Jmx Exporter Versions

A process for exposing JMX Beans via HTTP for Prometheus consumption

0.20.0

8 months ago

This release includes performance enhancements and new MBean attribute filtering.

As always, the jmx_exporter binaries are available on Maven Central:

  • [FEATURE] Added HTTPServer threads configuration (https://github.com/prometheus/jmx_exporter/pull/837)
  • [FEATURE] Refactored outdated terms (https://github.com/prometheus/jmx_exporter/pull/852)
  • [FEATURE] Added code to skip RuntimeMXBean attributes SystemProperties, ClassPath, BootClassPath, and LibraryPath (https://github.com/prometheus/jmx_exporter/pull/859)
  • [FEATURE] Added MBean attribute exclusion filtering (https://github.com/prometheus/jmx_exporter/pull/870)
  • [FEATURE] Enabled auto object name attribute filtering by default (https://github.com/prometheus/jmx_exporter/pull/871)

parent-0.19.0

9 months ago

This release adds the long-awaited support for HTTPS and Basic auth! See README.md for details.

BREAKING: We dropped Java 6 support. jmx_exporter now requires Java 8 or higher.

As always, the jmx_exporter binaries are available on Maven central:

  • [BREAKING] Removed support for Java 6. New baseline is Java 8
  • [ENHANCEMENT] HTTP Basic authentication (https://github.com/prometheus/jmx_exporter/pull/801)
  • [ENHANCEMENT] HTTPS support (https://github.com/prometheus/jmx_exporter/pull/812)
  • [ENHANCEMENT] Add support for JMX TabularData that uses a CompositeData key (https://github.com/prometheus/jmx_exporter/pull/814) Thanks @adamretter!!!
  • [ENHANCEMENT] MetricsAssertion support for multiple labels (https://github.com/prometheus/jmx_exporter/pull/815)

parent-0.18.0

1 year ago

This release updates the snakeyaml dependency from 1.32 to 2.0, because version 1.32 is vulnerable to CVE-2022-1471.

Note that jmx_exporter uses snakeyaml only to parse its config file. That means unless you have untrusted 3rd parties write your jmx_exporter config, the CVE does not apply. However, if you have automated security scanners complaining about the vulnerable snakeyaml version, this update will help.

As always, the jmx_exporter binaries are available on Maven central:

Fixes and enhancements included in this release:

  • [BUGFIX] Fix jmx_exporter_build_info metric #768. Thanks @dhoard.
  • [BUGFIX] Fix the Debian package build #752, #650. Thanks @ozon2 and @Skunnyk.
  • [ENHANCEMENT] Improve performance of duplicate sample lookup #719. Thanks @amuraru.
  • [BUGFIX] Bump Snakeyaml dependency version to 2.0 to fix CVE-2022-1471 #777, #767. Thanks @dhoard and @ppatierno.

parent-0.17.2

1 year ago

Minor release updating the snakeyaml dependency from 1.31 to 1.32, because version 1.31 is vulnerable to CVE-2022-38752.

Note that jmx_exporter uses snakeyaml only to parse its config file. That means unless you have untrusted 3rd parties write your jmx_exporter config, the CVE does not apply. However, if you have automated security scanners complaining about the vulnerable snakeyaml version, this update will help.

As always, the jmx_exporter binaries are available on Maven central:

Sounds like a deja vu? Yes, we had the same on 10 September when we updated snakeyaml from 1.30 to 1.31 because of CVE-2022-25857.

parent-0.17.1

1 year ago

Minor release updating the snakeyaml dependency from 1.30 to 1.31, because version 1.30 is vulnerable to CVE-2022-25857.

Note that jmx_exporter uses snakeyaml only to parse its config file. That means unless you have untrusted 3rd parties write your jmx_exporter config, the CVE does not apply. However, if you have automated security scanners complaining about the vulnerable snakeyaml version, this update will help.

As always, the jmx_exporter binaries are available on Maven central:

parent-0.17.0

1 year ago

With the last release we started releasing two versions of the Java agent:

Both versions are built from the same code and differ only in the versions of the bundled dependencies.

With this release, we take a similar approach for the standalone HTTP server:

Again, both versions are built from the same code and differ only in the versions of the bundled dependencies.

Note that the standalone HTTP server release was previously named jmx_prometheus_httpserver-<version>-jar-with-dependencies.jar. With this release, we renamed it to jmx_prometheus_httpserver-<version>.jar.

Other changes:

  • [BUGFIX] change the command line argument parser to allow - characters in the hostname (#643, thanks @guignome for reporting).
  • [BUGFIX] Reduce cardinality of default help strings (#704, thanks @SuperQ).
  • [ENHANCEMENT] Prevent remote JMX monitoring when started as a Java agent #675.
  • [ENHANCEMENT] Add SSL support for the debugging SslScraper (#699, thanks @michaelsembwever)
  • [ENHANCEMENT] Fall back to loading attributes 1-by-1 if bulk loading fails (#695, thanks @faenschi).
  • [ENHANCEMENT] update dependency versions.

parent-0.16.1

2 years ago

Release 0.16.1 ships in two versions:

Both versions are built from the same source files and have identical functionality. The only difference is the version of the included snakeyaml dependency. See the 0.16.0 release notes for more details.

Change:

[BUGFIX] Remove misleading metadata from the Java 7+ binary that makes the Trivy security scanner wrongly report CVE-2017-18640 (the metadata references snakeyaml 1.23 even though that version is not included in the binary). See #618.

parent-0.16.0

2 years ago

Update SnakeYAML Dependency Version (#592)

Starting with version 0.16.0, the Java agent is released in two versions:

Both versions are built from the same source files and have identical functionality. The only difference is the version of the included snakeyaml dependency.

jmx_exporter uses the snakeyaml library to read the YAML configuration file. Snakeyaml 1.23 is the last release to support Java 6. This version is affected by CVE-2017-18640, which can cause snakeyaml to execute arbitrary code if the YAML file comes from an untrusted source.

This vulnerability does not apply in the context of jmx_exporter, because the agent configuration will not come from an untrusted source. However, even if there is no actual security risk, users find it annoying that their automated security scans report a CVE. In order to prevent this we published a version with an updated snakeyaml dependency that requires Java >= 7.

Other Changes

  • [BUGFIX] Leverages the interpolated help when the matching rule is cached (fixes #612) (#613)
  • [ENHANCEMENT] Automated integration tests of different Java versions using Testcontainers. Docker needs to be installed on a system in order to run ./mvnw verify.
  • [ENHANCEMENT] Bump logback-classic version (#617)
  • [ENHANCEMENT] Update to client_java 0.11.0
  • [ENHANCEMENT] added support for java.util.Optional (the SonarQube maintainers had this weird idea of an Optional<Long> property in an MBean)

parent-0.15.0

3 years ago

  • [CHANGE/ENHANCEMENT] Update to client_java 0.10.0 to add OpenMetrics support. Any COUNTER type samples will have _total added as a suffix if it isn't already present. If you do not want this, use the default type of UNKNOWN. (#321)
  • [ENHANCEMENT] Added a safety check to deal with incorrect implementations of javax.management.Attribute (#542)

parent-0.14.0

3 years ago

[FEATURE] Allow caching regular expression matching in rules (#518)