From 0f2d653c5d8d8f58400c51c39928bf3fb2c43f9b Mon Sep 17 00:00:00 2001
From: Jason Frame
Date: Mon, 19 Jun 2023 12:18:03 +1000
Subject: [PATCH] Update libraries (#809)

---
 gradle/owasp-suppression.xml | 10 +++-------
 gradle/versions.gradle | 23 ++++++++++++++++++++---
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
index d998169f0..86f8f27e0 100644
--- a/gradle/owasp-suppression.xml
+++ b/gradle/owasp-suppression.xml
@@ -1,15 +1,11 @@
- - CVE-2020-8908
+ ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
+ CVE-2023-35116
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
index 331d50e32..491dbc98d 100644
--- a/gradle/versions.gradle
+++ b/gradle/versions.gradle
@@ -13,8 +13,8 @@ dependencyManagement {
 dependencies {
- dependency 'com.fasterxml.jackson.core:jackson-databind:2.15.0-rc3'
- dependency 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.0-rc3'
+ dependency 'com.fasterxml.jackson.core:jackson-databind:2.15.2'
+ dependency 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.2'
 dependencySet(group: 'com.google.errorprone', version: '2.17.0') {
 entry 'error_prone_annotation'
@@ -25,7 +25,7 @@ dependencyManagement {
 dependency 'tech.pegasys.tools.epchecks:errorprone-checks:1.1.1'
- dependency 'com.google.guava:guava:31.1-jre'
+ dependency 'com.google.guava:guava:32.0.1-jre'
 dependency 'commons-cli:commons-cli:1.5.0'
 dependency 'commons-io:commons-io:2.11.0'
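Review bot: The new suppression for CVE-2023-35116 in gradle/owasp-suppression.xml matches every jackson-databind version (`jackson\-databind@.*$`) and, as far as this hunk shows, carries neither a written justification nor an expiry, so it will keep silencing that CVE id even after a future jackson-databind bump or re-scoring. The hunk as rendered here has lost its XML tags, so I cannot tell whether a `<notes>` element or an `until` attribute on `<suppress>` is already present; if not, I would add a one-line `<notes>` stating why the report is accepted for the pinned 2.15.2 build and an `until` date so the suppression is re-reviewed rather than inherited indefinitely. The removal of the CVE-2020-8908 suppression lines up with the guava bump to 32.0.1-jre in gradle/versions.gradle and needs no further change.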
@@ -197,5 +197,22 @@ dependencyManagement {
 dependency 'net.minidev:json-smart:2.4.10'
 dependency 'com.nimbusds:nimbus-jose-jwt:9.31'
+
+ // manually overriding of io.grpc to avoid CVE-2023-32732, we can't update to latest besu metrics-core until
+ // we have Java 17 support in Web3Signer
+ /*
+ +--- org.hyperledger.besu.internal:metrics-core -> 22.10.3
+ | | | | +--- org.hyperledger.besu:plugin-api:22.10.3
+ | | | | | +--- org.apache.commons:commons-lang3:3.12.0
+ | | | | | +--- org.apache.tuweni:tuweni-bytes:2.3.1 (*)
+ | | | | | \--- org.apache.tuweni:tuweni-units:2.3.1 (*)
+ | | | | +--- io.grpc:grpc-netty:1.47.0
+ */
+ dependencySet(group: 'io.grpc', version: '1.56.0') {
+ entry 'grpc-all'
+ entry 'grpc-core'
+ entry 'grpc-netty'
+ entry 'grpc-stub'
+ }
 }
 }
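Review bot: The io.grpc dependencySet added at the end of this hunk manages only grpc-all, grpc-core, grpc-netty and grpc-stub, so any other io.grpc artifact that reaches the graph transitively (grpc-api, grpc-context or grpc-protobuf, for example) is not covered by the pin and could resolve to whatever version the older besu chain brings in, leaving a mixed-version grpc on the classpath; worth confirming with the resolved dependency report after this change, and adding the missing entries if the report shows a second io.grpc version. The dependency-tree excerpt in the comment is useful evidence, but the prose never says when the override may be removed; I would rewrite the first comment line as `// TODO: remove this io.grpc override once besu metrics-core is updated (blocked on Java 17 support in Web3Signer); pinned to 1.56.0 to avoid CVE-2023-32732`, which also fixes the "manually overriding of" wording. The enclosing dependencyManagement and dependencies blocks start outside the hunk.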