chore: update some old dependencies (#101)

aaron-steinfeld · web-flow · commit cdc3c37d28c8 · 2024-10-04T11:32:49.000-04:00
diff --git a/kafka-bom/build.gradle.kts b/kafka-bom/build.gradle.kts
@@ -6,18 +6,16 @@ plugins {
 
 var confluentVersion = "7.7.0"
 var confluentCcsVersion = "$confluentVersion-ccs"
-var protobufVersion = "3.21.7"
+var protobufVersion = "3.25.5"
 
 dependencies {
   constraints {
-    api("com.fasterxml.jackson.core:jackson-databind:2.15.2")
+    api("com.fasterxml.jackson.core:jackson-databind:2.16.1")
     api("org.xerial.snappy:snappy-java:1.1.10.5") {
       because("[https://nvd.nist.gov/vuln/detail/CVE-2023-34455] in 'org.apache.kafka:kafka-clients:*'")
       because("[https://nvd.nist.gov/vuln/detail/CVE-2023-43642]")
     }
-    api("com.google.protobuf:protobuf-java-util:3.21.7") {
-      because("https://nvd.nist.gov/vuln/detail/CVE-2022-3171")
-    }
+    api("com.google.protobuf:protobuf-java-util:$protobufVersion")
     api("com.squareup.okio:okio:3.4.0") {
       because("https://nvd.nist.gov/vuln/detail/CVE-2023-3635 in io.confluent:kafka-protobuf-serializer:7.4.0")
     }
@@ -32,6 +30,6 @@ dependencies {
     api("org.apache.kafka:kafka-clients:$confluentCcsVersion")
     api("org.apache.kafka:kafka-streams:$confluentCcsVersion")
     api("org.apache.kafka:kafka-streams-test-utils:$confluentCcsVersion")
-    api("org.apache.avro:avro:1.11.3")
+    api("org.apache.avro:avro:1.11.4")
   }
 }
diff --git a/kafka-streams-framework/build.gradle.kts b/kafka-streams-framework/build.gradle.kts
@@ -18,7 +18,7 @@ dependencies {
   api(platform(project(":kafka-bom")))
   api("org.apache.kafka:kafka-streams")
   api("io.confluent:kafka-streams-avro-serde")
-  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.0")
+  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.6")
 
   implementation("org.apache.avro:avro")
   implementation("org.apache.kafka:kafka-clients")
diff --git a/kafka-streams-partitioners/weighted-group-partitioner/build.gradle.kts b/kafka-streams-partitioners/weighted-group-partitioner/build.gradle.kts
@@ -15,10 +15,10 @@ dependencies {
 
   api(platform(project(":kafka-bom")))
   api("org.apache.kafka:kafka-streams")
-  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.0")
+  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.6")
   api("com.typesafe:config:1.4.2")
   implementation("com.google.guava:guava:32.0.1-jre")
-  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.13.0")
+  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.13.6")
   implementation("org.hypertrace.config.service:partitioner-config-service-api:0.1.46")
   implementation("org.slf4j:slf4j-api:1.7.36")
 
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -1,18 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[
-   Any hypertrace core dep
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.hypertrace\.core\..*@.*$</packageUrl>
-        <cpe>cpe:/a:grpc:grpc</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-   file name: jackson-databind-2.15.2.jar
-   Excluding the disputed vulnerability (CVE-2023-35116)
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-        <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
-    </suppress>
 </suppressions>
