From 50964c3c34a9efe28dba9cb8e4f7b72f009c9053 Mon Sep 17 00:00:00 2001 From: Aaron Steinfeld <45047841+aaron-steinfeld@users.noreply.github.com> Date: Tue, 23 Jan 2024 11:33:35 -0500 Subject: [PATCH] chore: update deps, suppressions (#218) --- owasp-suppressions.xml | 20 ++++++-------------- query-service-api/build.gradle.kts | 9 ++------- query-service-client/build.gradle.kts | 2 +- query-service-factory/build.gradle.kts | 2 +- query-service-impl/build.gradle.kts | 14 +++++++------- query-service/build.gradle.kts | 6 +++--- 6 files changed, 20 insertions(+), 33 deletions(-) diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml index 223fb8ba..1471f126 100644 --- a/owasp-suppressions.xml +++ b/owasp-suppressions.xml @@ -18,9 +18,9 @@ CVE-2020-13956 - + ^pkg:maven/org\.apache\.helix/zookeeper\-api@.*$ CVE-2016-5017 @@ -28,19 +28,11 @@ CVE-2019-0201 CVE-2023-44981 - - - ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ - CVE-2023-35116 - - + - ^pkg:maven/io\.netty/netty.*@.*$ - CVE-2023-4586 + ^pkg:maven/com\.jayway\.jsonpath/json\-path@2.9.0$ + CVE-2023-51074 diff --git a/query-service-api/build.gradle.kts b/query-service-api/build.gradle.kts index 7cfe39f2..1cc700f8 100644 --- a/query-service-api/build.gradle.kts +++ b/query-service-api/build.gradle.kts @@ -15,7 +15,7 @@ protobuf { } plugins { id("grpc") { - artifact = "io.grpc:protoc-gen-grpc-java:1.57.2" + artifact = "io.grpc:protoc-gen-grpc-java:1.60.0" } } generateProtoTasks { @@ -41,15 +41,10 @@ tasks.test { } dependencies { - api(platform("io.grpc:grpc-bom:1.57.2")) + api(platform("io.grpc:grpc-bom:1.60.0")) api("io.grpc:grpc-protobuf") api("io.grpc:grpc-stub") api("javax.annotation:javax.annotation-api:1.3.2") - constraints { - implementation("com.google.guava:guava:32.1.2-jre") { - because("Multiple vulnerabilities") - } - } testImplementation("org.junit.jupiter:junit-jupiter:5.7.1") testImplementation("com.google.protobuf:protobuf-java-util:3.22.0") 
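Review bot: In the second owasp-suppressions.xml hunk, the new pattern `^pkg:maven/com\.jayway\.jsonpath/json\-path@2.9.0$` leaves the dots in the version unescaped, so each one matches any character, unlike the escaped dots in the rest of the expression; `@2\.9\.0$` restricts the match to exactly that release. The same commit pins json-path to 2.9.0 in query-service-impl/build.gradle.kts with `because("CVE-2023-51074")` while suppressing that CVE for 2.9.0 here, so the entry's notes should say why the finding is considered not applicable to 2.9.0. The element markup is not visible in this rendering, so an existing note may already cover it. Keeping the suppression tied to a single version is worth preserving, because it stops applying as soon as the constraint is bumped.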
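Review bot: Removing the `constraints { implementation("com.google.guava:guava:32.1.2-jre") { because("Multiple vulnerabilities") } }` block in the `dependencies` hunk of query-service-api/build.gradle.kts leaves this module's guava version to whatever the grpc 1.60.0 artifacts and other transitive dependencies resolve to, and nothing in the diff shows that the old floor is still met. The same question applies to the jackson-databind 2.14.2 constraint removed in the first query-service-impl/build.gradle.kts hunk. I would confirm the resolved versions with `dependencyInsight --dependency guava --configuration runtimeClasspath` (and likewise for jackson-databind) before merging. If either resolves below the previous pin, keep the constraint and name the specific CVE in `because(...)` instead of "Multiple vulnerabilities".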
diff --git a/query-service-client/build.gradle.kts b/query-service-client/build.gradle.kts
index 0db50e1e..7d64b354 100644
--- a/query-service-client/build.gradle.kts
+++ b/query-service-client/build.gradle.kts
@@ -7,7 +7,7 @@ plugins {
 dependencies {
 api(project(":query-service-api"))
- implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.6")
+ implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.1")
 // Logging
 implementation("org.slf4j:slf4j-api:1.7.32")
diff --git a/query-service-factory/build.gradle.kts b/query-service-factory/build.gradle.kts
index 2c850d46..7a867d1f 100644
--- a/query-service-factory/build.gradle.kts
+++ b/query-service-factory/build.gradle.kts
@@ -3,7 +3,7 @@ plugins {
 }
 dependencies {
- api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.62")
+ api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.64")
 implementation(project(":query-service-impl"))
 implementation("com.google.inject:guice:5.0.1")
diff --git a/query-service-impl/build.gradle.kts b/query-service-impl/build.gradle.kts
index d341cfd6..ee5f9029 100644
--- a/query-service-impl/build.gradle.kts
+++ b/query-service-impl/build.gradle.kts
@@ -16,9 +16,6 @@ dependencies {
 "in org.jetbrains.kotlin:kotlin-stdlib@1.4.10",
 )
 }
- implementation("com.fasterxml.jackson.core:jackson-databind:2.14.2") {
- because("Multiple vulnerabilities")
- }
 implementation("org.apache.calcite:calcite-core:1.34.0") {
 because("CVE-2022-39135")
 }
@@ -57,12 +54,15 @@ dependencies {
 implementation("org.apache.zookeeper:zookeeper:3.7.2") {
 because("CVE-2023-44981")
 }
+ implementation("com.jayway.jsonpath:json-path:2.9.0") {
+ because("CVE-2023-51074")
+ }
 }
 api(project(":query-service-api"))
 api("com.typesafe:config:1.4.1")
- implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.6")
- implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.6")
- implementation("org.hypertrace.core.grpcutils:grpc-server-rx-utils:0.12.6")
+ implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.13.1")
+ implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.1")
+ implementation("org.hypertrace.core.grpcutils:grpc-server-rx-utils:0.13.1")
 implementation("org.hypertrace.core.attribute.service:attribute-service-api:0.14.26")
 implementation("org.hypertrace.core.attribute.service:attribute-projection-registry:0.14.26")
 implementation("org.hypertrace.core.attribute.service:caching-attribute-service-client:0.14.26")
@@ -74,7 +74,7 @@ dependencies {
 }
 implementation("org.slf4j:slf4j-api:1.7.32")
 implementation("commons-codec:commons-codec:1.15")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.62")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.64")
 implementation("com.google.protobuf:protobuf-java-util:3.22.0")
 implementation("com.google.guava:guava:32.1.2-jre")
 implementation("io.reactivex.rxjava3:rxjava:3.0.11")
diff --git a/query-service/build.gradle.kts b/query-service/build.gradle.kts
index d65d8f4d..641bf051 100644
--- a/query-service/build.gradle.kts
+++ b/query-service/build.gradle.kts
@@ -10,8 +10,8 @@ plugins {
 dependencies {
 implementation(project(":query-service-factory"))
- implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.6")
- implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.62")
+ implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.13.1")
+ implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.64")
 implementation("org.slf4j:slf4j-api:1.7.32")
 implementation("com.typesafe:config:1.4.1")
@@ -22,7 +22,7 @@ dependencies {
 integrationTestImplementation("org.testcontainers:testcontainers:1.16.2")
 integrationTestImplementation("org.testcontainers:junit-jupiter:1.16.2")
 integrationTestImplementation("org.testcontainers:kafka:1.16.2")
- integrationTestImplementation("org.hypertrace.core.serviceframework:integrationtest-service-framework:0.1.62")
+ integrationTestImplementation("org.hypertrace.core.serviceframework:integrationtest-service-framework:0.1.64")
 integrationTestImplementation("com.github.stefanbirkner:system-lambda:1.2.0")
 integrationTestImplementation("org.apache.kafka:kafka-clients:7.2.1-ccs")