refactor: update grpc to 1.60 and remove old suppressions (#83)

aaron-steinfeld · web-flow · commit 1198a78ee0be · 2023-12-12T10:28:44.000-05:00
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -18,25 +18,4 @@
     <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@9.4.53\..*$</packageUrl>
     <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
   </suppress>
-  <suppress until="2023-12-31Z">
-    <notes><![CDATA[
-   This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
-   addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
-   Ref: https://github.com/grpc/grpc-java/pull/10675
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
-    <cve>CVE-2023-44487</cve>
-  </suppress>
-  <suppress until="2023-12-31Z">
-    <notes><![CDATA[
-  This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
-  than the transport. The change in default is under consideration for the next major Netty release, revisit then.
-  Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
-  Ref:
-  https://github.com/grpc/grpc-java/issues/10033
-  https://github.com/netty/netty/issues/8537#issuecomment-1527896917
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
-    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
-  </suppress>
 </suppressions> 
diff --git a/platform-grpc-service-framework/build.gradle.kts b/platform-grpc-service-framework/build.gradle.kts
@@ -7,10 +7,10 @@ plugins {
 
 dependencies {
   api(project(":platform-service-framework"))
-  api(platform("io.grpc:grpc-bom:1.59.1"))
+  api(platform("io.grpc:grpc-bom:1.60.0"))
   api("io.grpc:grpc-api")
   api("io.grpc:grpc-services")
-  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.7")
+  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.8")
   api("com.typesafe:config:1.4.2")
   api(project(":service-framework-spi"))
 
@@ -21,5 +21,5 @@ dependencies {
   implementation("io.grpc:grpc-inprocess")
   implementation("io.grpc:grpc-netty")
   implementation("org.slf4j:slf4j-api:1.7.36")
-  implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.7")
+  implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.8")
 }
diff --git a/platform-http-service-framework/build.gradle.kts b/platform-http-service-framework/build.gradle.kts
@@ -5,7 +5,7 @@ plugins {
 
 dependencies {
   api(project(":platform-service-framework"))
-  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.7")
+  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.8")
   api("com.typesafe:config:1.4.2")
   api("javax.servlet:javax.servlet-api:4.0.1")
   api("com.google.inject:guice:5.1.0")
