fix: update grpc, jackson and framework versions (#16)

aaron-steinfeld · web-flow · commit 2a2f83ccc2f6 · 2023-12-04T09:08:43.000-05:00
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -1,8 +1,8 @@
 [versions]
 protoc = "3.24.1"
-grpc = "1.57.2"
-hypertrace-framework = "0.1.62"
-hypertrace-grpcutils = "0.12.6"
+grpc = "1.59.1"
+hypertrace-framework = "0.1.63"
+hypertrace-grpcutils = "0.12.7"
 hypertrace-kafka = "0.3.9"
 hypertrace-bom = "+"
 hypertrace-attributeservice = "0.14.35"
@@ -27,7 +27,7 @@ grpc-protobuf = { module = "io.grpc:grpc-protobuf" }
 grpc-api = { module = "io.grpc:grpc-api" }
 grpc-netty = { module = "io.grpc:grpc-netty" }
 grpc-context = { module = "io.grpc:grpc-context" }
-jackson-bom = { module = "com.fasterxml.jackson:jackson-bom", version = "2.15.2" }
+jackson-bom = { module = "com.fasterxml.jackson:jackson-bom", version = "2.16.0" }
 jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind" }
 jackson-datatype-jsr310 = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jsr310" }
 jackson-datatype-jdk8 = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jdk8" }
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -10,15 +10,6 @@
     <cpe>cpe:/a:service_project:service</cpe>
     <cpe>cpe:/a:processing:processing</cpe>
   </suppress>
-  <suppress until="2023-12-31Z">
-    <notes><![CDATA[
-   Doesn't appear to be a real vulnerability, jackson maintainers discuss at https://github.com/FasterXML/jackson-databind/issues/3973
-   Revisit when suppression expires
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
-    </packageUrl>
-    <cve>CVE-2023-35116</cve>
-  </suppress>
   <suppress until="2023-12-31Z">
     <notes><![CDATA[
   This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
@@ -41,4 +32,13 @@
     <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@9.4.53\..*$</packageUrl>
     <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
   </suppress>
+  <suppress until="2023-12-31Z">
+    <notes><![CDATA[
+   This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
+   addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
+   Ref: https://github.com/grpc/grpc-java/pull/10675
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
+    <cve>CVE-2023-44487</cve>
+  </suppress>
 </suppressions>
