Update dependencies to address CVE-2024-7254

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>

Author: bestbeforetoday

build.gradle

@@ -4,8 +4,10 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-apply plugin: 'idea'
-apply plugin: 'eclipse-wtp'
+plugins {
+    id "com.github.ben-manes.versions" version "0.51.0"
+}
+
 version = '2.5.3'
 
 
@@ -46,18 +48,18 @@ subprojects {
     }
 
     dependencies {
-        implementation 'commons-cli:commons-cli:1.6.0'
-        implementation 'commons-logging:commons-logging:1.2'
-        testImplementation 'org.junit.jupiter:junit-jupiter-api:5.3.1'
-        testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.3.1'
+        implementation 'commons-cli:commons-cli:1.9.0'
+        implementation 'commons-logging:commons-logging:1.3.4'
+        testImplementation 'org.junit.jupiter:junit-jupiter-api:5.11.0'
+        testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.11.0'
 
-        testImplementation 'org.hamcrest:hamcrest-library:1.3'
-        testImplementation 'org.mockito:mockito-core:2.23.0'
-        testImplementation 'com.github.stefanbirkner:system-rules:system-rules-1.17.0'
+        testImplementation 'org.hamcrest:hamcrest-library:3.0'
+        testImplementation 'org.mockito:mockito-core:5.13.0'
+        testImplementation 'com.github.stefanbirkner:system-rules:1.19.0'
 
         testCompileOnly 'junit:junit:4.13.2'
-        testRuntimeOnly 'org.junit.vintage:junit-vintage-engine:5.10.2'
-        testImplementation 'org.assertj:assertj-core:3.9.1'
+        testRuntimeOnly 'org.junit.vintage:junit-vintage-engine:5.11.0'
+        testImplementation 'org.assertj:assertj-core:3.26.3'
     }
 
     test {

examples/fabric-contract-example-as-service/build.gradle

@@ -22,10 +22,10 @@ repositories {
 
 dependencies {
     compile 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.2'
-    compile 'org.json:json:20231013'
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
-    testImplementation 'org.assertj:assertj-core:3.11.1'
-    testImplementation 'org.mockito:mockito-core:2.+'
+    compile 'org.json:json:20240303'
+    testImplementation 'org.junit.jupiter:junit-jupiter:5.11.0'
+    testImplementation 'org.assertj:assertj-core:3.26.3'
+    testImplementation 'org.mockito:mockito-core:5.13.0'
 }
 
 shadowJar {

examples/fabric-contract-example-gradle-kotlin/build.gradle.kts

@@ -15,10 +15,10 @@ version = "0.0.1"
 
 dependencies {
     implementation("org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.2")
-    implementation("org.json:json:20231013")
+    implementation("org.json:json:20240303")
     implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
 
-    testImplementation("org.junit.jupiter:junit-jupiter:5.4.2")
+    testImplementation("org.junit.jupiter:junit-jupiter:5.11.0")
     testImplementation("com.nhaarman.mockitokotlin2:mockito-kotlin:2.1.0")
 }
 

examples/fabric-contract-example-gradle/build.gradle

@@ -22,10 +22,10 @@ repositories {
 
 dependencies {
     compile 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.2'
-    compile 'org.json:json:20231013'
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
-    testImplementation 'org.assertj:assertj-core:3.11.1'
-    testImplementation 'org.mockito:mockito-core:2.+'
+    compile 'org.json:json:20240303'
+    testImplementation 'org.junit.jupiter:junit-jupiter:5.11.0'
+    testImplementation 'org.assertj:assertj-core:3.26.3'
+    testImplementation 'org.mockito:mockito-core:5.13.0'
 }
 
 shadowJar {

examples/ledger-api/build.gradle

@@ -22,10 +22,10 @@ repositories {
 
 dependencies {
     compile 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.2'
-    compile 'org.json:json:20231013'
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
-    testImplementation 'org.assertj:assertj-core:3.11.1'
-    testImplementation 'org.mockito:mockito-core:2.+'
+    compile 'org.json:json:20240303'
+    testImplementation 'org.junit.jupiter:junit-jupiter:5.11.0'
+    testImplementation 'org.assertj:assertj-core:3.26.3'
+    testImplementation 'org.mockito:mockito-core:5.13.0'
 }
 
 shadowJar {

fabric-chaincode-docker/build.gradle

@@ -9,9 +9,10 @@ buildscript {
         maven { url "https://oss.sonatype.org/content/repositories/snapshots" }
         maven { url "https://www.jitpack.io" }
         mavenCentral()
+        gradlePluginPortal()
     }
     dependencies {
-        classpath 'com.bmuschko:gradle-docker-plugin:5.1.0'
+        classpath 'com.bmuschko:gradle-docker-plugin:9.4.0'
     }
 }
 
@@ -64,6 +65,6 @@ task copyAllDeps(type: Copy) {
 task buildImage(type: DockerBuildImage) {
     dependsOn copyAllDeps
     inputDir = project.file('Dockerfile').parentFile
-    tags = ['hyperledger/fabric-javaenv', 'hyperledger/fabric-javaenv:2.5', 'hyperledger/fabric-javaenv:amd64-2.5.3', 'hyperledger/fabric-javaenv:amd64-latest']
+    images = ['hyperledger/fabric-javaenv', 'hyperledger/fabric-javaenv:2.5', 'hyperledger/fabric-javaenv:amd64-2.5.3', 'hyperledger/fabric-javaenv:amd64-latest']
 }
 

fabric-chaincode-integration-test/build.gradle

@@ -1,7 +1,7 @@
 dependencies {
     implementation project(':fabric-chaincode-docker')
     implementation project(':fabric-chaincode-shim')
-    implementation 'org.json:json:20231013'
+    implementation 'org.json:json:20240303'
 }
 
 

fabric-chaincode-shim/build.gradle

@@ -3,25 +3,16 @@
  *
  * SPDX-License-Identifier: Apache-2.0
  */
- buildscript {
-    repositories {
-        mavenCentral()
-    }
-    dependencies {
-        classpath 'org.owasp:dependency-check-gradle:8.4.0'
-    }
-}
 
 plugins {
     id 'maven-publish'
     id 'jacoco'
     id 'signing'
     id 'checkstyle'
-    id 'org.cyclonedx.bom' version '1.8.1'
 }
 
 checkstyle {
-    toolVersion '10.12.5'
+    toolVersion '10.18.1'
     configFile file("../ci/checkstyle/checkstyle.xml")
     configProperties = [root_dir: file("..") ]
 }
@@ -54,34 +45,33 @@ tasks.withType(org.gradle.api.tasks.testing.Test) {
 }
 
 dependencies {
+    implementation platform('com.google.protobuf:protobuf-bom:3.25.5')
+    implementation platform('io.grpc:grpc-bom:1.68.0')
+    implementation platform('io.opentelemetry:opentelemetry-bom:1.42.1')
+
     implementation 'org.hyperledger.fabric:fabric-protos:0.3.3'
     implementation 'org.bouncycastle:bcpkix-jdk18on:1.78.1'
     implementation 'org.bouncycastle:bcprov-jdk18on:1.78.1'
-    implementation 'io.github.classgraph:classgraph:4.8.165'
+    implementation 'io.github.classgraph:classgraph:4.8.176'
     implementation 'com.github.everit-org.json-schema:org.everit.json.schema:1.14.4'
     implementation 'org.json:json:20240303'
-    implementation 'com.google.protobuf:protobuf-java-util:3.24.4'
+    implementation 'com.google.protobuf:protobuf-java-util'
 
-    // Required if using Java 11+ as no longer bundled in the core libraries
-    testImplementation 'javax.xml.bind:jaxb-api:2.3.1'
-
-    implementation platform('io.grpc:grpc-bom:1.60.0')
     implementation 'io.grpc:grpc-netty-shaded'
     implementation 'io.grpc:grpc-protobuf'
     implementation 'io.grpc:grpc-stub'
-
     testImplementation 'io.grpc:grpc-inprocess'
-
-    implementation platform("io.opentelemetry:opentelemetry-bom:1.32.0")
+    // Required if using Java 11+ as no longer bundled in the core libraries
+    testImplementation 'javax.xml.bind:jaxb-api:2.3.1'
 
     implementation 'io.opentelemetry:opentelemetry-api'
-    implementation 'io.opentelemetry.proto:opentelemetry-proto:1.0.0-alpha'
+    implementation 'io.opentelemetry.proto:opentelemetry-proto:1.3.2-alpha'
     implementation 'io.opentelemetry:opentelemetry-sdk'
     implementation 'io.opentelemetry:opentelemetry-sdk-extension-autoconfigure'
     implementation 'io.opentelemetry:opentelemetry-sdk-trace'
     implementation 'io.opentelemetry:opentelemetry-exporter-otlp'
     implementation 'io.opentelemetry:opentelemetry-extension-trace-propagators'
-    implementation 'io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:1.32.0-alpha'
+    implementation 'io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:2.8.0-alpha'
 }
 
 sourceSets {

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.6-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.1-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME