Dependency check upgrade and supress FP (#951)

* upgrade dependency-check and supress FP * indentation * updagrade dep-check version * Add delay to avoid api throttle * increase timeout temporarily * update dependecies and supressions
Consensys · Dec 4, 2023 · c4189fd · c4189fd
1 parent 692feea
commit c4189fd
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 15 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -186,8 +186,9 @@ jobs:
           destination: distributions
       - run:
           name: Dependency vulnerability scan
+          no_output_timeout: 40m
           command: |
-            ./gradlew --no-daemon -Dorg.gradle.parallel=false dependencyCheckAggregate
+            ./gradlew --no-daemon -Dorg.gradle.parallel=false dependencyCheckAggregate -DnvdApiDelay=6000
       - run:
           name: Test
           no_output_timeout: 20m

diff --git a/build.gradle b/build.gradle
@@ -25,7 +25,7 @@ buildscript {
   }
   dependencies {
     classpath 'tech.pegasys.internal.license.reporter:license-reporter:1.0.1'
-    classpath 'org.owasp:dependency-check-gradle:8.4.2'
+    classpath 'org.owasp:dependency-check-gradle:9.0.2'
   }
 }
 

diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
@@ -20,18 +20,25 @@
         <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.10\.[2-9]$</packageUrl>
         <vulnerabilityName>CVE-2023-36415</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Suppress CVE-2023-35116 as this is not considered a CVE according to discussion in https://github.com/FasterXML/jackson-databind/issues/3972
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-        <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
-    </suppress>
     <suppress>
         <notes><![CDATA[
         Suppress CVE-2023-3782 as Web3Signer doesn't use brotli and the NVD is incorrectly applying against all okhttp packages instead of just brotli one. See discussion in https://github.com/square/okhttp/issues/7738
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/.*$</packageUrl>
         <cve>CVE-2023-3782</cve>
     </suppress>
+    <suppress until="2024-01-16">
+        <notes><![CDATA[
+        FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli not to the azure-core libraries
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure*@*.*$</packageUrl>
+        <cve>CVE-2023-36052</cve>
+    </suppress>
+    <suppress until="2024-01-16">
+        <notes><![CDATA[
+        CVE relates to attach on gRPC servers (not clients) and is dependent on the Netty version used
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
+        <cve>CVE-2023-44487</cve>
+    </suppress>
 </suppressions>
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -13,8 +13,8 @@
 
 dependencyManagement {
   dependencies {
-    dependency 'com.fasterxml.jackson.core:jackson-databind:2.15.2'
-    dependency 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.2'
+    dependency 'com.fasterxml.jackson.core:jackson-databind:2.16.0'
+    dependency 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.16.0'
 
     dependencySet(group: 'com.google.errorprone', version: '2.21.1') {
       entry 'error_prone_annotation'
@@ -85,8 +85,8 @@ dependencyManagement {
       entry 'mockito-junit-jupiter'
     }
 
-    dependency 'org.hyperledger.besu:plugin-api:23.10.1'
-    dependency 'org.hyperledger.besu.internal:metrics-core:23.10.1'
+    dependency 'org.hyperledger.besu:plugin-api:23.10.2'
+    dependency 'org.hyperledger.besu.internal:metrics-core:23.10.2'
 
     dependency 'org.xipki.iaik:sunpkcs11-wrapper:1.4.10'
 
@@ -175,7 +175,7 @@ dependencyManagement {
     dependency 'com.squareup.okio:okio:3.4.0'
 
     // addressing CVE-2023-44487
-    dependencySet(group: 'io.netty', version: '4.1.100.Final') {
+    dependencySet(group: 'io.netty', version: '4.1.101.Final') {
       entry 'netty-all'
       entry 'netty-codec-http2'
       entry 'netty-handler'
@@ -217,7 +217,7 @@ dependencyManagement {
 
     // besu 23.10.1 uses grpc 1.53.0 so vulnerable to
     // CVE-2023-32731, CVE-2023-33953, CVE-2023-44487, CVE-2023-4785
-    dependencySet(group: 'io.grpc', version: '1.59.0') {
+    dependencySet(group: 'io.grpc', version: '1.59.1') {
       entry 'grpc-all'
       entry 'grpc-core'
       entry 'grpc-netty'