chore: more rapid rst fun (#53)

Author: aaron-steinfeld

grpc-client-rx-utils/build.gradle.kts

@@ -6,7 +6,7 @@ plugins {
 }
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.57.2"))
+  api(platform("io.grpc:grpc-bom:1.59.1"))
   api("io.reactivex.rxjava3:rxjava:3.1.4")
   api("io.grpc:grpc-stub")
   api(project(":grpc-context-utils"))

grpc-client-utils/build.gradle.kts

@@ -7,10 +7,11 @@ plugins {
 
 dependencies {
 
-  api(platform("io.grpc:grpc-bom:1.57.2"))
+  api(platform("io.grpc:grpc-bom:1.59.1"))
   api("io.grpc:grpc-context")
   api("io.grpc:grpc-api")
-  api(platform("io.netty:netty-bom:4.1.100.Final")) {
+  api("io.grpc:grpc-inprocess")
+  api(platform("io.netty:netty-bom:4.1.101.Final")) {
     because("CVE-2023-44487")
   }
 

grpc-context-utils/build.gradle.kts

@@ -10,7 +10,8 @@ tasks.test {
 }
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.57.2"))
+  api(platform("io.grpc:grpc-bom:1.59.1"))
+  api(platform("com.fasterxml.jackson:jackson-bom:2.16.0"))
   implementation("io.grpc:grpc-core")
 
   implementation("com.auth0:java-jwt:4.4.0")
@@ -21,13 +22,6 @@ dependencies {
   annotationProcessor("org.projectlombok:lombok:1.18.24")
   compileOnly("org.projectlombok:lombok:1.18.24")
 
-  constraints {
-    implementation("com.google.protobuf:protobuf-java:3.21.7") {
-      // Not used directly, but typically used together for since we always use proto and grpc together
-      because("CVE-2022-3171")
-    }
-  }
-
   testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
   testImplementation("org.mockito:mockito-core:4.4.0")
   testImplementation("com.fasterxml.jackson.core:jackson-annotations:2.15.2")

grpc-server-rx-utils/build.gradle.kts

@@ -6,17 +6,14 @@ plugins {
 }
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.57.2"))
+  api(platform("io.grpc:grpc-bom:1.59.1"))
   api("io.reactivex.rxjava3:rxjava:3.1.4")
   api("io.grpc:grpc-stub")
 
   annotationProcessor("org.projectlombok:lombok:1.18.24")
   compileOnly("org.projectlombok:lombok:1.18.24")
 
   implementation("org.slf4j:slf4j-api:1.7.36")
-  constraints {
-    implementation("com.google.guava:guava:32.0.1-jre")
-  }
 
   testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
   testImplementation("org.mockito:mockito-core:4.4.0")

grpc-server-utils/build.gradle.kts

@@ -10,11 +10,11 @@ tasks.test {
 }
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.57.2"))
+  api(platform("io.grpc:grpc-bom:1.59.1"))
   api("io.grpc:grpc-context")
   api("io.grpc:grpc-api")
 
-  api(platform("io.netty:netty-bom:4.1.100.Final")) {
+  api(platform("io.netty:netty-bom:4.1.101.Final")) {
     because("CVE-2023-44487")
   }
 

owasp-suppressions.xml

@@ -1,18 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[
+  <suppress>
+    <notes><![CDATA[
    Any hypertrace dep
    ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-    </suppress>
-    <suppress until="2023-11-30Z">
-        <notes><![CDATA[
-  file name: jackson-databind-2.14.2.jar
-  This is currently disputed.
-  ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-        <cve>CVE-2023-35116</cve>
-    </suppress>
+    <packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
+    <cpe>cpe:/a:grpc:grpc</cpe>
+  </suppress>
+  <suppress until="2023-12-31Z">
+    <notes><![CDATA[
+   This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
+   addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
+   Ref: https://github.com/grpc/grpc-java/pull/10675
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
+    <cve>CVE-2023-44487</cve>
+  </suppress>
 </suppressions>