Update dependencies to address CVE-2023-3635 (#319)

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
hyperledger · Dec 4, 2023 · 5507d11 · 5507d11
1 parent 412447c
commit 5507d11
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/build.gradle b/build.gradle
@@ -42,7 +42,7 @@ subprojects {
     targetCompatibility = 1.8
 
     dependencies {
-        implementation group: 'commons-cli', name: 'commons-cli', version: '1.4'
+        implementation group: 'commons-cli', name: 'commons-cli', version: '1.6.0'
         implementation group: 'commons-logging', name: 'commons-logging', version: '1.2'
         testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-api', version: '5.3.1'
         testRuntimeOnly group: 'org.junit.jupiter', name: 'junit-jupiter-engine', version: '5.3.1'

diff --git a/fabric-chaincode-shim/build.gradle b/fabric-chaincode-shim/build.gradle
@@ -47,22 +47,24 @@ tasks.withType(org.gradle.api.tasks.testing.Test) {
 
 dependencies {
     implementation 'org.hyperledger.fabric:fabric-protos:0.2.1'
-    implementation 'org.bouncycastle:bcpkix-jdk18on:1.76'
-    implementation 'org.bouncycastle:bcprov-jdk18on:1.76'
+    implementation 'org.bouncycastle:bcpkix-jdk18on:1.77'
+    implementation 'org.bouncycastle:bcprov-jdk18on:1.77'
     implementation 'io.github.classgraph:classgraph:4.8.162'
     implementation 'com.github.everit-org.json-schema:org.everit.json.schema:1.14.2'
     implementation 'org.json:json:20231013'
-    implementation 'com.google.protobuf:protobuf-java-util:3.22.5'
+    implementation 'com.google.protobuf:protobuf-java-util:3.24.4'
 
     // Required if using Java 11+ as no longer bundled in the core libraries
     testImplementation 'javax.xml.bind:jaxb-api:2.3.1'
 
-    implementation platform('io.grpc:grpc-bom:1.57.2')
+    implementation platform('io.grpc:grpc-bom:1.59.0')
     implementation 'io.grpc:grpc-netty-shaded'
     implementation 'io.grpc:grpc-protobuf'
     implementation 'io.grpc:grpc-stub'
 
-    implementation platform("io.opentelemetry:opentelemetry-bom:1.29.0")
+    testImplementation 'io.grpc:grpc-inprocess'
+
+    implementation platform("io.opentelemetry:opentelemetry-bom:1.32.0")
 
     implementation 'io.opentelemetry:opentelemetry-api'
     implementation 'io.opentelemetry.proto:opentelemetry-proto:1.0.0-alpha'
@@ -71,7 +73,7 @@ dependencies {
     implementation 'io.opentelemetry:opentelemetry-sdk-trace'
     implementation 'io.opentelemetry:opentelemetry-exporter-otlp'
     implementation 'io.opentelemetry:opentelemetry-extension-trace-propagators'
-    implementation 'io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:1.29.0-alpha'
+    implementation 'io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:1.32.0-alpha'
 }
 
 dependencyCheck {

diff --git a/...de-shim/src/main/java/org/hyperledger/fabric/traces/impl/OpenTelemetryTracesProvider.java b/...de-shim/src/main/java/org/hyperledger/fabric/traces/impl/OpenTelemetryTracesProvider.java
@@ -13,7 +13,8 @@
 import io.opentelemetry.context.Context;
 import io.opentelemetry.instrumentation.grpc.v1_6.GrpcTelemetry;
 import io.opentelemetry.sdk.autoconfigure.AutoConfiguredOpenTelemetrySdk;
-import io.opentelemetry.semconv.resource.attributes.ResourceAttributes;
+import io.opentelemetry.semconv.ResourceAttributes;
+
 import org.hyperledger.fabric.shim.ChaincodeStub;
 import org.hyperledger.fabric.traces.TracesProvider;