server
 boomerangVersion=1.737.0
-
 # The open-telemetry-boomerang version to ship with the EUM server
-boomerangOpenTelemetryPluginVersion=0.25.0-5
-
-# cannot use higher version due to a conflict with swagger2 and spring boot 2.6 - see https://stackoverflow.com/a/70503395/2478009
-springboot_version=2.5.6
-
-# overrides the default logback version used by spring boot
-logback.version=1.2.10
-
-
+boomerangOpenTelemetryPluginVersion=0.25.0-6
+# 2.7 is the latest release line which runs on Java 8
+springBootVersion=2.7.10
+# We do not really use snakeyaml directly. We overwrite the version of
+# spring due to a security report
+# For 1.33 CVE-2022-1471 is still identified. Since EUM-Server
+# does not read yaml from untrusted sources, it is not affected.
+# We cannot use 2.0 because EUM-Server actually parses a YAML file via Jackson.
+# Jackson uses SnakeYaml and cannot deal with version 2.0
+snakeYamlVersion=1.33
 # Ensure to adapt the netty version (inspectit-ocelot-core/build.gradle) when changing the OpenCensus version
-openCensusVersion=0.28.3
-
+openCensusVersion=0.31.1
 # pin Prometheus client to 0.6.0 to prevent auto prefixing counter metrics with "_total"
 # see: https://github.com/prometheus/client_java/issues/640, https://github.com/prometheus/client_java/pull/653
 prometheusClientVersion = 0.6.0
-
-mockitoVersion=4.1.0
-lombokVersion=1.18.22
-
-openTelemetryVersion=1.20.0
-openTelemetryAlphaVersion=1.1.0-alpha
+lombokVersion=1.18.26
+openTelemetryVersion=1.24.0
+openTelemetryAlphaVersion=1.24.0-alpha
+openTelemetryProtoVersion=1.7.1-alpha
+grpcVersion=1.53.0
+protobufVersion=3.22.2
+guavaVersion=31.1-jre
+# there are newer version, but they are not compatible with Java 8
+geoip2Version=2.16.1
+commonsNetVersion=3.9.0
+commonsMath3Version=3.6.1
+commonsIoVersion=2.11.0
+influxdbJavaVersion=2.23
+opencensusInfluxdbExporterVersion=1.2
+armeriaVersion=1.22.1
+testContainersVersion=1.17.6
+
+### gradle plugin versions
+### Check for newer version at https://plugins.gradle.org/
+# io.spring.dependency-management
+springDependencyManangementVersion=1.1.0
+# org.owasp.dependencycheck
+owaspDependencyCheckVersion=8.0.2
+# org.cyclonedx.bom
+cyclonedxBomVersion=1.7.3
+# com.palantir.docker
+palantirDockerVersion=0.34.0

src/main/java/io/opentelemetry/opencensusshim/internal/metrics/MetricAdapter.java

@@ -237,8 +237,10 @@ static Collection<HistogramPointData> convertHistogramPoints(Metric censusMetric
                                                         endTimestamp,
                                                         attributes,
                                                         distribution.getSum(),
-                                                        null,
-                                                        null,
+                                                    false,
+                                                        -1,
+                                                        false,
+                                                    -1,
                                                         mapBoundaries(distribution.getBucketOptions()),
                                                         mapCounts(distribution.getBuckets()),
                                                         mapExemplars(distribution.getBuckets())),

src/test/java/rocks/inspectit/oce/eum/server/exporters/ExporterIntTestBaseWithOtelCollector.java

@@ -211,9 +211,9 @@ protected void awaitMetricsExported(String metricName, double value, ViewDefinit
                                         .getMetricsList()
                                         .stream()
                                         .filter(metric -> metric.getName().equalsIgnoreCase(metricName))
-                                        .anyMatch(metric -> (aggregation == ViewDefinitionSettings.Aggregation.LAST_VALUE ? metric.getDoubleGauge()
-                                                .getDataPointsList() : metric.getDoubleSum()
-                                                .getDataPointsList()).stream().anyMatch(d -> d.getValue() == value)))));
+                                        .anyMatch(metric -> (aggregation == ViewDefinitionSettings.Aggregation.LAST_VALUE ? metric.getGauge()
+                                                .getDataPointsList() : metric.getSum()
+                                                .getDataPointsList()).stream().anyMatch(d -> d.getAsDouble() == value)))));
     }
 
     /**
@@ -230,10 +230,10 @@ protected void assertMetric(double value, boolean expected) {
                                 .stream()
                                 .anyMatch(iml -> iml.getMetricsList()
                                         .stream()
-                                        .anyMatch(metric -> metric.getDoubleSum()
+                                        .anyMatch(metric -> metric.getSum()
                                                 .getDataPointsList()
                                                 .stream()
-                                                .anyMatch(d -> expected ? d.getValue() == value : d.getValue() != value))))));
+                                                .anyMatch(d -> expected ? d.getAsDouble() == value : d.getAsDouble() != value)))))).isTrue();
     }
 
     /**

src/test/java/rocks/inspectit/oce/eum/server/metrics/BeaconMetricManagerTest.java

@@ -1,6 +1,5 @@
 package rocks.inspectit.oce.eum.server.metrics;
 
-import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import io.opencensus.stats.StatsRecorder;
 import io.opencensus.stats.ViewManager;
@@ -47,7 +46,7 @@ public class BeaconMetricManagerTest {
     ViewManager viewManager;
 
     @Spy
-    List<BeaconRecorder> beaconRecorders = ImmutableList.of(mock(BeaconRecorder.class));
+    List<BeaconRecorder> beaconRecorders = new ArrayList<>(Arrays.asList(mock(BeaconRecorder.class)));
 
     private final Set<String> registeredTags = new HashSet<>(Arrays.asList("first", "second", "third"));