Exclude netty-codec-http from statsd module

We do not use HTTP in the statsd module, but netty-codec-http is brought in as a transitive dependency from reactor-netty-core. Our usage of reactor-netty-core works without this dependency. To reduce the amount of false positive reports we have to deal with, and to reduce the produced JAR size, we can exclude this unneeded dependency. Resolves gh-2929
micrometer-metrics · Dec 22, 2021 · 92e1881 · 92e1881
1 parent 514b4b9
commit 92e1881
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/implementations/micrometer-registry-statsd/build.gradle b/implementations/micrometer-registry-statsd/build.gradle
@@ -6,7 +6,10 @@ dependencies {
     api project(':micrometer-core')
 
     implementation 'io.projectreactor:reactor-core'
-    implementation 'io.projectreactor.netty:reactor-netty-core'
+    implementation('io.projectreactor.netty:reactor-netty-core') {
+        // We do not use HTTP modules; exclude to avoid false positive CVE reports
+        exclude module: 'netty-codec-http'
+    }
 
     testImplementation project(':micrometer-test')
     testImplementation 'io.projectreactor:reactor-test'

diff --git a/implementations/micrometer-registry-statsd/gradle.lockfile b/implementations/micrometer-registry-statsd/gradle.lockfile