refactor: update vulns, add dep check (#46)

Author: aaron-steinfeld

.github/CODEOWNERS

@@ -1,7 +1,7 @@
 # Each line is a file pattern followed by one or more owners.
 
 # global
-* @buchi-busireddy @tim-mwangi @surajpuvvada @avinashkolluru
+* @hypertrace/platform-util-owners
 
 # GH action
-.github/ @aaron-steinfeld @jbahire @kotharironak @buchi-busireddy
+.github/ @hypertrace/ci-owners

.github/workflows/codeql-analysis.yml

@@ -28,21 +28,6 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2

.github/workflows/pr-build.yml

@@ -9,47 +9,17 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
           fetch-depth: 0
-      
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        id: cache-packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
 
       - name: Build with Gradle
         uses: hypertrace/github-actions/gradle@main
         with: 
           args: build
-
-  snyk-scan:
-    runs-on: ubuntu-20.04
-    steps:
-    # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
-      - name: Check out code
-        uses: actions/[email protected]
-        with:
-          ref: ${{github.event.pull_request.head.ref}}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          fetch-depth: 0
-      - name: Setup snyk
-        uses: snyk/actions/[email protected]
-      - name: Snyk test
-        run: snyk test --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching='^runtimeClasspath$' --remote-repo-url='https://github.com/hypertrace/java-grpc-utils.git'
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.github/workflows/pr-test.yml

@@ -7,34 +7,21 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
        # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        id: cache-packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
 
       - name: Unit test
         uses: hypertrace/github-actions/gradle@main
         with: 
           args: build jacocoTestReport
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
         with:
           name: unit test reports
           fail_ci_if_error: true
@@ -46,15 +33,22 @@ jobs:
           args: copyAllReports --output-dir=/tmp/test-reports
 
       - name: Archive test reports
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v3
         with:
           name: test-reports
           path: /tmp/test-reports
         if: always()
 
       - name: Publish Unit Test Results
-        uses: docker://ghcr.io/enricomi/publish-unit-test-result-action:v1.6
+        uses: EnricoMi/publish-unit-test-result-action@v2
         if: always()
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           files: ./**/build/test-results/**/*.xml
+
+  dependency-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Dependency Check
+        uses: hypertrace/github-actions/dependency-check@main
+

.github/workflows/publish.yml

@@ -8,26 +8,14 @@ on:
 
 jobs:
   publish-artifacts:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
       - name: publish java artifacts
         uses: hypertrace/github-actions/gradle@main
         with: 

.snyk

@@ -7,6 +7,7 @@ plugins {
   id("org.hypertrace.publish-plugin") version "1.0.2" apply false
   id("org.hypertrace.jacoco-report-plugin") version "0.2.0" apply false
   id("org.hypertrace.code-style-plugin") version "1.1.2" apply false
+  id("org.owasp.dependencycheck") version "8.2.1"
 }
 
 subprojects {
@@ -26,3 +27,10 @@ subprojects {
 
   apply(plugin = "org.hypertrace.code-style-plugin")
 }
+
+dependencyCheck {
+  format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString()
+  suppressionFile = "owasp-suppressions.xml"
+  scanConfigurations.add("runtimeClasspath")
+  failBuildOnCVSS = 3.0F
+}

build.gradle.kts

@@ -6,7 +6,7 @@ plugins {
 }
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.50.0"))
+  api(platform("io.grpc:grpc-bom:1.56.0"))
   api("io.reactivex.rxjava3:rxjava:3.1.4")
   api("io.grpc:grpc-stub")
   api(project(":grpc-context-utils"))

grpc-client-rx-utils/build.gradle.kts

@@ -7,7 +7,7 @@ plugins {
 
 dependencies {
 
-  api(platform("io.grpc:grpc-bom:1.50.0"))
+  api(platform("io.grpc:grpc-bom:1.56.0"))
   api("io.grpc:grpc-context")
   api("io.grpc:grpc-api")
   api(platform("io.netty:netty-bom:4.1.86.Final")) {

grpc-client-utils/build.gradle.kts

@@ -10,21 +10,18 @@ tasks.test {
 }
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.50.0"))
+  api(platform("io.grpc:grpc-bom:1.56.0"))
   implementation("io.grpc:grpc-core")
 
   implementation("com.auth0:java-jwt:4.4.0")
   implementation("com.auth0:jwks-rsa:0.22.0")
-  implementation("com.google.guava:guava:31.1-jre")
+  implementation("com.google.guava:guava:32.0.1-jre")
   implementation("org.slf4j:slf4j-api:1.7.36")
 
   annotationProcessor("org.projectlombok:lombok:1.18.24")
   compileOnly("org.projectlombok:lombok:1.18.24")
 
   constraints {
-    implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2") {
-      because("https://nvd.nist.gov/vuln/detail/CVE-2022-42003")
-    }
     implementation("com.google.protobuf:protobuf-java:3.21.7") {
       // Not used directly, but typically used together for since we always use proto and grpc together
       because("CVE-2022-3171")
@@ -33,7 +30,7 @@ dependencies {
 
   testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
   testImplementation("org.mockito:mockito-core:4.4.0")
-  testImplementation("com.fasterxml.jackson.core:jackson-annotations:2.13.4")
+  testImplementation("com.fasterxml.jackson.core:jackson-annotations:2.15.2")
   testAnnotationProcessor("org.projectlombok:lombok:1.18.24")
   testCompileOnly("org.projectlombok:lombok:1.18.24")
 }

grpc-context-utils/build.gradle.kts

@@ -6,14 +6,17 @@ plugins {
 }
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.50.0"))
+  api(platform("io.grpc:grpc-bom:1.56.0"))
   api("io.reactivex.rxjava3:rxjava:3.1.4")
   api("io.grpc:grpc-stub")
 
   annotationProcessor("org.projectlombok:lombok:1.18.24")
   compileOnly("org.projectlombok:lombok:1.18.24")
 
   implementation("org.slf4j:slf4j-api:1.7.36")
+  constraints {
+    implementation("com.google.guava:guava:32.0.1-jre")
+  }
 
   testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
   testImplementation("org.mockito:mockito-core:4.4.0")

grpc-server-rx-utils/build.gradle.kts

@@ -10,7 +10,7 @@ tasks.test {
 }
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.50.0"))
+  api(platform("io.grpc:grpc-bom:1.56.0"))
   api("io.grpc:grpc-context")
   api("io.grpc:grpc-api")
 

grpc-server-utils/build.gradle.kts

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+</suppressions>