Dependency opencensus is no longer maintained

[rogierslag]

This library has an ultimate dependency on a version of grpc-context (1.27.2), which is vulnerable to several CVEs.

• https://nvd.nist.gov/vuln/detail/CVE-2023-33953
• https://nvd.nist.gov/vuln/detail/CVE-2023-4785
• https://nvd.nist.gov/vuln/detail/CVE-2023-32732

The exact dependency chain is as follows:

[INFO] com.google.http-client:google-http-client:jar:1.42.3:compile
[INFO] +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] |  \- io.grpc:grpc-context:jar:1.27.2:compile
[INFO] \- io.opencensus:opencensus-contrib-http-util:jar:0.31.1:compile

The vulnerable library is ultimately included through opensensus, but that repository has been archived on Github, and the code is since unmaintained. The vulnerable version of grpc is defined here.

As the library is unmaintained, no new versions are pushed as part of #1290

[suztomo]

This library shouldn't touch gRPC. I'll try to exclude the dependency.

[suztomo]

It was already handled in googleapis/google-api-java-client#2416.

There's no io.grpc:grpc-context:jar:1.27.2 any more in the dependency tree https://gist.github.com/suztomo/4c19cd63ec5ac031d3951ecfa0fed87d.