Dependency updates and suppressions (#913)

Consensys · Sep 14, 2023 · b51f5bd · b51f5bd
1 parent b4a725d
commit b51f5bd
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
@@ -1,6 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples -->
+    <suppress until="2023-11-01">
+        <notes><![CDATA[
+        Temporary suppression, as it's arguably a false positive: https://github.com/netty/netty/issues/8537#issuecomment-1527896917
+        The correct thing to do is ensure hostname verification is enabled: https://codetinkering.com/enable-hostname-verification-netty/
+        This is indeed the case for Azure, which is the netty-handler: https://github.com/Azure/azure-sdk-for-java/issues/18286#issuecomment-947958978
+        The other vulnerable lib is besu-metrics, which might want looking at, will see if this CVE gets flagged in besu first
+        file name: netty-handler-4.1.97.Final.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-handler@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+     </suppress>
     <suppress>
         <notes><![CDATA[
         Suppress CVE-2023-35116 as this is not considered a CVE according to discussion in https://github.com/FasterXML/jackson-databind/issues/3972

diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -185,7 +185,7 @@ dependencyManagement {
     dependency 'com.squareup.okio:okio:3.4.0'
 
     // addressing CVE-2022-41881, CVE-2022-41915, CVE-2023-34462
-    dependencySet(group: 'io.netty', version: '4.1.95.Final') {
+    dependencySet(group: 'io.netty', version: '4.1.97.Final') {
       entry 'netty-all'
       entry 'netty-handler'
       entry 'netty-resolver-dns'
@@ -237,5 +237,12 @@ dependencyManagement {
 
     // used in tests to assert log message
     dependency 'de.neuland-bfi:assertj-logging-log4j:0.5.0'
+
+    // addresses CVE-2023-4759
+    /*
+         +--- com.google.errorprone:error_prone_check_api:2.11.0
+          |    +--- io.github.java-diff-utils:java-diff-utils:4.0
+     */
+    dependency 'io.github.java-diff-utils:java-diff-utils:4.12'
   }
 }