Skip to content
This repository has been archived by the owner on Apr 5, 2024. It is now read-only.

Commit

Permalink
Dependency check upgrade and suppress FP
Browse files Browse the repository at this point in the history
  • Loading branch information
@jframe
jframe committed Dec 6, 2023
1 parent df7d959 commit f3ed92e
Show file tree
Hide file tree
Showing 4 changed files with 20 additions and 5 deletions.
3 changes: 2 additions & 1 deletion .circleci/config.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -111,8 +111,9 @@ jobs:
./gradlew --no-daemon --parallel build
- run:
name: Dependency vulnerability scan
no_output_timeout: 40m
command: |
./gradlew --no-daemon -Dorg.gradle.parallel=false dependencyCheckAggregate
./gradlew --no-daemon -Dorg.gradle.parallel=false dependencyCheckAggregate -DnvdApiDelay=6000
- run:
name: Test
no_output_timeout: 20m
Expand Down
2 changes: 1 addition & 1 deletion build.gradle
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ buildscript {
dependencies {
// custom license-reporter used by com.github.jk1.dependency-license-report plugin
classpath 'tech.pegasys.internal.license.reporter:license-reporter:1.0.1'
classpath 'org.owasp:dependency-check-gradle:8.4.2'
classpath 'org.owasp:dependency-check-gradle:9.0.2'
}
}

Expand Down
14 changes: 14 additions & 0 deletions gradle/owasp-suppression.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,4 +37,18 @@
]]></notes>
<cve>CVE-2020-8908</cve>
</suppress>
<suppress until="2024-01-16">
<notes><![CDATA[
FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli not to the azure-core libraries
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.azure/azure*@*.*$</packageUrl>
<cve>CVE-2023-36052</cve>
</suppress>
<suppress until="2024-01-16">
<notes><![CDATA[
CVE relates to attach on gRPC servers (not clients) and is dependent on the Netty version used
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
<cve>CVE-2023-44487</cve>
</suppress>
</suppressions>
6 changes: 3 additions & 3 deletions gradle/versions.gradle
View file
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ dependencyManagement {
dependency "org.hyperledger.besu.internal:metrics-core:${besuVersion}"

// explicit declaring to override transitive dependencies with vulnerabilities
dependency 'com.fasterxml.jackson.core:jackson-databind:2.15.2'
dependency 'com.fasterxml.jackson.core:jackson-databind:2.16.0'
dependencySet(group: 'com.google.protobuf', version: '3.21.12') {
/*
com.google.protobuf:protobuf-java:3.11.4 -> 3.21.9 // CVE-2022-3509
Expand All @@ -112,7 +112,7 @@ dependencyManagement {
entry 'protobuf-java'
entry 'protobuf-java-util'
}
dependencySet(group: 'io.grpc', version: '1.59.0') {
dependencySet(group: 'io.grpc', version: '1.59.1') {
entry 'grpc-api'
entry 'grpc-context'
entry 'grpc-core'
Expand All @@ -128,7 +128,7 @@ dependencyManagement {
entry 'kotlin-stdlib-jdk8'
}
// addressing CVE-2023-44487
dependencySet(group: 'io.netty', version: '4.1.100.Final') {
dependencySet(group: 'io.netty', version: '4.1.101.Final') {
entry 'netty-all'
entry 'netty-codec-http2'
entry 'netty-handler-proxy'
Expand Down

0 comments on commit f3ed92e

Please sign in to comment.