fix: update netty due to vuln (#47)

aaron-steinfeld · web-flow · commit df9fb713e310 · 2023-06-21T17:42:07.000-07:00
diff --git a/grpc-client-utils/build.gradle.kts b/grpc-client-utils/build.gradle.kts
@@ -10,8 +10,8 @@ dependencies {
   api(platform("io.grpc:grpc-bom:1.56.0"))
   api("io.grpc:grpc-context")
   api("io.grpc:grpc-api")
-  api(platform("io.netty:netty-bom:4.1.86.Final")) {
-    because("CVE-2022-41881")
+  api(platform("io.netty:netty-bom:4.1.94.Final")) {
+    because("CVE-2023-34462")
   }
 
   implementation(project(":grpc-context-utils"))
diff --git a/grpc-server-utils/build.gradle.kts b/grpc-server-utils/build.gradle.kts
@@ -14,8 +14,8 @@ dependencies {
   api("io.grpc:grpc-context")
   api("io.grpc:grpc-api")
 
-  api(platform("io.netty:netty-bom:4.1.86.Final")) {
-    because("CVE-2022-41881")
+  api(platform("io.netty:netty-bom:4.1.94.Final")) {
+    because("CVE-2023-34462")
   }
 
   implementation(project(":grpc-context-utils"))
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -1,3 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+   Any hypertrace dep
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
+        <cpe>cpe:/a:grpc:grpc</cpe>
+    </suppress>
 </suppressions> 

Original file line number	Diff line number	Diff line change
`@@ -14,8 +14,8 @@ dependencies {`
`14`	`14`	`api("io.grpc:grpc-context")`
`15`	`15`	`api("io.grpc:grpc-api")`
`16`	`16`
`17`		`- api(platform("io.netty:netty-bom:4.1.86.Final")) {`
`18`		`- because("CVE-2022-41881")`
	`17`	`+ api(platform("io.netty:netty-bom:4.1.94.Final")) {`
	`18`	`+ because("CVE-2023-34462")`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`implementation(project(":grpc-context-utils"))`