Forum Discussion
EOL Status of OpenCensus Jars and Request for Migration
During a recent review, we noticed that some of the Android Enterprise dependencies we use — specifically opencensus-api and opencensus-contrib-http-util — have not been updated for several years. Last release: 0.31.1 (April 29, 2022).
These libraries are currently required as dependencies for google-http-client.jar, which we use to initialize HTTP clients for API calls.
If we exclude the OpenCensus jars, the application fails at runtime with missing class errors. Therefore, these jars are currently mandatory for successful execution.
However, from a security perspective, our central security team does not allow bundling outdated or unsupported dependencies.
We would appreciate your guidance on the following points:
- Are there any plans to update or refactor google-http-client.jar to remove or upgrade its dependency on the legacy OpenCensus libraries?
- Is there an alternative approach or supported path to use OpenTelemetry (or any other supported telemetry library) in place of OpenCensus for tracing and metrics?
We already raised this in the following portals and received no update, so we are posting it here.
Any roadmap updates or migration guidance would be extremely helpful.
4 Replies
- Lizzie, Google Community Manager, 2 months ago
Hey sharmilashree,
Nice to see you back in the community. I hope you are good.
Thanks for your post - I have had a quick look into the tickets you raised via the Partner Portal, it does look like that team is still speaking with our engineering teams to get more information on this.
I've also responded on the ticket to flag your questions mentioned above, so hopefully we can get a bit more follow-up.
I'm sure the Partner Portal team will follow up with you directly when there is more info, but I'll also keep an eye on it as well.
Thanks and speak soon.
Lizzie
- sharmilashree, Level 1.6: Donut, 30 days ago
Lizzie, it has been over eight months since we raised this case with the AE Partner Escalations team, yet there has been no update or resolution. As highlighted earlier, the AndroidEnterprise JAR currently depends on an end-of-life, deprecated, and security-vulnerable library.
During our recent compliance and security review, both of these JARs were marked as red flags. This poses a serious security and compliance risk, especially for production environments.
We urgently need this dependency to be updated or replaced with a supported and secure version. Delaying this further could lead to non-compliance and potential exposure to critical security vulnerabilities.
We truly appreciate your support and collaboration in helping us resolve this matter promptly.
- sharmilashree, Level 1.6: Donut, 26 days ago
Hi Lizzie, hope you're doing good. Any update on this ticket? Would really appreciate any insights.
- Lizzie, Google Community Manager, 18 days ago
Hello sharmilashree,
Thanks for your patience on this one and I'm sorry that it is taking so long to get back to you. As I say, I can see that the Partner team you have been speaking with has been trying to get an update on this for you.
As this particular area sits outside of AE directly, we've managed to move it to a more suitable team. Hopefully you will receive some more updates on this soon.
As I say, I would recommend continuing to engage with our partner escalations team for any further follow up, as they are the best positioned to help with this.
Hopefully things will speed up now and you get the information you need.
Thanks,
Lizzie