chore: upgraded hypertrace grpc-utils version (#146)

singhalprerana · web-flow · commit eee261274996 · 2023-10-19T16:21:38.000+05:30
* chore: upgraded hypertrace grpc-utils version

* Updated versions

* Added suppressions
diff --git a/hypertrace-core-graphql-platform/build.gradle.kts b/hypertrace-core-graphql-platform/build.gradle.kts
@@ -13,10 +13,11 @@ dependencies {
   api(platform("com.fasterxml.jackson:jackson-bom:2.15.2"))
   constraints {
 
-    api("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.2")
-    api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.2")
-    api("org.hypertrace.core.grpcutils:grpc-client-rx-utils:0.12.2")
+    api("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.6")
+    api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.6")
+    api("org.hypertrace.core.grpcutils:grpc-client-rx-utils:0.12.6")
     api("org.hypertrace.gateway.service:gateway-service-api:0.3.2")
+    api("org.hypertrace.core.serviceframework:platform-http-service-framework:0.1.62")
     api("org.hypertrace.core.attribute.service:caching-attribute-service-client:${attributeServiceVersion}")
     api("org.hypertrace.core.attribute.service:attribute-service-api:${attributeServiceVersion}")
 
diff --git a/hypertrace-core-graphql-service/build.gradle.kts b/hypertrace-core-graphql-service/build.gradle.kts
@@ -8,7 +8,7 @@ plugins {
 dependencies {
   implementation(platform(project(":hypertrace-core-graphql-platform")))
 
-  implementation("org.hypertrace.core.serviceframework:platform-http-service-framework:0.1.52")
+  implementation("org.hypertrace.core.serviceframework:platform-http-service-framework")
   implementation("org.slf4j:slf4j-api")
 
   implementation("com.graphql-java-kickstart:graphql-java-servlet")
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -15,7 +15,29 @@
     <packageUrl regex="true">^pkg:maven/io\.github\.graphql\-java/graphql\-java\-annotations@.*$</packageUrl>
     <cpe>cpe:/a:graphql-java:graphql-java</cpe>
   </suppress>
-  <suppress until="2023-07-30Z">
+  <suppress until="2023-11-30Z">
+    <notes><![CDATA[
+  This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
+  than the transport. The change in default is under consideration for the next major Netty release, revisit then.
+  Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
+  Ref:
+  https://github.com/grpc/grpc-java/issues/10033
+  https://github.com/netty/netty/issues/8537#issuecomment-1527896917
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
+    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+  </suppress>
+  <suppress until="2023-11-30Z">
+    <notes><![CDATA[
+   This CVE is declared fixed from 9.4.52, but the vuln db is not reflecting that. Suppress that specific version until
+   db is updated.
+   Ref:
+   https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@9.4.53\..*$</packageUrl>
+    <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
+  </suppress>
+  <suppress until="2023-11-30Z">
     <notes><![CDATA[
    file name: jackson-databind-2.15.2.jar
    ]]></notes>
