Update dependencies to address security vulnerabilities (#314)

- CVE-2022-25647
- CVE-2023-2976
- CVE-2020-8908

Also:

- Update Gradle wrapper version to resolve Gradle bug in handling
  certain dependency JAR files.
- Update Gradle shadowJar plugin to v7.1.2 (except for bare-gradle contract,
  since builder uses Gradle v5 if no wrapper is provided).
- Add mergeServiceFiles() to test chaincode shadowJar Gradle tasks to
  resolve an issue with incorrect class versions being loaded from dependencies.
- Add ServicesResourceTransformer to test chaincode maven-shade-plugin
  Maven plugin configuration to resolve an issue with incorrect class
  versions being loaded from dependencies.
- Tidy-up integration test contract dependencies.

Signed-off-by: Mark S. Lewis <[email protected]>

Author: bestbeforetoday

dependency-suppression.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+        Core Fabric Go implementation vulnerability, not fabric-protos.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.hyperledger\.fabric/fabric\-protos@.*$</packageUrl>
+        <cve>CVE-2022-31121</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Core Fabric Go implementation vulnerability, not fabric-protos.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.hyperledger\.fabric/fabric\-protos@.*$</packageUrl>
+        <cve>CVE-2022-36023</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Vulnerability in C++ gRPC implementation.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$</packageUrl>
+        <cve>CVE-2023-33953</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Vulnerability in C++ gRPC implementation.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$</packageUrl>
+        <cve>CVE-2023-32732</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Vulnerability in hutool-json, which is not used.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+        <cve>CVE-2022-45688</cve>
+    </suppress>
+</suppressions>

examples/fabric-contract-example-as-service/build.gradle

@@ -1,5 +1,5 @@
 plugins {
-    id 'com.github.johnrengelman.shadow' version '2.0.3'
+    id 'com.github.johnrengelman.shadow' version '7.1.2'
     id 'java'
 }
 
@@ -21,7 +21,7 @@ repositories {
 
 dependencies {
     compile group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '2.3.+'
-    compile group: 'org.json', name: 'json', version: '20180813'
+    compile 'org.json:json:20230618'
     testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     testImplementation 'org.assertj:assertj-core:3.11.1'
     testImplementation 'org.mockito:mockito-core:2.+'
@@ -31,6 +31,7 @@ shadowJar {
     baseName = 'chaincode'
     version = null
     classifier = null
+    mergeServiceFiles()
 
     manifest {
         attributes 'Main-Class': 'org.example.Application'

examples/fabric-contract-example-gradle-kotlin/build.gradle.kts

@@ -5,7 +5,7 @@ import com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar
 
 
 plugins {
-    id("com.github.johnrengelman.shadow") version "5.2.0"
+    id("com.github.johnrengelman.shadow") version "7.1.2"
     id("org.jetbrains.kotlin.jvm") version "1.3.41"
 }
 
@@ -20,7 +20,7 @@ java {
 
 dependencies {
     implementation("org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.0")
-    implementation("org.json:json:20180813")
+    implementation("org.json:json:20230618")
     implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
 
     testImplementation("org.junit.jupiter:junit-jupiter:5.4.2")
@@ -44,6 +44,7 @@ tasks {
         baseName = "chaincode"
         version = null
         classifier = null
+        mergeServiceFiles()
         manifest {
             attributes(mapOf("Main-Class" to "org.hyperledger.fabric.contract.ContractRouter"))
         }

examples/fabric-contract-example-gradle-kotlin/gradle/wrapper/gradle-wrapper.jar

@@ -1,5 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.2-bin.zip
+networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists