updates docker and library dependencies to the latest version

.github/workflows/security.yml

@@ -3,7 +3,7 @@
 
 # We don't scan documentation-only commits.
 on:  # yamllint disable-line rule:truthy
   workflow_dispatch: # trigger ad-hoc runs of this action
   push:  # non-tagged pushes to master
     branches:
       - master
@@ -24,7 +24,7 @@
 jobs:
   security:
     name: security
-    runs-on: ubuntu-24.04  # newest available distribution, aka numbat
+    runs-on: ubuntu-22.04  # newest available distribution, aka jellyfish
     # skip commits made by the release plugin
     if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
     steps:
@@ -39,9 +39,6 @@
       - name: Run Trivy vulnerability and secret scanner
         uses: aquasecurity/trivy-action@master
         id: trivy
-        env:  # See https://github.com/aquasecurity/trivy/discussions/7668
-          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
-          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
         with:
           scan-type: 'fs'
           scan-ref: '.'  # scan the entire repository

.mvn/wrapper/maven-wrapper.properties

@@ -14,5 +14,7 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.6/apache-maven-3.9.6-bin.zip
-wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar
+wrapperVersion=3.3.2
+distributionType=bin
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar

benchmarks/pom.xml

@@ -20,13 +20,26 @@
 
   <properties>
     <main.basedir>${project.basedir}/..</main.basedir>
-    <jmh.version>1.27</jmh.version>
+    <jmh.version>1.37</jmh.version>
 
     <maven.compiler.source>17</maven.compiler.source>
     <maven.compiler.target>17</maven.compiler.target>
     <maven.compiler.release>17</maven.compiler.release>
   </properties>
 
+  <!-- Avoid CVEs in armeria deps -->
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-bom</artifactId>
+        <version>${netty.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
     <dependency>
       <groupId>${project.groupId}</groupId>

build-bin/docker-compose-zipkin-gcp.yml

@@ -3,14 +3,14 @@ volumes:
   gcp-service-account:
 services:
   extract-service-account:
-    image: ghcr.io/openzipkin/alpine:3.19.1
+    image: ghcr.io/openzipkin/alpine:3.21.2
     volumes:
       - gcp-service-account:/credentials:rw
     command: -c 'echo $GOOGLE_APPLICATION_CREDENTIALS_BASE64 | base64 -d > /credentials/service-account-key.json'
     environment:
       - GOOGLE_APPLICATION_CREDENTIALS_BASE64
   show-service-account:
-    image: ghcr.io/openzipkin/alpine:3.19.1
+    image: ghcr.io/openzipkin/alpine:3.21.2
     volumes:
       - gcp-service-account:/credentials:ro
     # Show that the file exists as a sanity check in logs.

build-bin/maven/maven_unjar

@@ -58,7 +58,7 @@ fi
 
 if ! test -f ${artifact_id}.jar && [ ${is_release} = "true" ]; then
   mvn_get="mvn -q --batch-mode -Denforcer.fail=false \
-  org.apache.maven.plugins:maven-dependency-plugin:3.6.1:get \
+  org.apache.maven.plugins:maven-dependency-plugin:3.8.1:get \
   -Dtransitive=false -DgroupId=${group_id} -DartifactId=${artifact_id} -Dversion=${version}"
 
   if [ -n "${classifier}" ]; then

docker/Dockerfile

@@ -4,14 +4,14 @@
 #
 
 # zipkin version should match zipkin.version in /pom.xml
-ARG zipkin_version=3.4.2
+ARG zipkin_version=3.5.0
 
 # java_version is used during the installation process to build or download the module jar.
 #
 # Use latest version here: https://github.com/orgs/openzipkin/packages/container/package/java
 # This is defined in many places because Docker has no "env" script functionality unless you use
 # docker-compose: When updating, update everywhere.
-ARG java_version=21.0.5_p11
+ARG java_version=21.0.6_p7
 
 # We copy files from the context into a scratch container first to avoid a problem where docker and
 # docker-compose don't share layer hashes https://github.com/docker/compose/issues/883 normally.

module/pom.xml

@@ -25,6 +25,19 @@
     <maven.compiler.release>17</maven.compiler.release>
   </properties>
 
+  <!-- Avoid CVEs in armeria deps -->
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-bom</artifactId>
+        <version>${netty.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
     <dependency>
       <groupId>${project.groupId}</groupId>