Bump owasp suppressions and versions to fix build

Consensys · Jun 19, 2024 · 9551ed4 · 9551ed4
1 parent 2d6763d
commit 9551ed4
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 42 deletions.
diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
@@ -1,26 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples -->
-    <suppress until="2024-06-16">
+    <suppress until="2024-07-16">
         <notes><![CDATA[
         Suppress CVE-2023-36415 as this should only be applicable on version up to but excluding 1.10.2.
         https://github.com/jeremylong/DependencyCheck/issues/5992
         ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.11\.[1-9]$</packageUrl>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.12\.[1-9]$</packageUrl>
         <vulnerabilityName>CVE-2023-36415</vulnerabilityName>
     </suppress>
-    <suppress until="2024-06-16">
+    <suppress until="2024-07-16">
         <notes><![CDATA[
         FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli not to the azure-core libraries
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.azure/azure*@*.*$</packageUrl>
         <cve>CVE-2023-36052</cve>
     </suppress>
-    <suppress until="2024-06-16">
-        <notes><![CDATA[
-        CVE relates to attach on gRPC servers (not clients) and is dependent on the Netty version used
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
-        <cve>CVE-2023-44487</cve>
-    </suppress>
 </suppressions>
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -127,11 +127,9 @@ dependencyManagement {
     dependency 'com.github.arteam:simple-json-rpc-server:1.3'
     dependency 'com.github.arteam:simple-json-rpc-client:1.3'
 
-    dependencySet(group: 'com.azure', version: '4.8.0') {
-      entry 'azure-security-keyvault-secrets'
-      entry 'azure-security-keyvault-keys'
-    }
-    dependency 'com.azure:azure-identity:1.11.4'
+    dependency 'com.azure:azure-security-keyvault-secrets:4.8.3'
+    dependency 'com.azure:azure-security-keyvault-keys:4.8.4'
+    dependency 'com.azure:azure-identity:1.12.2'
 
     dependency 'com.zaxxer:HikariCP:5.0.1'
     dependency 'org.postgresql:postgresql:42.7.2'
@@ -144,12 +142,7 @@ dependencyManagement {
 
     dependency 'org.flywaydb:flyway-core:6.1.1'
 
-    dependency 'com.google.cloud:google-cloud-secretmanager:2.41.0'
-    /*
-      org.threeten:threetenbp:1.6.8 //CVE-2024-23082, CVE-2024-23081
-      \--- com.google.cloud:google-cloud-secretmanager:2.41.0
-     */
-    dependency 'org.threeten:threetenbp:1.6.9'
+    dependency 'com.google.cloud:google-cloud-secretmanager:2.45.0'
     dependency 'io.zonky.test.postgres:embedded-postgres-binaries-bom:11.19.0'
     dependency 'io.zonky.test:embedded-postgres:2.0.3'
 
@@ -229,27 +222,6 @@ dependencyManagement {
      */
     dependency 'com.nimbusds:nimbus-jose-jwt:9.37.3'
 
-    // besu 23.10.1 uses grpc 1.53.0 so vulnerable to
-    // CVE-2023-32731, CVE-2023-33953, CVE-2023-44487, CVE-2023-4785
-    dependencySet(group: 'io.grpc', version: '1.59.1') {
-      entry 'grpc-all'
-      entry 'grpc-core'
-      entry 'grpc-netty'
-      entry 'grpc-stub'
-      entry 'grpc-alts'
-      entry 'grpc-api'
-      entry 'grpc-auth'
-      entry 'grpc-context'
-      entry 'grpc-googleapis'
-      entry 'grpc-grpclb'
-      entry 'grpc-inprocess'
-      entry 'grpc-netty-shaded'
-      entry 'grpc-protobuf'
-      entry 'grpc-protobuf-lite'
-      entry 'grpc-services'
-      entry 'grpc-xds'
-    }
-
     // used in tests to assert log message
     dependency 'de.neuland-bfi:assertj-logging-log4j:0.5.0'