chore: update grpc, jackson (#82)

aaron-steinfeld · skjindal93 · web-flow · commit d6508f681882 · 2023-12-04T08:35:57.000-05:00
* chore: update grpc, jackson

* chore: apply a max rst window

* upgrade grpc utils

* upgrade grpc utils

---------

Co-authored-by: SJ &lt;48863181+skjindal93@users.noreply.github.com&gt;
diff --git a/docstore-metrics/build.gradle.kts b/docstore-metrics/build.gradle.kts
@@ -11,5 +11,6 @@ dependencies {
 
   api(libs.hypertrace.documentStore)
   api(project(":service-framework-spi"))
+  api(platform("com.fasterxml.jackson:jackson-bom:2.16.0"))
   implementation(project(":platform-metrics"))
 }
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -8,14 +8,7 @@
     <cpe>cpe:/a:grpc:grpc</cpe>
     <cpe>cpe:/a:utils_project:utils</cpe>
   </suppress>
-  <suppress>
-    <notes><![CDATA[
-   Not a real CVE.
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-    <cve>CVE-2023-35116</cve>
-  </suppress>
-  <suppress until="2023-11-30Z">
+  <suppress until="2023-12-31Z">
     <notes><![CDATA[
    This CVE is declared fixed from 9.4.52, but the vuln db is not reflecting that. Suppress that specific version until
    db is updated.
@@ -25,4 +18,25 @@
     <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@9.4.53\..*$</packageUrl>
     <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
   </suppress>
+  <suppress until="2023-12-31Z">
+    <notes><![CDATA[
+   This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
+   addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
+   Ref: https://github.com/grpc/grpc-java/pull/10675
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
+    <cve>CVE-2023-44487</cve>
+  </suppress>
+  <suppress until="2023-12-31Z">
+    <notes><![CDATA[
+  This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
+  than the transport. The change in default is under consideration for the next major Netty release, revisit then.
+  Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
+  Ref:
+  https://github.com/grpc/grpc-java/issues/10033
+  https://github.com/netty/netty/issues/8537#issuecomment-1527896917
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
+    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+  </suppress>
 </suppressions> 
diff --git a/platform-grpc-service-framework/build.gradle.kts b/platform-grpc-service-framework/build.gradle.kts
@@ -7,17 +7,19 @@ plugins {
 
 dependencies {
   api(project(":platform-service-framework"))
-  api(platform("io.grpc:grpc-bom:1.57.2"))
+  api(platform("io.grpc:grpc-bom:1.59.1"))
   api("io.grpc:grpc-api")
   api("io.grpc:grpc-services")
-  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.6")
+  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.7")
   api("com.typesafe:config:1.4.2")
   api(project(":service-framework-spi"))
 
   annotationProcessor("org.projectlombok:lombok:1.18.24")
   compileOnly("org.projectlombok:lombok:1.18.24")
 
   implementation(project(":platform-metrics"))
+  implementation("io.grpc:grpc-inprocess")
+  implementation("io.grpc:grpc-netty")
   implementation("org.slf4j:slf4j-api:1.7.36")
-  implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.6")
+  implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.7")
 }
diff --git a/platform-grpc-service-framework/src/main/java/org/hypertrace/core/serviceframework/grpc/GrpcPlatformServerDefinition.java b/platform-grpc-service-framework/src/main/java/org/hypertrace/core/serviceframework/grpc/GrpcPlatformServerDefinition.java
@@ -3,16 +3,20 @@
 import io.grpc.ServerInterceptor;
 import java.util.Collection;
 import java.util.List;
+import lombok.AccessLevel;
+import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Singular;
 import lombok.Value;
 
 @Value
+@AllArgsConstructor(access = AccessLevel.PRIVATE)
 @Builder
 public class GrpcPlatformServerDefinition {
   String name;
   int port;
   int maxInboundMessageSize;
+  @Builder.Default int maxRstPerMinute = 500;
   @Singular Collection<GrpcPlatformServiceFactory> serviceFactories;
   @Singular List<ServerInterceptor> serverInterceptors;
 }
diff --git a/platform-grpc-service-framework/src/main/java/org/hypertrace/core/serviceframework/grpc/GrpcPlatformServiceContainer.java b/platform-grpc-service-framework/src/main/java/org/hypertrace/core/serviceframework/grpc/GrpcPlatformServiceContainer.java
@@ -11,6 +11,7 @@
 import io.grpc.health.v1.HealthGrpc;
 import io.grpc.health.v1.HealthGrpc.HealthBlockingStub;
 import io.grpc.inprocess.InProcessServerBuilder;
+import io.grpc.netty.NettyServerBuilder;
 import io.grpc.protobuf.services.HealthStatusManager;
 import io.micrometer.core.instrument.binder.grpc.MetricCollectingClientInterceptor;
 import io.micrometer.core.instrument.binder.grpc.MetricCollectingServerInterceptor;
@@ -233,11 +234,14 @@ protected abstract GrpcServiceContainerEnvironment buildContainerEnvironment(
       InProcessGrpcChannelRegistry channelRegistry, HealthStatusManager healthStatusManager);
 
   private ServerBuilder<?> initializeBuilder(GrpcPlatformServerDefinition serverDefinition) {
-    ServerBuilder<?> builder = ServerBuilder.forPort(serverDefinition.getPort());
+    NettyServerBuilder builder = NettyServerBuilder.forPort(serverDefinition.getPort());
 
     if (serverDefinition.getMaxInboundMessageSize() > 0) {
       builder.maxInboundMessageSize(serverDefinition.getMaxInboundMessageSize());
     }
+    if (serverDefinition.getMaxRstPerMinute() > 0) {
+      builder.maxRstFramesPerWindow(serverDefinition.getMaxRstPerMinute(), 60);
+    }
     // add micrometer-grpc interceptor to collect server metrics.
     builder.intercept(
         new MetricCollectingServerInterceptor(PlatformMetricsRegistry.getMeterRegistry()));
@@ -248,6 +252,7 @@ private ServerBuilder<?> initializeBuilder(GrpcPlatformServerDefinition serverDe
 
   @Value
   private static class ConstructedServer {
+
     String name;
     Server server;
   }
diff --git a/platform-http-service-framework/build.gradle.kts b/platform-http-service-framework/build.gradle.kts
@@ -5,7 +5,7 @@ plugins {
 
 dependencies {
   api(project(":platform-service-framework"))
-  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.6")
+  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.7")
   api("com.typesafe:config:1.4.2")
   api("javax.servlet:javax.servlet-api:4.0.1")
   api("com.google.inject:guice:5.1.0")
diff --git a/platform-service-framework/build.gradle.kts b/platform-service-framework/build.gradle.kts
@@ -11,16 +11,14 @@ tasks.test {
 
 dependencies {
   api(project(":service-framework-spi"))
+  api(platform("com.fasterxml.jackson:jackson-bom:2.16.0"))
   implementation(project(":platform-metrics"))
 
   api("org.slf4j:slf4j-api:1.7.36")
   api("com.typesafe:config:1.4.2")
 
   // Use for thread dump servlet
   implementation("io.dropwizard.metrics:metrics-servlets:4.2.16")
-  constraints {
-    implementation("com.fasterxml.jackson.core:jackson-databind:2.15.2")
-  }
   implementation("org.eclipse.jetty:jetty-servlet:9.4.53.v20231009")
 
   // Use for metrics servlet

Original file line number	Diff line number	Diff line change
`@@ -11,5 +11,6 @@ dependencies {`
`11`	`11`
`12`	`12`	`api(libs.hypertrace.documentStore)`
`13`	`13`	`api(project(":service-framework-spi"))`
	`14`	`+ api(platform("com.fasterxml.jackson:jackson-bom:2.16.0"))`
`14`	`15`	`implementation(project(":platform-metrics"))`
`15`	`16`	`}`