Conversation

bestbeforetoday (Member)
@bestbeforetoday bestbeforetoday commented Aug 20, 2023

Also:

  • Update Gradle wrapper version to resolve Gradle bug in handling
    certain dependency JAR files.
  • Update Gradle shadowJar plugin to v7.1.2 (except for bare-gradle contract,
    since builder uses Gradle v5 if no wrapper is provided).
  • Add mergeServiceFiles() to test chaincode shadowJar Gradle tasks to
    resolve an issue with incorrect class versions being loaded from dependencies.
  • Add ServicesResourceTransformer to test chaincode maven-shade-plugin
    Maven plugin configuration to resolve an issue with incorrect class
    versions being loaded from dependencies.
  • Tidy-up integration test contract dependencies.
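The mergeServiceFiles() and ServicesResourceTransformer items above both address the same failure mode: when two dependency JARs each ship a META-INF/services/<interface> file, a naive shade keeps only whichever copy was written last, so java.util.ServiceLoader silently sees one provider set and the wrong implementation (or class version) gets loaded. The following is an added example, not code from this PR or from fabric-chaincode-java; it builds two constructed JARs in memory, shades them with and without service-file merging, and provides a check (`missing_providers`) that can be run against a real fat JAR and its dependency JARs. The interface and provider names (`com.example.spi.Codec`, `JsonCodec`, `CborCodec`) are hypothetical.

```python
"""Check that a shaded (fat) JAR kept every ServiceLoader provider its dependencies declared.

Added example, not fabric-chaincode-java's own code. shadowJar's mergeServiceFiles()
and maven-shade's ServicesResourceTransformer concatenate duplicate
META-INF/services/* files; a plain copy keeps only the last one written.
"""
import io
import zipfile
from typing import Dict, Iterable, Set

SERVICES_PREFIX = "META-INF/services/"


def service_providers(jar_bytes: bytes) -> Dict[str, Set[str]]:
    """Map each service interface declared in a JAR to its provider class names."""
    providers: Dict[str, Set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(SERVICES_PREFIX) or name.endswith("/"):
                continue  # skip non-service entries and directory entries
            interface = name[len(SERVICES_PREFIX):]
            entries: Set[str] = set()
            for line in zf.read(name).decode("utf-8").splitlines():
                line = line.split("#", 1)[0].strip()  # drop comments and blank lines
                if line:
                    entries.add(line)
            providers.setdefault(interface, set()).update(entries)
    return providers


def missing_providers(fat_jar: bytes, dep_jars: Iterable[bytes]) -> Dict[str, Set[str]]:
    """Providers declared by any dependency JAR that the fat JAR no longer lists."""
    expected: Dict[str, Set[str]] = {}
    for dep in dep_jars:
        for iface, provs in service_providers(dep).items():
            expected.setdefault(iface, set()).update(provs)
    actual = service_providers(fat_jar)
    missing: Dict[str, Set[str]] = {}
    for iface, provs in expected.items():
        lost = provs - actual.get(iface, set())
        if lost:
            missing[iface] = lost
    return missing


def make_jar(files: Dict[str, str]) -> bytes:
    """Build a constructed in-memory JAR from a path -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


def shade(dep_jars: Iterable[bytes], merge_service_files: bool) -> bytes:
    """Toy shading: copy every entry. On a duplicate path, either last-wins (naive copy)
    or, for service files only, concatenate (what mergeServiceFiles() does)."""
    merged: Dict[str, bytes] = {}
    for dep in dep_jars:
        with zipfile.ZipFile(io.BytesIO(dep)) as zf:
            for name in zf.namelist():
                data = zf.read(name)
                if merge_service_files and name.startswith(SERVICES_PREFIX) and name in merged:
                    merged[name] = merged[name].rstrip(b"\n") + b"\n" + data
                else:
                    merged[name] = data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in merged.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed dependencies: two JARs registering different providers for one hypothetical SPI.
SPI = "com.example.spi.Codec"
DEP_A = make_jar({
    "com/example/a/JsonCodec.class": "",
    SERVICES_PREFIX + SPI: "com.example.a.JsonCodec\n",
})
DEP_B = make_jar({
    "com/example/b/CborCodec.class": "",
    SERVICES_PREFIX + SPI: "# provided by dep B\ncom.example.b.CborCodec\n",
})


def demo() -> Dict[str, Dict[str, Set[str]]]:
    """Shade both ways and report which providers each fat JAR lost."""
    naive = shade([DEP_A, DEP_B], merge_service_files=False)
    merged = shade([DEP_A, DEP_B], merge_service_files=True)
    return {
        "naive_missing": missing_providers(naive, [DEP_A, DEP_B]),
        "merged_missing": missing_providers(merged, [DEP_A, DEP_B]),
    }


if __name__ == "__main__":
    for label, lost in demo().items():
        print(label, lost or "none")
```

Against a real build, pass `Path("build/libs/<contract>-all.jar").read_bytes()` and the bytes of each JAR on the runtime classpath to `missing_providers`; an empty result means the shade step preserved every provider registration, which is the property the mergeServiceFiles() and ServicesResourceTransformer changes are meant to guarantee.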

@bestbeforetoday bestbeforetoday force-pushed the dependencies branch 3 times, most recently from 8674117 to 96d5cd1, August 20, 2023 15:45
@bestbeforetoday bestbeforetoday changed the title "Update deps to address CVE-2022-25647, CVE-2023-2976, CVE-2020-8908" to "Update dependencies to address security vulnerabilities", Aug 20, 2023
@bestbeforetoday bestbeforetoday force-pushed the dependencies branch 10 times, most recently from 68bb784 to 9d34364, August 21, 2023 10:36
@bestbeforetoday bestbeforetoday marked this pull request as ready for review August 21, 2023 12:14
@bestbeforetoday bestbeforetoday requested a review from a team as a code owner August 21, 2023 12:14
@bestbeforetoday bestbeforetoday enabled auto-merge (squash) August 21, 2023 12:14
@bestbeforetoday bestbeforetoday force-pushed the dependencies branch 2 times, most recently from 37f9346 to 4d14529, August 22, 2023 10:18
@bestbeforetoday bestbeforetoday marked this pull request as draft August 22, 2023 10:25
auto-merge was automatically disabled August 22, 2023 10:25 (pull request was converted to draft)

- CVE-2022-25647
- CVE-2023-2976
- CVE-2020-8908

Also:

- Update Gradle wrapper version to resolve Gradle bug in handling
  certain dependency JAR files.
- Update Gradle shadowJar plugin to v7.1.2 (except for bare-gradle contract,
  since builder uses Gradle v5 if no wrapper is provided).
- Add mergeServiceFiles() to test chaincode shadowJar Gradle tasks to
  resolve an issue with incorrect class versions being loaded from dependencies.
- Add ServicesResourceTransformer to test chaincode maven-shade-plugin
  Maven plugin configuration to resolve an issue with incorrect class
  versions being loaded from dependencies.
- Tidy-up integration test contract dependencies

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

- Bugs: A (0 bugs)
- Vulnerabilities: A (0 vulnerabilities)
- Security Hotspots: A (0 security hotspots)
- Code Smells: A (7 code smells)
- Coverage: no coverage information
- Duplication: 0.3%

@bestbeforetoday bestbeforetoday marked this pull request as ready for review August 22, 2023 13:01
@bestbeforetoday bestbeforetoday enabled auto-merge (squash) August 22, 2023 13:01
@denyeart denyeart (Contributor) commented Sep 6, 2023

The changes look fine, but I'm having trouble mapping the PR Description to the code changes:

  • The referenced CVEs are for gson and guava but I don't see these updated in the code, maybe it is a transitive dependency?
  • Why the changes around OpenTelemetry in a dependency cleanup PR?

@bestbeforetoday bestbeforetoday (Member, Author)

They are largely transitive dependencies, and there is still at least one additional outstanding vulnerability for which updates to the dependencies that pull in those vulnerabilities are not yet available.

The newer version of OpenTelemetry made API changes so code changes had to happen where it was used.

@bestbeforetoday bestbeforetoday merged commit 1148b9d into hyperledger:main Sep 7, 2023