
Update dependencies to address CVE-2023-3635
Added explicit dependency on okio-bom to force the transitive okio
dependency to a non-vulnerable version. This can be removed once okhttp
4.12 is eventually published and opentelemetry publishes a version that
depends on it.

Signed-off-by: Mark S. Lewis <[email protected]>
bestbeforetoday committed Oct 9, 2023
1 parent 9405c4d commit 4334ff5
Showing 1 changed file with 20 additions and 12 deletions.
32 changes: 20 additions & 12 deletions pom.xml
Expand Up @@ -28,11 +28,11 @@
<url>http://github.com/hyperledger/fabric-sdk-java</url>
</scm>
<properties>
<grpc.version>1.57.2</grpc.version>
<protobuf.version>3.22.5</protobuf.version> <!-- Must match version used by grpc-protobuf -->
<grpc.version>1.58.0</grpc.version>
<protobuf.version>3.24.4</protobuf.version> <!-- Must match version used by grpc-protobuf -->
<bouncycastle.version>1.76</bouncycastle.version>
<httpclient.version>4.5.14</httpclient.version>
<javadoc.version>3.5.0</javadoc.version>
<javadoc.version>3.6.0</javadoc.version>
<skipITs>true</skipITs>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<jacoco.version>0.8.10</jacoco.version>
Expand All @@ -54,7 +54,15 @@
<dependency>
<groupId>io.opentelemetry</groupId>
<artifactId>opentelemetry-bom</artifactId>
<version>1.29.0</version>
<version>1.30.1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<!-- Added only to force the okio dependency to a version where CVE-2023-3635 is resolved -->
<groupId>com.squareup.okio</groupId>
<artifactId>okio-bom</artifactId>
<version>3.6.0</version>
<type>pom</type>
<scope>import</scope>
</dependency>
Expand Down Expand Up @@ -126,7 +134,7 @@
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.13.0</version>
<version>2.14.0</version>
</dependency>

<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
Expand Down Expand Up @@ -162,12 +170,12 @@
<dependency>
<groupId>com.spotify</groupId>
<artifactId>futures-extra</artifactId>
<version>4.3.1</version>
<version>4.3.3</version>
</dependency>
<dependency>
<groupId>com.google.api</groupId>
<artifactId>api-common</artifactId>
<version>2.15.0</version>
<version>2.18.0</version>
</dependency>

<dependency>
Expand All @@ -179,7 +187,7 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>2.1</version>
<version>2.2</version>
</dependency>

<dependency>
Expand Down Expand Up @@ -222,7 +230,7 @@
<dependency>
<groupId>io.opentelemetry.instrumentation</groupId>
<artifactId>opentelemetry-grpc-1.6</artifactId>
<version>1.29.0-alpha</version>
<version>1.30.0-alpha</version>
</dependency>
<dependency>
<groupId>io.opentelemetry.proto</groupId>
Expand Down Expand Up @@ -584,7 +592,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.3.0</version>
<version>3.4.1</version>
<executions>
<execution>
<id>enforce-maven</id>
Expand Down Expand Up @@ -619,7 +627,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.3.1</version>
<version>8.4.0</version>
<configuration>
<skipProvidedScope>true</skipProvidedScope>
<skipTestScope>true</skipTestScope>
Expand Down Expand Up @@ -695,7 +703,7 @@
<dependency>
<groupId>com.puppycrawl.tools</groupId>
<artifactId>checkstyle</artifactId>
<version>10.12.2</version>
<version>10.12.4</version>
</dependency>
</dependencies>
</plugin>
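Review bot: The okio-bom import added after the opentelemetry-bom import (hunk at -54,7 +54,15) only pins okio if no earlier-imported BOM in this dependencyManagement block already manages the same artifact, since Maven resolves conflicting managed versions from imported BOMs by first declaration; I would move the okio-bom entry ahead of the other BOM imports, or at least confirm with `mvn dependency:tree` that the resolved okio version is the one from okio-bom 3.6.0. The inline comment on the new dependency should also carry the removal condition the commit message gives, e.g. `<!-- Added only to force the okio dependency to a version where CVE-2023-3635 is resolved; remove once okhttp 4.12 is published and opentelemetry depends on it -->`, so the pin is not left in place indefinitely. Since the build already runs maven-enforcer-plugin and dependency-check-maven, consider relying on dependency-check (bumped to 8.4.0 in the -619,7 hunk) to fail the build if the transitive okio version regresses after the BOM is removed. The enclosing dependencyManagement element starts and ends outside the hunk.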
