Merge branch 'develop' into update-from-template-merged

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -15,9 +15,9 @@ body:
     attributes:
       label: "Checklist"
       options:
-        - label: "I am able to reproduce the bug with the [latest version](https://github.com/xdev-software/template-placeholder/releases/latest)"
+        - label: "I am able to reproduce the bug with the [latest version](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/releases/latest)"
           required: true
-        - label: "I made sure that there are *no existing issues* - [open](https://github.com/xdev-software/template-placeholder/issues) or [closed](https://github.com/xdev-software/template-placeholder/issues?q=is%3Aissue+is%3Aclosed) - which I could contribute my information to."
+        - label: "I made sure that there are *no existing issues* - [open](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/issues) or [closed](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/issues?q=is%3Aissue+is%3Aclosed) - which I could contribute my information to."
           required: true
         - label: "I have taken the time to fill in all the required details. I understand that the bug report will be dismissed otherwise."
           required: true

.github/ISSUE_TEMPLATE/enhancement.yml

@@ -13,7 +13,7 @@ body:
     attributes:
       label: "Checklist"
       options:
-        - label: "I made sure that there are *no existing issues* - [open](https://github.com/xdev-software/template-placeholder/issues) or [closed](https://github.com/xdev-software/template-placeholder/issues?q=is%3Aissue+is%3Aclosed) - which I could contribute my information to."
+        - label: "I made sure that there are *no existing issues* - [open](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/issues) or [closed](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/issues?q=is%3Aissue+is%3Aclosed) - which I could contribute my information to."
           required: true
         - label: "I have taken the time to fill in all the required details. I understand that the feature request will be dismissed otherwise."
           required: true

.github/ISSUE_TEMPLATE/question.yml

@@ -12,7 +12,7 @@ body:
     attributes:
       label: "Checklist"
       options:
-        - label: "I made sure that there are *no existing issues* - [open](https://github.com/xdev-software/template-placeholder/issues) or [closed](https://github.com/xdev-software/template-placeholder/issues?q=is%3Aissue+is%3Aclosed) - which I could contribute my information to."
+        - label: "I made sure that there are *no existing issues* - [open](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/issues) or [closed](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/issues?q=is%3Aissue+is%3Aclosed) - which I could contribute my information to."
           required: true
         - label: "I have taken the time to fill in all the required details. I understand that the question will be dismissed otherwise."
           required: true

.run/Run Demo.run.xml

@@ -1,7 +1,7 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="Run Demo" type="Application" factoryName="Application">
     <option name="MAIN_CLASS_NAME" value="software.xdev.Application" />
-    <module name="template-placeholder-demo" />
+    <module name="prometheus-metrics-exposition-formats-no-protobuf-demo" />
     <option name="WORKING_DIRECTORY" value="$MODULE_DIR$" />
     <extension name="coverage">
       <pattern>

CHANGELOG.md

@@ -0,0 +1,14 @@
+# 3.0.0
+* In theory the library is [no longer required](https://prometheus.github.io/client_java/exporters/formats/#exclude-protobuf-exposition-format), however [there are still some problems with how the changes have been implemented upstream](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/issues/27).
+  * Library now completely removes protobuf functionality
+    * ``PrometheusProtobufWriter`` is no longer loaded in the first place
+  * Removed shading once again
+
+# 2.0.0
+* Make exclusion work in ``prometheus-metrics-exposition-formats`` 1.3.2+ #3
+   * ``prometheus-metrics-exposition-formats`` is now directly included using shading
+   * All protobuf code is removed during shading
+   * This is a workaround until https://github.com/prometheus/client_java/pull/1190 is merged
+
+# 1.0.0
+_Initial release_

CONTRIBUTING.md

@@ -34,10 +34,10 @@ You should have the following things installed:
   * Ensure that the JDK/Java-Version is correct
 
 
-## Releasing [![Build](https://img.shields.io/github/actions/workflow/status/xdev-software/template-placeholder/release.yml?branch=master)](https://github.com/xdev-software/template-placeholder/actions/workflows/release.yml)
+## Releasing [![Build](https://img.shields.io/github/actions/workflow/status/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/release.yml?branch=master)](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/actions/workflows/release.yml)
 
 Before releasing:
-* Consider doing a [test-deployment](https://github.com/xdev-software/template-placeholder/actions/workflows/test-deploy.yml?query=branch%3Adevelop) before actually releasing.
+* Consider doing a [test-deployment](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/actions/workflows/test-deploy.yml?query=branch%3Adevelop) before actually releasing.
 * Check the [changelog](CHANGELOG.md)
 
 If the ``develop`` is ready for release, create a pull request to the ``master``-Branch and merge the changes

README.md

@@ -1,12 +1,70 @@
-[![Latest version](https://img.shields.io/maven-central/v/software.xdev/template-placeholder?logo=apache%20maven)](https://mvnrepository.com/artifact/software.xdev/template-placeholder)
-[![Build](https://img.shields.io/github/actions/workflow/status/xdev-software/template-placeholder/check-build.yml?branch=develop)](https://github.com/xdev-software/template-placeholder/actions/workflows/check-build.yml?query=branch%3Adevelop)
-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=xdev-software_template-placeholder&metric=alert_status)](https://sonarcloud.io/dashboard?id=xdev-software_template-placeholder)
+[![Latest version](https://img.shields.io/maven-central/v/software.xdev/prometheus-metrics-exposition-formats-no-protobuf?logo=apache%20maven)](https://mvnrepository.com/artifact/software.xdev/prometheus-metrics-exposition-formats-no-protobuf)
+[![Build](https://img.shields.io/github/actions/workflow/status/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/check-build.yml?branch=develop)](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/actions/workflows/check-build.yml?query=branch%3Adevelop)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=xdev-software_prometheus-metrics-exposition-formats-no-protobuf&metric=alert_status)](https://sonarcloud.io/dashboard?id=xdev-software_prometheus-metrics-exposition-formats-no-protobuf)
 
-# template-placeholder
+# prometheus-metrics-exposition-formats-no-protobuf
 
+Reconfigures [prometheus-metrics-exposition-formats](https://github.com/prometheus/client_java) to remove [protobuf](https://github.com/protocolbuffers/protobuf).
+
+This module is designed to integrate with [Spring Boot Actuator (Prometheus)](https://docs.spring.io/spring-boot/api/rest/actuator/prometheus.html) or similar services.
+
+### Why remove Protobuf?
+
+1. [Prometheus Protobuf format is obsolete/experimental](https://github.com/prometheus/docs/blob/main/content/docs/instrumenting/exposition_formats.md#protobuf-format), the chance that it's used is near 0
+2. The additional library can result in additional attack vectors. For example in [CVE-2024-7254](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8)
+    * If the dependency is [reshaded](https://maven.apache.org/plugins/maven-shade-plugin/) it may not be detected by vulnerability scanners (as is the case in ``io.prometheus:prometheus-metrics-exposition-formats <= 1.3.1``)
+3. The protobuf dependency is huge (around 10x bigger) in comparison to the other libraries
+
+_See also [prometheus/client_java#1173](https://github.com/prometheus/client_java/issues/1173)_
 
 ## Installation
-[Installation guide for the latest release](https://github.com/xdev-software/template-placeholder/releases/latest#Installation)
+[Installation guide for the latest release](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/releases/latest#Installation)
+
+### Compatibility with ``io.prometheus:prometheus-metrics-exposition-formats``
+
+| ``io.prometheus:prometheus-metrics-exposition-formats`` version | ``prometheus-metrics-exposition-formats-no-protobuf`` version |
+| --- | --- |
+| 1.3.4+ | [``3`` (optional)](./CHANGELOG.md#300) |
+| 1.3.2+ | ``2`` |
+| < 1.3.2 | ``1`` |
+
+### Spring Boot Actuator
+
+```xml
+<dependencyManagement>
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-dependencies</artifactId>
+            <version>...</version>
+            <type>pom</type>
+            <scope>import</scope>
+        </dependency>
+    </dependencies>
+</dependencyManagement>
+
+<dependencies>
+    <dependency>
+        <groupId>software.xdev</groupId>
+        <artifactId>prometheus-metrics-exposition-formats-no-protobuf</artifactId>
+        <version>...</version>
+        <scope>runtime</scope>
+    </dependency>
+
+    <dependency>
+        <groupId>io.micrometer</groupId>
+        <artifactId>micrometer-registry-prometheus</artifactId>
+        <exclusions>
+            <!-- Exclude default module so that dependency is properly removed -->
+            <exclusion>
+                <groupId>io.prometheus</groupId>
+                <artifactId>prometheus-metrics-exposition-formats</artifactId>
+            </exclusion>
+        </exclusions>
+        <scope>runtime</scope>
+    </dependency>
+</dependencies>
+```
 
 ## Support
 If you need support as soon as possible and you can't wait for any pull request, feel free to use [our support](https://xdev.software/en/services/support).
@@ -15,4 +73,4 @@ If you need support as soon as possible and you can't wait for any pull request,
 See the [contributing guide](./CONTRIBUTING.md) for detailed instructions on how to get started with our project.
 
 ## Dependencies and Licenses
-View the [license of the current project](LICENSE) or the [summary including all dependencies](https://xdev-software.github.io/template-placeholder/dependencies)
+View the [license of the current project](LICENSE) or the [summary including all dependencies](https://xdev-software.github.io/prometheus-metrics-exposition-formats-no-protobuf/dependencies)

SECURITY.md

@@ -2,4 +2,4 @@
 
 ## Reporting a Vulnerability
 
-Please report a security vulnerability [on GitHub Security Advisories](https://github.com/xdev-software/template-placeholder/security/advisories/new).
+Please report a security vulnerability [on GitHub Security Advisories](https://github.com/xdev-software/prometheus-metrics-exposition-formats-no-protobuf/security/advisories/new).

pom.xml

@@ -5,8 +5,8 @@
 	<modelVersion>4.0.0</modelVersion>
 
 	<groupId>software.xdev</groupId>
-	<artifactId>template-placeholder-root</artifactId>
-	<version>1.0.0-SNAPSHOT</version>
+	<artifactId>prometheus-metrics-exposition-formats-no-protobuf-root</artifactId>
+	<version>3.0.1-SNAPSHOT</version>
 	<packaging>pom</packaging>
 
 	<organization>
@@ -15,8 +15,8 @@
 	</organization>
 
 	<modules>
-		<module>template-placeholder</module>
-		<module>template-placeholder-demo</module>
+		<module>prometheus-metrics-exposition-formats-no-protobuf</module>
+		<module>prometheus-metrics-exposition-formats-no-protobuf-demo</module>
 	</modules>
 
 	<properties>

prometheus-metrics-exposition-formats-no-protobuf-demo/pom.xml

@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+		<groupId>software.xdev</groupId>
+		<artifactId>prometheus-metrics-exposition-formats-no-protobuf-root</artifactId>
+		<version>3.0.1-SNAPSHOT</version>
+	</parent>
+
+	<artifactId>prometheus-metrics-exposition-formats-no-protobuf-demo</artifactId>
+	<version>3.0.1-SNAPSHOT</version>
+	<packaging>jar</packaging>
+
+	<organization>
+		<name>XDEV Software</name>
+		<url>https://xdev.software</url>
+	</organization>
+
+	<properties>
+		<javaVersion>17</javaVersion>
+		<maven.compiler.release>${javaVersion}</maven.compiler.release>
+
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+
+		<mainClass>software.xdev.Application</mainClass>
+
+		<org.springframework.boot.version>3.4.1</org.springframework.boot.version>
+	</properties>
+
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-dependencies</artifactId>
+				<version>${org.springframework.boot.version}</version>
+				<type>pom</type>
+				<scope>import</scope>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+
+	<dependencies>
+		<dependency>
+			<groupId>software.xdev</groupId>
+			<artifactId>prometheus-metrics-exposition-formats-no-protobuf</artifactId>
+			<version>${project.version}</version>
+			<scope>runtime</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-actuator</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>io.micrometer</groupId>
+			<artifactId>micrometer-registry-prometheus</artifactId>
+			<exclusions>
+				<!-- Exclude default module so that dependency is properly removed -->
+				<exclusion>
+					<groupId>io.prometheus</groupId>
+					<artifactId>prometheus-metrics-exposition-formats</artifactId>
+				</exclusion>
+			</exclusions>
+			<scope>runtime</scope>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<finalName>${project.artifactId}</finalName>
+
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>3.13.0</version>
+				<configuration>
+					<release>${maven.compiler.release}</release>
+					<compilerArgs>
+						<arg>-proc:none</arg>
+					</compilerArgs>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+				<version>${org.springframework.boot.version}</version>
+				<configuration>
+					<mainClass>${mainClass}</mainClass>
+				</configuration>
+				<executions>
+					<execution>
+						<id>repackage</id>
+						<goals>
+							<goal>repackage</goal>
+						</goals>
+						<phase>package</phase>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+</project>

prometheus-metrics-exposition-formats-no-protobuf-demo/src/main/java/software/xdev/Application.java

@@ -0,0 +1,15 @@
+package software.xdev;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+
+@SuppressWarnings("checkstyle:HideUtilityClassConstructor")
+@SpringBootApplication
+public class Application
+{
+	public static void main(final String[] args)
+	{
+		SpringApplication.run(Application.class, args);
+	}
+}

prometheus-metrics-exposition-formats-no-protobuf-demo/src/main/java/software/xdev/controllers/RootController.java

@@ -0,0 +1,23 @@
+package software.xdev.controllers;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+
+@RestController
+@RequestMapping("/")
+public class RootController
+{
+	@GetMapping
+	public String respond()
+	{
+		return """
+			<html>
+			<body>
+			Go to <a href="/actuator/prometheus">Prometheus metrics</a>
+			</body>
+			</html>
+			""";
+	}
+}

prometheus-metrics-exposition-formats-no-protobuf-demo/src/main/resources/application.yml

@@ -0,0 +1,14 @@
+management:
+  endpoints:
+    web:
+      exposure:
+        include: "*"
+        # Env is potentially security sensitive so better hide it
+        exclude: "env"
+  endpoint:
+    health:
+      show-details: "when-authorized"
+  health:
+    # Kubernetes probes
+    probes:
+      enabled: true