Re-add suppression in for false positive CVE-2023-4586 (#933)

Upgrade besu and netty related deps Remove some older dep overrides
Consensys · Oct 27, 2023 · 712dece · 712dece
1 parent 98b698a
commit 712dece
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 28 deletions.
diff --git a/build.gradle b/build.gradle
@@ -25,7 +25,7 @@ buildscript {
   }
   dependencies {
     classpath 'tech.pegasys.internal.license.reporter:license-reporter:1.0.1'
-    classpath 'org.owasp:dependency-check-gradle:8.4.0'
+    classpath 'org.owasp:dependency-check-gradle:8.4.2'
   }
 }
 

diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
@@ -1,9 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples -->
-    <suppress until="2023-12-16">
+    <suppress until="2024-01-16">
+        <notes><![CDATA[
+        Temporary suppression, as it's arguably a false positive: https://github.com/netty/netty/issues/8537#issuecomment-1527896917
+        The correct thing to do is ensure hostname verification is enabled: https://codetinkering.com/enable-hostname-verification-netty/
+        This is indeed the case for Azure, which is the netty-handler: https://github.com/Azure/azure-sdk-for-java/issues/18286#issuecomment-947958978
+        The other vulnerable lib is besu-metrics, which might want looking at, will see if this CVE gets flagged in besu first
+        file name: netty-handler-4.1.100.Final.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty*@*.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+    </suppress>
+    <suppress until="2024-01-16">
         <notes><![CDATA[
         Suppress CVE-2023-36415 as this should only be applicable on version up to but excluding 1.10.2.
+        https://github.com/jeremylong/DependencyCheck/issues/5992
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.10\.[2-9]$</packageUrl>
         <vulnerabilityName>CVE-2023-36415</vulnerabilityName>

diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -85,8 +85,8 @@ dependencyManagement {
       entry 'mockito-junit-jupiter'
     }
 
-    dependency 'org.hyperledger.besu:plugin-api:23.7.2'
-    dependency 'org.hyperledger.besu.internal:metrics-core:23.7.2'
+    dependency 'org.hyperledger.besu:plugin-api:23.10.1'
+    dependency 'org.hyperledger.besu.internal:metrics-core:23.10.1'
 
     dependency 'org.xipki.iaik:sunpkcs11-wrapper:1.4.10'
 
@@ -126,12 +126,12 @@ dependencyManagement {
     dependency 'com.github.arteam:simple-json-rpc-server:1.3'
     dependency 'com.github.arteam:simple-json-rpc-client:1.3'
 
-    dependencySet(group: 'com.azure', version: '4.7.0') {
+    dependencySet(group: 'com.azure', version: '4.7.1') {
       entry 'azure-security-keyvault-secrets'
       entry 'azure-security-keyvault-keys'
     }
-    dependency 'com.azure:azure-identity:1.10.3'
-    dependency 'com.azure:azure-core-http-netty:1.13.8'
+    dependency 'com.azure:azure-identity:1.10.4'
+    dependency 'com.azure:azure-core-http-netty:1.13.9'
 
     dependency 'com.zaxxer:HikariCP:5.0.1'
     dependency 'org.postgresql:postgresql:42.5.3'
@@ -160,16 +160,6 @@ dependencyManagement {
 
     dependency 'io.rest-assured:rest-assured:4.4.0'
 
-    // explicit declaring to override older versions with vulnerabilities
-    dependencySet(group: 'com.google.protobuf', version: '3.21.12') {
-      /*
-        com.google.protobuf:protobuf-java*:3.11.4 -> 3.19.4 // CVE-2022-3171
-        \--- io.jaegertracing:jaeger-proto:0.7.0
-          \--- org.hyperledger.besu.internal:metrics-core:22.7.6
-      */
-      entry 'protobuf-java'
-      entry 'protobuf-java-util'
-    }
     /*
       com.squareup.okhttp3:logging-interceptor:4.9.0 // CVE-2021-0341
       \--- org.web3j:core:4.9.2
@@ -224,17 +214,9 @@ dependencyManagement {
     dependency 'net.minidev:json-smart:2.4.10'
     dependency 'com.nimbusds:nimbus-jose-jwt:9.31'
 
-    // manually overriding of io.grpc to avoid CVE-2023-32732, we can't update to latest besu metrics-core until
-    // we have Java 17 support in Web3Signer
-    /*
-      +--- org.hyperledger.besu.internal:metrics-core -> 22.10.3
-      |    |    |    |    +--- org.hyperledger.besu:plugin-api:22.10.3
-      |    |    |    |    |    +--- org.apache.commons:commons-lang3:3.12.0
-      |    |    |    |    |    +--- org.apache.tuweni:tuweni-bytes:2.3.1 (*)
-      |    |    |    |    |    \--- org.apache.tuweni:tuweni-units:2.3.1 (*)
-      |    |    |    |    +--- io.grpc:grpc-netty:1.47.0
-     */
-    dependencySet(group: 'io.grpc', version: '1.57.2') {
+    // besu 23.10.1 uses grpc 1.53.0 so vulnerable to
+    // CVE-2023-32731, CVE-2023-33953, CVE-2023-44487, CVE-2023-4785
+    dependencySet(group: 'io.grpc', version: '1.59.0') {
       entry 'grpc-all'
       entry 'grpc-core'
       entry 'grpc-netty'