
outdated versions which don't get bumped by renovator, strange licenses #34574

cforce opened this issue Aug 9, 2024 · 9 comments

cforce commented Aug 9, 2024

Component(s)

No response

What happened?

There are years-old versions and current available

This Markdown list contains all the outdated Go packages and their corresponding versions in a table format.
Why are those not bumped by renovator?

# List of Go Packages and Versions

| Package | Version |
|---------|---------|
| `golang/text` | v0.16.0 |
| `hashicorp/go-msgpack` | v0.5.5 |
| `pty` | v1.1.5 |
| `go-flowrate` | 20140419-snapshot-cca7078d |
| `opencontainers/runtime-spec` | v1.0.2 |
| `spf13/cobra` | v1.8.1 |
| `go-openapi/loads` | v0.21.5 |
| `gorilla/websocket` | v1.5.1 |
| `jonboulle/clockwork` | v0.4.0 |
| `Sirupsen/logrus` | v1.9.3 |
| `mailru/easyjson` | v0.7.7 |
| `golang-github-ghodss-yaml-dev` | v1.0.0 |
| `jsoniter-go` | v1.1.12 |
| `modern-go/concurrent` | 20180305-snapshot-bacd9c7e |
| `jstemmer/go-junit-report` | v0.9.1 |
| `google-cloud-go` | v0.114.0 |
| `svgo` | 20211024-snapshot-1546f124 |
| `tv42/httpunix` | 20150427-snapshot-b75d8614 |
| `matttproud-golang_protobuf_extensions` | v1.0.1 |
| `alecthomas-kingpin` | v2.2.6 |
| `google-cloud-go/pubsub` | v1.3.1 |
| `mergo` | v0.3.16 |
| `GoCLI` | v1.1.0 |
| `errcheck` | v1.5.0-alpha |
| `purell` | v1.1.1 |
| `go-autorest` | v14.2.0 |
| `creack/pty` | v1.1.9 |
| `circonus-labs/circonusllhist` | v0.1.3 |
| `golang-github-ryanuber-columnize` | 20180625-snapshot-9b3edd62 |
| `logfmt` | 20140226-snapshot-b84e30ac |
| `martian` | v2.1.0 |
| `mergo` | v1.0.0 |
| `BurntSushi/toml` | v0.3.1 |
| `golang.org/x/sync` | v0.7.0 |
| `GolangProtobuf` | v1.5.4 |
| `DataDog/datadog-go` | v3.2.0 |
| `glfw` | 20200222-snapshot-6f7a984d |
| `xgb` | 20160522-snapshot-27f12275 |
| `go-ansiterm` | 20210617-snapshot-d185dfc1 |
| `julienschmidt/httprouter` | v1.3.0 |
| `pborman/getopt` | 20170112-snapshot-7148bc3a |
| `go-systemd` | v22.5.0 |
| `go-flags` | 20181107-snapshot-5de817a9 |
| `golang/freetype` | 20180316-snapshot-e2365dfd |
| `GolangProtobuf` | v1.34.2 |
| `gregjones/httpcache` | 20180514-snapshot-9cad4c34 |
| `mapstructure` | 20231216-snapshot-8508981c |
| `Azure/azure-sdk-for-go` | v2.0.0-beta |
| `btree` | v1.0.1 |
| `google/renameio` | v0.1.0 |
| `dominikh/go-tools` | v0.0.1-2020.1.4 |
| `armon/go-radix` | v1.0.0 |
| `go-autorest/autorest/mocks` | v0.4.1 |
| `mitchellh/go-testing-interface` | v1.14.1 |
| `gopkg.in/v1/fsnotify` | v1.4.7 |
| `google-cloud-go/datastore` | v1.1.0 |
| `go-autorest/autorest/date` | v0.3.0 |
| `groupcache` | 20210331-snapshot-41bb18bf |
| `golang-stats` | v0.7.0 |
| `cenkalti/backoff` | v4.3.0 |
| `kr/pretty` | v0.3.1 |
| `go-restful` | v2.9.5 |
| `armon/circbuf` | 20150827-snapshot-bbbad097 |
| `diskv` | v2.0.1 |
| `googleapis/gnostic` | v0.4.1 |
| `golang/mock` | v1.4.4 |
| `OpenCensus` | v0.4.1 |
| `golang/glog` | v1.2.1 |
| `glfw` | 20190408-snapshot-e6da0acd |
| `govalidator` | 20230301-snapshot-a9d515a0 |
| `NYTimes/gziphandler` | 20170623-snapshot-56545f4a |
| `go-autorest/autorest` | v0.11.12 |
| `jsonreference` | v0.20.4 |
| `bgentry/speakeasy` | v0.1.0 |
| `pkg/browser` | 20240102-snapshot-5ac0b6a4 |
| `google-cloud-go/bigquery` | v1.8.0 |
| `blackfriday` | v1.6.0 |
| `google-cloud-go/storage` | v1.10.0 |
| `hpcloud-tail` | v1.0.0 |
| `kolo/xmlrpc` | 20220921-snapshot-a4b6fa1d |
| `circonus-labs/circonus-gometrics` | v2.3.1 |
| `godebug` | v1.1.0 |
| `alecthomas/template` | 20190718-snapshot-fb15b899 |
| `onsi/ginkgo` | v1.11.0 |
| `dmitri.shuralyov.com/gpu/mtl` | 20190408-snapshot-666a9877 |
| `sean-/seed` | 20170313-snapshot-e2103e2c |
| `evanphx/json-patch` | v5.6.0 |
| `strfmt` | v0.23.0 |
| `go-tomb/tomb` | 20150422-snapshot-dd632973 |
| `stretchr/objx` | v0.5.2 |
| `go-restful` | v3.11.0 |
| `go-autorest/autorest/adal` | v0.9.5 |
| `pkg/errors` | v0.9.1 |
| `go-autorest/tracing` | v0.6.0 |
| `oklog/ulid` | v1.3.1 |

License violates strong copyleft

  • go_mod/go.opentelemetry.io/collector:otelcol/v0.106.1/gonum.org/v1/gonum:v0.15.0/github.com/golang/freetype:e2365dfdc4a05e4b8299a783240d4a7d5a65d4e4

Code is not maintained and license is "uncommon"

  • go_mod/go.opentelemetry.io/collector:exporter/loggingexporter/v0.106.1/github.com/prometheus/common:v0.55.0/gopkg.in/alecthomas/kingpin.v2:v2.2.6

Collector version

0.106.1

Environment information

Environment

OS: (e.g., "Ubuntu 20.04")
Compiler(if manually compiled): (e.g., "go 14.2")

OpenTelemetry Collector configuration

```yaml
extensions:
  zpages:
    endpoint: "127.0.0.1:55679"

  health_check:
    endpoint: "127.0.0.1:8081"

  pprof:
    endpoint: "127.0.0.1:1777"
    block_profile_fraction: 3
    mutex_profile_fraction: 5

receivers:
  prometheus/otelcol:
    config:
      scrape_configs:
        - job_name: 'otelcol'
          scrape_interval: 10s
          static_configs:
            - targets: ['localhost:8888']
  podman_stats:
    endpoint: unix://run/podman/podman.sock
    timeout: 10s
    collection_interval: 30s
  hostmetrics:
    collection_interval: 30s
    normalizeProcessCPUUtilization: true
    scrapers:
      cpu:
        metrics:
          system.cpu.frequency:
            enabled: true
          system.cpu.logical.count:
            enabled: true
          system.cpu.physical.count:
            enabled: true
          system.cpu.utilization:
            enabled: true
      load:
      paging:
        metrics:
          system.paging.utilization:
            enabled: true
      filesystem:
        metrics:
          system.filesystem.utilization:
            enabled: true
      network:
        metrics:
          system.network.conntrack.count:
            enabled: true
          system.network.conntrack.max:
            enabled: true
      memory:
        metrics:
          system.linux.memory.available:
            enabled: true
          system.memory.limit:
            enabled: true
          system.memory.utilization:
            enabled: true
      processes:
      process:
        metrics:
          process.threads:
            enabled: true
          process.signals_pending:
            enabled: true
          process.paging.faults:
            enabled: true
          process.memory.utilization:
            enabled: true
          process.open_file_descriptors:
            enabled: true
          process.handles:
            enabled: true
          process.disk.operations:
            enabled: true
          process.context_switches:
            enabled: true
          process.cpu.utilization:
            enabled: true
        mute_process_name_error: true
        mute_process_exe_error: true
        mute_process_io_error: true
        mute_process_user_error: true
        mute_process_cgroup_error: true
    resource_attributes:
      process.cgroup: true
  hostmetrics/disk:
    collection_interval: 3m
    scrapers:
      disk:
  otlp:
    protocols:
      grpc:
        endpoint: "${env:HOST_IP}:4317"
        #endpoint: "127.0.0.1:4317"

processors:
  resourcedetection/env:
    detectors: [env, system]
    timeout: 15s
    override: true
  batch:
    # Datadog APM Intake limit is 3.2MB. Let's make sure the batches do not go over that.
    send_batch_max_size: 8192 # (default = 8192): Maximum batch size of spans to be sent to the backend. The default value is 8192 spans.
    send_batch_size: 512 # (default = 512): Maximum number of spans to process in a batch. The default value is 512 spans.
    timeout: 10s # (default = 5s): Maximum time to wait until the batch is sent. The default value is 5s.
  memory_limiter:
    check_interval: 5s
    limit_mib: 150
  attributes:
    actions:
      - key: tags
        value:
          - 'env:dev'
        action: upsert
  resource:
    attributes:
      - key: env
        value: 'dev'
        action: insert
      - key: geo
        action: insert
      - key: region
        action: insert
exporters:
  # logging:
  #   verbosity: detailed
  otlphttp:
    endpoint: http://127.0.0.1:9081/otlp-http

service:
  telemetry:
    metrics:
      address: 'localhost:8888'
    logs:
      level: 'info'
    traces:
      propagators:
        - "b3"
        - "tracecontext"
  extensions: [zpages, health_check, pprof]
  pipelines:
    metrics:
      receivers: [otlp, podman_stats, prometheus/otelcol]
      processors: [memory_limiter, batch, attributes, resource, resourcedetection/env]
      exporters: [otlphttp]
    traces:
      receivers: [otlp]
      processors: [memory_limiter, batch, attributes, resource]
      exporters: [otlphttp]
    logs:
      receivers: [otlp]
      processors: [memory_limiter, batch, attributes, resource]
      exporters: [otlphttp]
```

Log output

No response

Additional context

No response

@cforce cforce added bug Something isn't working needs triage New item requiring triage labels Aug 9, 2024
@cforce cforce changed the title outdated versions whcxih don't get bumped, strange licenses outdated versions whixh don't get bumped, strange licenses Aug 9, 2024
@cforce cforce changed the title outdated versions whixh don't get bumped, strange licenses outdated versions which don't get bumped by renovator, strange licenses Aug 9, 2024
mx-psi (Member) commented Aug 9, 2024

> This Markdown list contains all the outdated Go packages and their corresponding versions in a table format.
> Why are those not bumped by renovator?

I think there are some examples of dependencies listed on that table that are on the latest version, for example spf13/cobra latest version is v1.8.1 and this is the version we use. Could you trim it down to only the outdated dependencies?

> Code is not maintained and license is "uncommon"

I am not sure I understand what you posted, but assuming you are talking about https://github.com/alecthomas/kingpin, this dependency seems to have an MIT license (I would say this is a very common license, and it is OSI approved) and has at least monthly activity. Are you talking about a different dependency?

> License violates strong copyleft

Again, making a guess here but it seems you are talking about github.com/golang/freetype. This one is interesting: the license is not OSI-approved, nothing on the license seems concerning to me but I am not a lawyer. If this is a concern, we can try and reach out to the CNCF so that they help us clarify this.
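One way to produce the trimmed list asked for above, as an added example that is not code from this thread or from the collector project: it reads the JSON stream that `go list -m -u -json all` writes, keeps only modules that actually have a newer version (so a current module like cobra v1.8.1 drops out), and flags pseudo-version snapshots such as the table's `snapshot` rows. The sample input is constructed; the freetype update hash is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Module holds the `go list -m -u -json all` fields used here; Update is nil when current.
type Module struct {
	Path, Version string
	Indirect      bool
	Update        *struct{ Version string }
}
// pseudoVersion matches untagged commit snapshots, the "snapshot" rows of the issue's table.
var pseudoVersion = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[\w.]+\.)?\d{14}-[0-9a-f]{12}$`)
// Outdated decodes the JSON object stream go list emits (not an array) and keeps only modules with an update.
func Outdated(src string) ([]string, error) {
	dec := json.NewDecoder(strings.NewReader(src))
	var out []string
	for dec.More() {
		var m Module
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.Update == nil {
			continue // already latest, like cobra v1.8.1 in the thread
		}
		note := ""
		if pseudoVersion.MatchString(m.Version) {
			note = " snapshot"
		}
		out = append(out, fmt.Sprintf("%s %s -> %s indirect=%t%s", m.Path, m.Version, m.Update.Version, m.Indirect, note))
	}
	return out, nil
}

// sample is constructed input, not real project data; the freetype update hash is a placeholder.
const sample = `{"Path":"github.com/spf13/cobra","Version":"v1.8.1"}
{"Path":"github.com/emicklei/go-restful/v3","Version":"v3.11.0","Indirect":true,"Update":{"Version":"v3.12.1"}}
{"Path":"github.com/golang/freetype","Version":"v0.0.0-20170609003504-e2365dfdc4a0","Update":{"Version":"v0.0.0-20240101000000-000000000000"}}`

func main() {
	lines, err := Outdated(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(lines, "\n"))
}
```

Pipe real output in with `go list -m -u -json all` from the module root; the `indirect=true` rows are the ones to check against what the project actually imports before reporting them.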

cforce (Author) commented Aug 10, 2024

Cobra is a lucky pick.. but I found a lot which have much newer versions listed there.
Using snapshots or releases from 2015-2019 also feels a bit weird. I thought it is worth mentioning and wonder whether those deps are needed or no updates are there, which would define the project as dead.

go_mod/go.opentelemetry.io/collector:otelcol/v0.106.1/gonum.org/v1/gonum:v0.15.0/git.sr.ht/~sbinet/gg:v0.5.0
Unknown license -> https://git.sr.ht/~sbinet/gg

go-restful v2.9.5 https://github.com/emicklei/go-restful

mx-psi (Member) commented Aug 10, 2024

> but I found a lot which have much newer versions listed there.

Could you list those ones so we can investigate?

> Unknown license -> git.sr.ht/~sbinet/gg

I think this is an MIT license, isn't it? https://git.sr.ht/~sbinet/gg/tree/main/item/LICENSE.md

> go-restful v2.9.5 emicklei/go-restful

Same here: https://github.com/emicklei/go-restful/blob/v3/LICENSE and we use the latest version

github.com/emicklei/go-restful/v3 v3.11.0 // indirect

cforce (Author) commented Aug 10, 2024

> Could you list those ones so we can investigate?

I will need more time to run over it again and I am leaving for vacation soon.

> I think this is an MIT license, isn't it? https://git.sr.ht/~sbinet/gg/tree/main/item/LICENSE.md

Hard to say - it's not clear, I would say, and therefore a risk:
https://git.sr.ht/~sbinet/gg/tree/main/item/LICENSE.md

> go-restful v2.9.5

Is it really the latest? The last commit on this version is 5 years old.
The releases page is not useful: https://github.com/emicklei/go-restful/releases
but the tags show a lot newer: https://github.com/emicklei/go-restful/tree/v3.12.1
Also v2.9.5 might be affected by https://cwe.mitre.org/data/definitions/285.html and https://cwe.mitre.org/data/definitions/625.html and others: https://github.com/emicklei/go-restful/issues?q=is%3Aissue+vuln

mx-psi (Member) commented Aug 12, 2024

> Hard to say - it's not clear, I would say, and therefore a risk:
> git.sr.ht/~sbinet/gg/tree/main/item/LICENSE.md

You can compare with the go-restful one, the text is exactly the same (edit: save for the explicit mention of "MIT license" and the copyright header).

> Is it really the latest? The last commit on this version is 5 years old.

v2.9.5 is not the latest, but we are using v3.11.0 in all modules, not v2.9.5: https://github.com/search?q=repo%3Aopen-telemetry%2Fopentelemetry-collector-contrib+go-restful&type=code&p=2

As you can see from this search https://github.com/search?q=repo%3Aopen-telemetry%2Fopentelemetry-collector-contrib+go-restful%2Fv2&type=code we are not using v2 anywhere.
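The comparison described two comments up (same MIT body once the title line and copyright header are set aside), as an added example that is not part of this thread or of any project: it normalizes a license file and checks it against the MIT body, dropping a copyright line only when it carries a year so that a re-wrapped body line that happens to begin with "copyright" is not thrown away. The sample license file is constructed, not the real gg or go-restful file.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// mitTemplate is the MIT permission and disclaimer body; the copyright line is omitted because it varies.
const mitTemplate = `Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.`
// copyrightLine matches a copyright header (with a year), not body text that merely starts with "copyright".
var copyrightLine = regexp.MustCompile(`^copyright\b.*\b\d{4}\b`)
// normalize drops what legitimately differs between copies of one license (title,
// copyright line, case, line wrapping) so the bodies can be compared exactly.
func normalize(text string) string {
	var words []string
	for _, line := range strings.Split(text, "\n") {
		l := strings.ToLower(strings.TrimSpace(line))
		if copyrightLine.MatchString(l) || strings.Contains(l, "mit license") {
			continue
		}
		words = append(words, strings.Fields(l)...)
	}
	return strings.Join(words, " ")
}
// IsMIT reports whether text is the MIT license once headers and wrapping are ignored.
func IsMIT(text string) bool { return normalize(text) == normalize(mitTemplate) }

// sample is a constructed license file, not the real gg file: title, copyright header, MIT body rewrapped.
var sample = "The MIT License (MIT)\n\nCopyright (c) 2016 Example Author\n\n" + strings.ReplaceAll(mitTemplate, "\n", " ")

func main() {
	fmt.Println("sample is MIT:", IsMIT(sample))
}
```

Any single changed word in the body (an added clause, a removed warranty line) makes the comparison fail, which is the point: a "looks like MIT" file should be checked against the exact text, not eyeballed.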

@mx-psi mx-psi added waiting for author priority:p2 Medium and removed bug Something isn't working needs triage New item requiring triage labels Aug 12, 2024
cforce (Author) commented Aug 13, 2024

I will close this and come up with a new one.

@cforce cforce closed this as completed Aug 13, 2024
cforce (Author) commented Nov 5, 2024

@cforce cforce reopened this Nov 5, 2024
mx-psi (Member) commented Nov 5, 2024

@cforce This is an OSI-approved license, the dependency was specifically allow-listed by the CNCF as you can see here

github-actions bot (Contributor) commented Jan 6, 2025

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

@github-actions github-actions bot added the Stale label Jan 6, 2025