Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependency check upgrade and supress FP #951

Merged
merged 6 commits into from
Dec 4, 2023
Merged

Dependency check upgrade and supress FP #951

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4b89c31
upgrade dependency-check and supress FP
gfukushima Nov 30, 2023
d73a47b
indentation
gfukushima Nov 30, 2023
8ce6f15
updagrade dep-check version
gfukushima Dec 3, 2023
76597f4
Add delay to avoid api throttle
gfukushima Dec 4, 2023
7ab4e9f
increase timeout temporarily
gfukushima Dec 4, 2023
3ac9783
update dependecies and supressions
gfukushima Dec 4, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .circleci/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,8 +186,9 @@ jobs:
destination: distributions
- run:
name: Dependency vulnerability scan
no_output_timeout: 40m
command: |
./gradlew --no-daemon -Dorg.gradle.parallel=false dependencyCheckAggregate
./gradlew --no-daemon -Dorg.gradle.parallel=false dependencyCheckAggregate -DnvdApiDelay=6000
- run:
name: Test
no_output_timeout: 20m
Expand Down
2 changes: 1 addition & 1 deletion build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ buildscript {
}
dependencies {
classpath 'tech.pegasys.internal.license.reporter:license-reporter:1.0.1'
classpath 'org.owasp:dependency-check-gradle:8.4.2'
classpath 'org.owasp:dependency-check-gradle:9.0.2'
}
}

Expand Down
21 changes: 14 additions & 7 deletions gradle/owasp-suppression.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,18 +20,25 @@
<packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.10\.[2-9]$</packageUrl>
<vulnerabilityName>CVE-2023-36415</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Suppress CVE-2023-35116 as this is not considered a CVE according to discussion in https://github.com/FasterXML/jackson-databind/issues/3972
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<vulnerabilityName>CVE-2023-35116</vulnerabilityName>
</suppress>
<suppress>
<notes><![CDATA[
Suppress CVE-2023-3782 as Web3Signer doesn't use brotli and the NVD is incorrectly applying against all okhttp packages instead of just brotli one. See discussion in https://github.com/square/okhttp/issues/7738
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/.*$</packageUrl>
<cve>CVE-2023-3782</cve>
</suppress>
<suppress until="2024-01-16">
<notes><![CDATA[
FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli not to the azure-core libraries
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure*@*.*$</packageUrl>
<cve>CVE-2023-36052</cve>
</suppress>
<suppress until="2024-01-16">
<notes><![CDATA[
CVE relates to attach on gRPC servers (not clients) and is dependent on the Netty version used
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
<cve>CVE-2023-44487</cve>
</suppress>
</suppressions>
12 changes: 6 additions & 6 deletions gradle/versions.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,8 @@

dependencyManagement {
dependencies {
dependency 'com.fasterxml.jackson.core:jackson-databind:2.15.2'
dependency 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.2'
dependency 'com.fasterxml.jackson.core:jackson-databind:2.16.0'
dependency 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.16.0'

dependencySet(group: 'com.google.errorprone', version: '2.21.1') {
entry 'error_prone_annotation'
Expand Down Expand Up @@ -85,8 +85,8 @@ dependencyManagement {
entry 'mockito-junit-jupiter'
}

dependency 'org.hyperledger.besu:plugin-api:23.10.1'
dependency 'org.hyperledger.besu.internal:metrics-core:23.10.1'
dependency 'org.hyperledger.besu:plugin-api:23.10.2'
dependency 'org.hyperledger.besu.internal:metrics-core:23.10.2'

dependency 'org.xipki.iaik:sunpkcs11-wrapper:1.4.10'

Expand Down Expand Up @@ -175,7 +175,7 @@ dependencyManagement {
dependency 'com.squareup.okio:okio:3.4.0'

// addressing CVE-2023-44487
dependencySet(group: 'io.netty', version: '4.1.100.Final') {
dependencySet(group: 'io.netty', version: '4.1.101.Final') {
entry 'netty-all'
entry 'netty-codec-http2'
entry 'netty-handler'
Expand Down Expand Up @@ -217,7 +217,7 @@ dependencyManagement {

// besu 23.10.1 uses grpc 1.53.0 so vulnerable to
// CVE-2023-32731, CVE-2023-33953, CVE-2023-44487, CVE-2023-4785
dependencySet(group: 'io.grpc', version: '1.59.0') {
dependencySet(group: 'io.grpc', version: '1.59.1') {
entry 'grpc-all'
entry 'grpc-core'
entry 'grpc-netty'
Expand Down