Update opentelemetry-grpc-1.6 dependency (#289)

Also update dependency-check suppressions to remove false positives. Signed-off-by: Mark S. Lewis <[email protected]>
hyperledger · Aug 21, 2023 · cedd3a7 · cedd3a7
1 parent 5617abc
commit cedd3a7
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/dependency-suppressions.xml b/dependency-suppressions.xml
@@ -1,3 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+   Vulnerability in C++ gRPC implementation
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$</packageUrl>
+        <cve>CVE-2023-33953</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   Vulnerability in C++ gRPC implementation
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$</packageUrl>
+        <cve>CVE-2023-32732</cve>
+    </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -28,7 +28,7 @@
         <url>http://github.com/hyperledger/fabric-sdk-java</url>
     </scm>
     <properties>
-        <grpc.version>1.57.1</grpc.version>
+        <grpc.version>1.57.2</grpc.version>
         <protobuf.version>3.22.5</protobuf.version> <!-- Must match version used by grpc-protobuf -->
         <bouncycastle.version>1.76</bouncycastle.version>
         <httpclient.version>4.5.14</httpclient.version>
@@ -222,7 +222,7 @@
         <dependency>
             <groupId>io.opentelemetry.instrumentation</groupId>
             <artifactId>opentelemetry-grpc-1.6</artifactId>
-            <version>1.28.0-alpha</version>
+            <version>1.29.0-alpha</version>
         </dependency>
         <dependency>
             <groupId>io.opentelemetry.proto</groupId>