fix: upgrade netty (#52)

aaron-steinfeld · web-flow · commit a0bc6d11a5d2 · 2023-10-18T14:35:10.000-04:00
* fix: upgrade netty

* fix: update jackson suppression
diff --git a/grpc-client-utils/build.gradle.kts b/grpc-client-utils/build.gradle.kts
@@ -10,8 +10,8 @@ dependencies {
   api(platform("io.grpc:grpc-bom:1.57.2"))
   api("io.grpc:grpc-context")
   api("io.grpc:grpc-api")
-  api(platform("io.netty:netty-bom:4.1.94.Final")) {
-    because("CVE-2023-34462")
+  api(platform("io.netty:netty-bom:4.1.100.Final")) {
+    because("CVE-2023-44487")
   }
 
   implementation(project(":grpc-context-utils"))
diff --git a/grpc-server-utils/build.gradle.kts b/grpc-server-utils/build.gradle.kts
@@ -14,8 +14,8 @@ dependencies {
   api("io.grpc:grpc-context")
   api("io.grpc:grpc-api")
 
-  api(platform("io.netty:netty-bom:4.1.94.Final")) {
-    because("CVE-2023-34462")
+  api(platform("io.netty:netty-bom:4.1.100.Final")) {
+    because("CVE-2023-44487")
   }
 
   implementation(project(":grpc-context-utils"))
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -7,7 +7,7 @@
         <packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
         <cpe>cpe:/a:grpc:grpc</cpe>
     </suppress>
-    <suppress until="2023-09-30Z">
+    <suppress until="2023-11-30Z">
         <notes><![CDATA[
   file name: jackson-databind-2.14.2.jar
   This is currently disputed.

Original file line number	Diff line number	Diff line change
`@@ -14,8 +14,8 @@ dependencies {`
`14`	`14`	`api("io.grpc:grpc-context")`
`15`	`15`	`api("io.grpc:grpc-api")`
`16`	`16`
`17`		`- api(platform("io.netty:netty-bom:4.1.94.Final")) {`
`18`		`- because("CVE-2023-34462")`
	`17`	`+ api(platform("io.netty:netty-bom:4.1.100.Final")) {`
	`18`	`+ because("CVE-2023-44487")`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`implementation(project(":grpc-context-utils"))`