Update dependencies to address CVE-2024-7254 (#353)

Also the following dependency changes:

- Remove obsolete JUnit 4.
- Replace com.github.stefanbirkner:system-rules with
  uk.org.webcompere:system-stubs-jupiter since the former appears not to
  work correctly with JUnit 5.
- Update versions following v2.5.3 release.

Signed-off-by: Mark S. Lewis <[email protected]>

Author: bestbeforetoday

Diff for: build.gradle

@@ -4,9 +4,11 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-apply plugin: 'idea'
-apply plugin: 'eclipse-wtp'
-version = '2.5.3'
+plugins {
+    id "com.github.ben-manes.versions" version "0.51.0"
+}
+
+version = '2.5.4'
 
 
 // If the nightly property is set, then this is the scheduled main 
@@ -46,18 +48,16 @@ subprojects {
     }
 
     dependencies {
-        implementation 'commons-cli:commons-cli:1.6.0'
-        implementation 'commons-logging:commons-logging:1.2'
-        testImplementation 'org.junit.jupiter:junit-jupiter-api:5.3.1'
-        testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.3.1'
-
-        testImplementation 'org.hamcrest:hamcrest-library:1.3'
-        testImplementation 'org.mockito:mockito-core:2.23.0'
-        testImplementation 'com.github.stefanbirkner:system-rules:system-rules-1.17.0'
-
-        testCompileOnly 'junit:junit:4.13.2'
-        testRuntimeOnly 'org.junit.vintage:junit-vintage-engine:5.10.2'
-        testImplementation 'org.assertj:assertj-core:3.9.1'
+        implementation 'commons-cli:commons-cli:1.9.0'
+        implementation 'commons-logging:commons-logging:1.3.4'
+        testImplementation 'org.junit.jupiter:junit-jupiter-api:5.11.0'
+        testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.11.0'
+
+        testImplementation 'org.hamcrest:hamcrest-library:3.0'
+        testImplementation 'org.mockito:mockito-core:5.13.0'
+        testImplementation 'uk.org.webcompere:system-stubs-jupiter:2.1.6'
+
+        testImplementation 'org.assertj:assertj-core:3.26.3'
     }
 
     test {

Diff for: examples/fabric-contract-example-as-service/build.gradle

@@ -22,10 +22,10 @@ repositories {
 
 dependencies {
     compile 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.2'
-    compile 'org.json:json:20231013'
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
-    testImplementation 'org.assertj:assertj-core:3.11.1'
-    testImplementation 'org.mockito:mockito-core:2.+'
+    compile 'org.json:json:20240303'
+    testImplementation 'org.junit.jupiter:junit-jupiter:5.11.0'
+    testImplementation 'org.assertj:assertj-core:3.26.3'
+    testImplementation 'org.mockito:mockito-core:5.13.0'
 }
 
 shadowJar {

Diff for: examples/fabric-contract-example-gradle-kotlin/build.gradle.kts

@@ -15,10 +15,10 @@ version = "0.0.1"
 
 dependencies {
     implementation("org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.2")
-    implementation("org.json:json:20231013")
+    implementation("org.json:json:20240303")
     implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
 
-    testImplementation("org.junit.jupiter:junit-jupiter:5.4.2")
+    testImplementation("org.junit.jupiter:junit-jupiter:5.11.0")
     testImplementation("com.nhaarman.mockitokotlin2:mockito-kotlin:2.1.0")
 }
 

Diff for: examples/fabric-contract-example-gradle/build.gradle

@@ -22,10 +22,10 @@ repositories {
 
 dependencies {
     compile 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.2'
-    compile 'org.json:json:20231013'
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
-    testImplementation 'org.assertj:assertj-core:3.11.1'
-    testImplementation 'org.mockito:mockito-core:2.+'
+    compile 'org.json:json:20240303'
+    testImplementation 'org.junit.jupiter:junit-jupiter:5.11.0'
+    testImplementation 'org.assertj:assertj-core:3.26.3'
+    testImplementation 'org.mockito:mockito-core:5.13.0'
 }
 
 shadowJar {

Diff for: examples/ledger-api/build.gradle

@@ -22,10 +22,10 @@ repositories {
 
 dependencies {
     compile 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.2'
-    compile 'org.json:json:20231013'
-    testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
-    testImplementation 'org.assertj:assertj-core:3.11.1'
-    testImplementation 'org.mockito:mockito-core:2.+'
+    compile 'org.json:json:20240303'
+    testImplementation 'org.junit.jupiter:junit-jupiter:5.11.0'
+    testImplementation 'org.assertj:assertj-core:3.26.3'
+    testImplementation 'org.mockito:mockito-core:5.13.0'
 }
 
 shadowJar {

Diff for: fabric-chaincode-docker/build.gradle

@@ -9,9 +9,10 @@ buildscript {
         maven { url "https://oss.sonatype.org/content/repositories/snapshots" }
         maven { url "https://www.jitpack.io" }
         mavenCentral()
+        gradlePluginPortal()
     }
     dependencies {
-        classpath 'com.bmuschko:gradle-docker-plugin:5.1.0'
+        classpath 'com.bmuschko:gradle-docker-plugin:9.4.0'
     }
 }
 
@@ -64,6 +65,6 @@ task copyAllDeps(type: Copy) {
 task buildImage(type: DockerBuildImage) {
     dependsOn copyAllDeps
     inputDir = project.file('Dockerfile').parentFile
-    tags = ['hyperledger/fabric-javaenv', 'hyperledger/fabric-javaenv:2.5', 'hyperledger/fabric-javaenv:amd64-2.5.3', 'hyperledger/fabric-javaenv:amd64-latest']
+    images = ['hyperledger/fabric-javaenv', 'hyperledger/fabric-javaenv:2.5', 'hyperledger/fabric-javaenv:amd64-2.5.4', 'hyperledger/fabric-javaenv:amd64-latest']
 }
 

Diff for: fabric-chaincode-integration-test/build.gradle

@@ -1,7 +1,7 @@
 dependencies {
     implementation project(':fabric-chaincode-docker')
     implementation project(':fabric-chaincode-shim')
-    implementation 'org.json:json:20231013'
+    implementation 'org.json:json:20240303'
 }
 
 

Diff for: fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle

@@ -19,7 +19,7 @@ repositories {
 }
 
 dependencies {
-    implementation 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.3'
+    implementation 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.4'
     implementation 'org.hyperledger.fabric:fabric-protos:0.3.3'
 }
 

Diff for: fabric-chaincode-integration-test/src/contracts/bare-maven/pom.xml

@@ -12,7 +12,7 @@
 		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 
 		<!-- fabric-chaincode-java -->
-		<fabric-chaincode-java.version>2.5.3</fabric-chaincode-java.version>
+		<fabric-chaincode-java.version>2.5.4</fabric-chaincode-java.version>
 
 	</properties>
 

Diff for: fabric-chaincode-integration-test/src/contracts/fabric-ledger-api/build.gradle

@@ -25,7 +25,7 @@ repositories {
 }
 
 dependencies {
-    implementation 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.3'
+    implementation 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.4'
     implementation 'org.hyperledger.fabric:fabric-protos:0.3.3'
 }
 

Diff for: fabric-chaincode-integration-test/src/contracts/fabric-shim-api/build.gradle

@@ -25,7 +25,7 @@ repositories {
 }
 
 dependencies {
-    implementation 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.3'
+    implementation 'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.4'
     implementation 'org.hyperledger.fabric:fabric-protos:0.3.3'
     implementation 'commons-logging:commons-logging:1.2'
     implementation 'com.google.code.gson:gson:2.10.1'

Diff for: fabric-chaincode-integration-test/src/contracts/wrapper-maven/pom.xml

@@ -12,7 +12,7 @@
 		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 
 		<!-- fabric-chaincode-java -->
-		<fabric-chaincode-java.version>2.5.3</fabric-chaincode-java.version>
+		<fabric-chaincode-java.version>2.5.4</fabric-chaincode-java.version>
 
 	</properties>
 

Diff for: fabric-chaincode-integration-test/src/test/java/org/hyperleder/fabric/shim/integration/contractinstall/ContractInstallTest.java

@@ -4,21 +4,22 @@
 SPDX-License-Identifier: Apache-2.0
 */
 package org.hyperleder.fabric.shim.integration.contractinstall;
+
 import static org.hamcrest.core.StringContains.containsString;
-import static org.junit.Assert.assertThat;
+import static org.hamcrest.MatcherAssert.assertThat;
 
 import org.hyperleder.fabric.shim.integration.util.FabricState;
 import org.hyperleder.fabric.shim.integration.util.InvokeHelper;
-import org.junit.BeforeClass;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
 
 /**
  * Basic Java Chaincode Test
  *
  */
 public class ContractInstallTest {
 
-   @BeforeClass
+   @BeforeAll
     public static void setUp() throws Exception {
         FabricState.getState().start();
 

Diff for: fabric-chaincode-integration-test/src/test/java/org/hyperleder/fabric/shim/integration/ledgertests/LedgerIntegrationTest.java

@@ -5,20 +5,20 @@
 */
 package org.hyperleder.fabric.shim.integration.ledgertests;
 import static org.hamcrest.core.StringContains.containsString;
-import static org.junit.Assert.assertThat;
+import static org.hamcrest.MatcherAssert.assertThat;
 
 import org.hyperleder.fabric.shim.integration.util.FabricState;
 import org.hyperleder.fabric.shim.integration.util.InvokeHelper;
-import org.junit.BeforeClass;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
 
 /**
  * Basic Java Chaincode Test
  *
  */
 public class LedgerIntegrationTest {
 
-   @BeforeClass
+   @BeforeAll
     public static void setUp() throws Exception {
 
 

Diff for: fabric-chaincode-integration-test/src/test/java/org/hyperleder/fabric/shim/integration/shimtests/SACCIntegrationTest.java

@@ -5,20 +5,20 @@
 */
 package org.hyperleder.fabric.shim.integration.shimtests;
 import static org.hamcrest.core.StringContains.containsString;
-import static org.junit.Assert.assertThat;
+import static org.hamcrest.MatcherAssert.assertThat;
 
 import org.hyperleder.fabric.shim.integration.util.FabricState;
 import org.hyperleder.fabric.shim.integration.util.InvokeHelper;
-import org.junit.BeforeClass;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
 
 /**
  * Basic Java Chaincode Test
  *
  */
 public class SACCIntegrationTest {
 
-    @BeforeClass
+    @BeforeAll
     public static void setUp() throws Exception {
         FabricState.getState().start();       
 

Diff for: fabric-chaincode-integration-test/src/test/java/org/hyperleder/fabric/shim/integration/shimtests/SBECCIntegrationTest.java

@@ -7,16 +7,16 @@
 
 import static org.hamcrest.core.StringContains.containsString;
 import static org.hamcrest.Matchers.not; 
-import static org.junit.Assert.assertThat;
+import static org.hamcrest.MatcherAssert.assertThat;
 
 import org.hyperleder.fabric.shim.integration.util.FabricState;
 import org.hyperleder.fabric.shim.integration.util.InvokeHelper;
-import org.junit.BeforeClass;
-import org.junit.Test;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
 
 public class SBECCIntegrationTest {
 
-    @BeforeClass
+    @BeforeAll
     public static void setUp() throws Exception {
         FabricState.getState().start();
 

Diff for: fabric-chaincode-shim/build.gradle

@@ -3,25 +3,16 @@
  *
  * SPDX-License-Identifier: Apache-2.0
  */
- buildscript {
-    repositories {
-        mavenCentral()
-    }
-    dependencies {
-        classpath 'org.owasp:dependency-check-gradle:8.4.0'
-    }
-}
 
 plugins {
     id 'maven-publish'
     id 'jacoco'
     id 'signing'
     id 'checkstyle'
-    id 'org.cyclonedx.bom' version '1.8.1'
 }
 
 checkstyle {
-    toolVersion '10.12.5'
+    toolVersion '10.18.1'
     configFile file("../ci/checkstyle/checkstyle.xml")
     configProperties = [root_dir: file("..") ]
 }
@@ -54,34 +45,33 @@ tasks.withType(org.gradle.api.tasks.testing.Test) {
 }
 
 dependencies {
+    implementation platform('com.google.protobuf:protobuf-bom:3.25.5')
+    implementation platform('io.grpc:grpc-bom:1.68.0')
+    implementation platform('io.opentelemetry:opentelemetry-bom:1.42.1')
+
     implementation 'org.hyperledger.fabric:fabric-protos:0.3.3'
     implementation 'org.bouncycastle:bcpkix-jdk18on:1.78.1'
     implementation 'org.bouncycastle:bcprov-jdk18on:1.78.1'
-    implementation 'io.github.classgraph:classgraph:4.8.165'
+    implementation 'io.github.classgraph:classgraph:4.8.176'
     implementation 'com.github.everit-org.json-schema:org.everit.json.schema:1.14.4'
     implementation 'org.json:json:20240303'
-    implementation 'com.google.protobuf:protobuf-java-util:3.24.4'
+    implementation 'com.google.protobuf:protobuf-java-util'
 
-    // Required if using Java 11+ as no longer bundled in the core libraries
-    testImplementation 'javax.xml.bind:jaxb-api:2.3.1'
-
-    implementation platform('io.grpc:grpc-bom:1.60.0')
     implementation 'io.grpc:grpc-netty-shaded'
     implementation 'io.grpc:grpc-protobuf'
     implementation 'io.grpc:grpc-stub'
-
     testImplementation 'io.grpc:grpc-inprocess'
-
-    implementation platform("io.opentelemetry:opentelemetry-bom:1.32.0")
+    // Required if using Java 11+ as no longer bundled in the core libraries
+    testImplementation 'javax.xml.bind:jaxb-api:2.3.1'
 
     implementation 'io.opentelemetry:opentelemetry-api'
-    implementation 'io.opentelemetry.proto:opentelemetry-proto:1.0.0-alpha'
+    implementation 'io.opentelemetry.proto:opentelemetry-proto:1.3.2-alpha'
     implementation 'io.opentelemetry:opentelemetry-sdk'
     implementation 'io.opentelemetry:opentelemetry-sdk-extension-autoconfigure'
     implementation 'io.opentelemetry:opentelemetry-sdk-trace'
     implementation 'io.opentelemetry:opentelemetry-exporter-otlp'
     implementation 'io.opentelemetry:opentelemetry-extension-trace-propagators'
-    implementation 'io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:1.32.0-alpha'
+    implementation 'io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:2.8.0-alpha'
 }
 
 sourceSets {

Diff for: fabric-chaincode-shim/src/test/java/ChaincodeWithoutPackageTest.java

@@ -4,31 +4,25 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-import static org.hamcrest.Matchers.is;
-import static org.hyperledger.fabric.protos.peer.ChaincodeMessage.Type.READY;
-import static org.hyperledger.fabric.protos.peer.ChaincodeMessage.Type.REGISTER;
-import static org.junit.Assert.assertThat;
+import org.hyperledger.fabric.shim.ChaincodeBase;
+import org.hyperledger.fabric.shim.mock.peer.ChaincodeMockPeer;
+import org.hyperledger.fabric.shim.mock.peer.RegisterStep;
+import org.hyperledger.fabric.shim.mock.peer.ScenarioStep;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
 
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 
-import org.hyperledger.fabric.shim.ChaincodeBase;
-import org.hyperledger.fabric.shim.mock.peer.ChaincodeMockPeer;
-import org.hyperledger.fabric.shim.mock.peer.RegisterStep;
-import org.hyperledger.fabric.shim.mock.peer.ScenarioStep;
-import org.junit.After;
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.contrib.java.lang.system.EnvironmentVariables;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.hyperledger.fabric.protos.peer.ChaincodeMessage.Type.READY;
+import static org.hyperledger.fabric.protos.peer.ChaincodeMessage.Type.REGISTER;
 
 public final class ChaincodeWithoutPackageTest {
-    @Rule
-    public final EnvironmentVariables environmentVariables = new EnvironmentVariables();
-
     private ChaincodeMockPeer server;
 
-    @After
+    @AfterEach
     public void afterTest() throws Exception {
         if (server != null) {
             server.stop();
@@ -49,8 +43,8 @@ public void testRegisterChaincodeWithoutPackage() throws Exception {
 
         ChaincodeMockPeer.checkScenarioStepEnded(server, 1, 5000, TimeUnit.MILLISECONDS);
 
-        assertThat(server.getLastMessageSend().getType(), is(READY));
-        assertThat(server.getLastMessageRcvd().getType(), is(REGISTER));
+        assertThat(server.getLastMessageSend().getType()).isEqualTo(READY);
+        assertThat(server.getLastMessageRcvd().getType()).isEqualTo(REGISTER);
     }
 
 }