From 4b89c3130caa024fc82f6cc1b745cafc799a3a5d Mon Sep 17 00:00:00 2001
From: Gabriel Fukushima
Date: Thu, 30 Nov 2023 11:08:02 +1000
Subject: [PATCH 1/6] upgrade dependency-check and supress FP
---
 build.gradle | 2 +-
 gradle/owasp-suppression.xml | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 2737a095b..0f963580b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -25,7 +25,7 @@ buildscript {
 }
 dependencies {
 classpath 'tech.pegasys.internal.license.reporter:license-reporter:1.0.1'
- classpath 'org.owasp:dependency-check-gradle:8.4.2'
+ classpath 'org.owasp:dependency-check-gradle:9.0.1'
 }
 }
diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
index 0ef47a82e..257226203 100644
--- a/gradle/owasp-suppression.xml
+++ b/gradle/owasp-suppression.xml
@@ -34,4 +34,11 @@
 ^pkg:maven/com\.squareup\.okhttp3/.*$ CVE-2023-3782 + + + ^pkg:maven/com\.azure/azure-core@.*$ + CVE-2023-36052 +
From d73a47bab20afede8d5f876fa764d11cf0a3c622 Mon Sep 17 00:00:00 2001
From: Gabriel Fukushima
Date: Thu, 30 Nov 2023 11:13:54 +1000
Subject: [PATCH 2/6] indentation
---
 gradle/owasp-suppression.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
index 257226203..16fb09dea 100644
--- a/gradle/owasp-suppression.xml
+++ b/gradle/owasp-suppression.xml
@@ -36,8 +36,8 @@
+ FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli not to the azure-core libraries + ]]> ^pkg:maven/com\.azure/azure-core@.*$ CVE-2023-36052
From 8ce6f1554a43310260437f746f8a933286b257b7 Mon Sep 17 00:00:00 2001
From: Gabriel Fukushima
Date: Mon, 4 Dec 2023 08:51:14 +1000
Subject: [PATCH 3/6] updagrade dep-check version
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 0f963580b..c36984c40 100644
--- a/build.gradle
+++ b/build.gradle
@@ -25,7 +25,7 @@ buildscript {
 }
 dependencies {
 classpath 'tech.pegasys.internal.license.reporter:license-reporter:1.0.1'
- classpath 'org.owasp:dependency-check-gradle:9.0.1'
+ classpath 'org.owasp:dependency-check-gradle:9.0.2'
 }
 }
From 76597f4e8e2d1e3f85d8358397ab83f060f8f336 Mon Sep 17 00:00:00 2001
From: Gabriel Fukushima
Date: Mon, 4 Dec 2023 10:13:46 +1000
Subject: [PATCH 4/6] Add delay to avoid api throttle
---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index b94096bf0..366d16209 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -187,7 +187,7 @@ jobs:
 - run:
 name: Dependency vulnerability scan
 command: |
- ./gradlew --no-daemon -Dorg.gradle.parallel=false dependencyCheckAggregate
+ ./gradlew --no-daemon -Dorg.gradle.parallel=false dependencyCheckAggregate -DnvdApiDelay=6000
 - run:
 name: Test
 no_output_timeout: 20m
From 7ab4e9fc077ca32880db6ef5ef0bfd752a48486c Mon Sep 17 00:00:00 2001
From: Gabriel Fukushima
Date: Mon, 4 Dec 2023 13:20:11 +1000
Subject: [PATCH 5/6] increase timeout temporarily
---
 .circleci/config.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 366d16209..81046d534 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -186,6 +186,7 @@ jobs:
 destination: distributions
 - run:
 name: Dependency vulnerability scan
+ no_output_timeout: 40m
 command: |
 ./gradlew --no-daemon -Dorg.gradle.parallel=false dependencyCheckAggregate -DnvdApiDelay=6000
 - run:
From 3ac9783e70143b51548c0abeae690f848c4a3c04 Mon Sep 17 00:00:00 2001
From: Gabriel Fukushima
Date: Mon, 4 Dec 2023 14:23:16 +1000
Subject: [PATCH 6/6] update dependecies and supressions
---
 gradle/owasp-suppression.xml | 16 ++++++++--------
 gradle/versions.gradle | 12 ++++++------
 2 files changed, 14 insertions(+), 14 deletions(-)
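Review bot: The new `-DnvdApiDelay=6000` appended to the dependencyCheckAggregate command is an undocumented magic number; a comment on its own line above `command: |`, e.g. `# 6000 ms between NVD API calls: the anonymous NVD API is rate-limited`, would spare the next reader a lookup (the unit is inferred from the plugin's documentation, not visible here). If the job runs without an NVD API key, the scan stays on the throttled anonymous tier regardless of the delay, so a key supplied from a CI secret through the plugin's `nvd.apiKey` setting is the durable fix and this delay only a mitigation. The following patch raises this step's `no_output_timeout` for the same reason, so the two settings are best documented together.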
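Review bot: The added `no_output_timeout: 40m` is called temporary only in the commit subject, so nothing in the config will remind anyone to revert it once the NVD throttling is solved. Keeping the intent next to the setting, `no_output_timeout: 40m # temporary: NVD API throttling during dependencyCheckAggregate, revert once an API key is configured`, makes the cleanup discoverable. A 40-minute silent window also means a genuinely hung scan is noticed late, which is a second reason to treat it as short-lived.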
diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
index 16fb09dea..8ef642f96 100644
--- a/gradle/owasp-suppression.xml
+++ b/gradle/owasp-suppression.xml
@@ -20,13 +20,6 @@
 ^pkg:maven/com\.azure/azure\-identity@1\.10\.[2-9]$ CVE-2023-36415 - - - ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ - CVE-2023-35116 - - ^pkg:maven/com\.azure/azure-core@.*$ + ^pkg:maven/com\.azure/azure*@*.*$ CVE-2023-36052 + + + ^pkg:maven/io\.grpc/grpc\-.*$ + CVE-2023-44487 +
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
index 46c56daab..5f30d5da2 100644
--- a/gradle/versions.gradle
+++ b/gradle/versions.gradle
@@ -13,8 +13,8 @@ dependencyManagement {
 dependencies {
- dependency 'com.fasterxml.jackson.core:jackson-databind:2.15.2'
- dependency 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.2'
+ dependency 'com.fasterxml.jackson.core:jackson-databind:2.16.0'
+ dependency 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.16.0'
 dependencySet(group: 'com.google.errorprone', version: '2.21.1') {
 entry 'error_prone_annotation'
@@ -85,8 +85,8 @@ dependencyManagement {
 entry 'mockito-junit-jupiter'
 }
- dependency 'org.hyperledger.besu:plugin-api:23.10.1'
- dependency 'org.hyperledger.besu.internal:metrics-core:23.10.1'
+ dependency 'org.hyperledger.besu:plugin-api:23.10.2'
+ dependency 'org.hyperledger.besu.internal:metrics-core:23.10.2'
 dependency 'org.xipki.iaik:sunpkcs11-wrapper:1.4.10'
@@ -175,7 +175,7 @@ dependencyManagement {
 dependency 'com.squareup.okio:okio:3.4.0'
 // addressing CVE-2023-44487
- dependencySet(group: 'io.netty', version: '4.1.100.Final') {
+ dependencySet(group: 'io.netty', version: '4.1.101.Final') {
 entry 'netty-all'
 entry 'netty-codec-http2'
 entry 'netty-handler'
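Review bot: The replacement pattern `^pkg:maven/com\.azure/azure*@*.*$` is written like a shell glob, but the packageUrl patterns in this file are regular expressions: `azure*` matches `azur` followed by any number of `e`, and `@*` matches zero or more `@`, so the line is equivalent to `^pkg:maven/com\.azure/azur.*$` and suppresses CVE-2023-36052 for every com.azure artifact at every version, which is broader than the Azure CLI false-positive note justifies and misleading to read. If every azure-* artifact is intended, write it in the file's existing escaped style, `^pkg:maven/com\.azure/azure\-.*$`, and say so in the notes. The new grpc entry `^pkg:maven/io\.grpc/grpc\-.*$` for CVE-2023-44487 carries no version bound even though the same patch moves grpc to 1.59.1; anchoring it to the fixed versions the way the azure-identity entry above does with `@1\.10\.[2-9]$`, or giving the suppress element an `until` date, keeps the scanner useful if grpc is ever downgraded. The XML element tags do not survive in this rendering, so the element structure around these patterns is inferred.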
@@ -217,7 +217,7 @@ dependencyManagement {
 // besu 23.10.1 uses grpc 1.53.0 so vulnerable to
 // CVE-2023-32731, CVE-2023-33953, CVE-2023-44487, CVE-2023-4785
- dependencySet(group: 'io.grpc', version: '1.59.0') {
+ dependencySet(group: 'io.grpc', version: '1.59.1') {
 entry 'grpc-all'
 entry 'grpc-core'
 entry 'grpc-netty'
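Review bot: The context comment `// besu 23.10.1 uses grpc 1.53.0 so vulnerable to` still names 23.10.1 while this same patch moves plugin-api and metrics-core to 23.10.2, so the stated reason for the grpc override no longer matches the declared besu version. Check which grpc version 23.10.2 pulls: if it is still 1.53.0, change the line to `// besu 23.10.2 uses grpc 1.53.0 so vulnerable to`; if not, record the actual version so a future reader can tell when this override can be dropped. The dependencySet block closes outside the hunk.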