From b57dec97fd6166b70741e8abac48e24966d438f8 Mon Sep 17 00:00:00 2001 From: Nam Truong Date: Fri, 26 Apr 2024 15:12:34 +0700 Subject: [PATCH 1/9] Upgrade dependencies --- build.gradle | 10 +++++----- key-vault/azure-key-vault/build.gradle | 10 +++++----- tessera-jaxrs/openapi/generate/build.gradle | 2 +- tessera-jaxrs/sync-jaxrs/build.gradle | 2 +- tessera-jaxrs/thirdparty-jaxrs/build.gradle | 2 +- tessera-jaxrs/transaction-jaxrs/build.gradle | 2 +- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/build.gradle b/build.gradle index ac44b03ff..054aa64cb 100644 --- a/build.gradle +++ b/build.gradle @@ -11,12 +11,12 @@ plugins { } ext { - jettyVersion = "11.0.11" + jettyVersion = "11.0.16" eclipselinkVersion = "3.0.2" swaggerVersion = "2.1.13" jerseyVersion = "3.0.4" slf4jVersion = "1.7.36" - logbackVersion = "1.2.11" + logbackVersion = "1.2.13" hk2Version = "3.0.2" jacksonVersion = "2.14.2" jacksonDatabindVersion = "2.14.2" @@ -68,7 +68,7 @@ allprojects { testImplementation "nl.jqno.equalsverifier:equalsverifier:3.7.1" testImplementation "com.mockrunner:mockrunner-jdbc:2.0.4" - implementation "org.yaml:snakeyaml:1.33" // transitive dependency of jackson-databind:2.13.3 + implementation 'org.yaml:snakeyaml:2.0' // transitive dependency of jackson-databind:2.13.3 implementation "commons-cli:commons-cli:1.5.0" implementation "commons-codec:commons-codec:1.15" @@ -116,8 +116,8 @@ allprojects { implementation('io.swagger.parser.v3:swagger-parser-v3:2.0.27') implementation "io.swagger.core.v3:swagger-jaxrs2-jakarta:$swaggerVersion" - implementation "org.bouncycastle:bcpkix-jdk15on:1.68" - implementation "org.bouncycastle:bcprov-jdk15on:1.68" + implementation "org.bouncycastle:bcpkix-jdk15on:1.69" + implementation "org.bouncycastle:bcprov-jdk15on:1.69" implementation "com.h2database:h2:2.1.214" implementation "com.zaxxer:HikariCP:5.0.1" 
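Review bot: The comment kept on the snakeyaml line is stale after this change: `implementation 'org.yaml:snakeyaml:2.0' // transitive dependency of jackson-databind:2.13.3` still cites jackson-databind 2.13.3 while the `ext` block in the same hunk pins Jackson 2.14.2, and the actual reason for the explicit pin (patch 9 of this series deletes the CVE-2022-1471 suppressions for snakeyaml 1.33) is recorded nowhere near the line. Suggest `implementation "org.yaml:snakeyaml:2.0" // explicit pin above what Jackson's YAML module pulls in; 2.x restricts default tag handling (CVE-2022-1471)`, which also restores the file's double-quote convention instead of the single quotes introduced here. SnakeYAML 2.x also changed the `Yaml`/`Constructor` constructor API, so any direct YAML parsing in the repo should be recompiled and checked rather than assumed source-compatible.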
diff --git a/key-vault/azure-key-vault/build.gradle b/key-vault/azure-key-vault/build.gradle index c7bbf1c72..e7a13f441 100644 --- a/key-vault/azure-key-vault/build.gradle +++ b/key-vault/azure-key-vault/build.gradle @@ -21,17 +21,17 @@ dependencies { implementation project(":config") implementation project(":key-vault:key-vault-api") - implementation ("com.azure:azure-security-keyvault-secrets:4.4.2") { + implementation ("com.azure:azure-security-keyvault-secrets:4.8.2") { exclude group: 'com.azure', module: 'azure-core-http-netty' } - implementation("com.azure:azure-identity:1.5.1") { + implementation("com.azure:azure-identity:1.11.4") { exclude group: 'com.azure', module: 'azure-core-http-netty' } - implementation("com.azure:azure-core:1.29.1") { + implementation("com.azure:azure-core:1.37.0") { exclude group: 'com.azure', module: 'azure-core-http-netty' } - implementation 'com.azure:azure-core-http-okhttp:1.10.1' - implementation 'com.squareup.okio:okio:3.1.0' + implementation 'com.azure:azure-core-http-okhttp:1.11.0' + implementation 'com.squareup.okio:okio:3.4.0' testImplementation "org.glassfish:jakarta.json" diff --git a/tessera-jaxrs/openapi/generate/build.gradle b/tessera-jaxrs/openapi/generate/build.gradle index b2a85062c..c14501339 100644 --- a/tessera-jaxrs/openapi/generate/build.gradle +++ b/tessera-jaxrs/openapi/generate/build.gradle @@ -4,7 +4,7 @@ plugins { configurations.all { resolutionStrategy { - force 'org.yaml:snakeyaml:1.33', 'com.fasterxml.jackson.core:jackson-databind:2.14.0-rc1' + force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.14.2' } } diff --git a/tessera-jaxrs/sync-jaxrs/build.gradle b/tessera-jaxrs/sync-jaxrs/build.gradle index 9daf45e5b..86ce59a4d 100644 --- a/tessera-jaxrs/sync-jaxrs/build.gradle +++ b/tessera-jaxrs/sync-jaxrs/build.gradle 
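Review bot: The three explicit Azure pins in this hunk are bumped independently, and `azure-core:1.37.0` looks older than what `azure-identity:1.11.4` and `azure-security-keyvault-secrets:4.8.2` were released against; Gradle resolves to the highest requested version by default, so the number written here is probably not what lands on the classpath — confirm with `gradle :key-vault:azure-key-vault:dependencyInsight --dependency azure-core`. A BOM keeps the three aligned without hand-picking: `implementation platform("com.azure:azure-sdk-bom:<release>")` followed by the three artifacts without versions. It is also worth re-checking that the `azure-core-http-netty` exclusion still covers every path now that the azure-core family has moved: azure-core discovers its HttpClient via ServiceLoader, so a Netty client re-introduced by a newer transitive would sit next to `azure-core-http-okhttp` and make the client choice ambiguous.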
@@ -5,7 +5,7 @@ plugins { configurations.all { resolutionStrategy { - force 'org.yaml:snakeyaml:1.33', 'com.fasterxml.jackson.core:jackson-databind:2.14.0-rc1' + force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.14.2' } } diff --git a/tessera-jaxrs/thirdparty-jaxrs/build.gradle b/tessera-jaxrs/thirdparty-jaxrs/build.gradle index 4fe4a3aa7..b8f26ad99 100644 --- a/tessera-jaxrs/thirdparty-jaxrs/build.gradle +++ b/tessera-jaxrs/thirdparty-jaxrs/build.gradle @@ -5,7 +5,7 @@ plugins { configurations.all { resolutionStrategy { - force 'org.yaml:snakeyaml:1.33', 'com.fasterxml.jackson.core:jackson-databind:2.14.0-rc1' + force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.14.2' } } diff --git a/tessera-jaxrs/transaction-jaxrs/build.gradle b/tessera-jaxrs/transaction-jaxrs/build.gradle index a252ff421..2ef983902 100644 --- a/tessera-jaxrs/transaction-jaxrs/build.gradle +++ b/tessera-jaxrs/transaction-jaxrs/build.gradle @@ -5,7 +5,7 @@ plugins { configurations.all { resolutionStrategy { - force 'org.yaml:snakeyaml:1.33', 'com.fasterxml.jackson.core:jackson-databind:2.14.0-rc1' + force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.14.2' } } From 10ce6c64cd4d2f5e228df30cf819683095eb7338 Mon Sep 17 00:00:00 2001 From: Nam Truong Date: Fri, 26 Apr 2024 15:50:21 +0700 Subject: [PATCH 2/9] Upgrade bouncycastle --- build.gradle | 6 +++--- enclave/enclave-api/build.gradle | 2 +- enclave/enclave-jaxrs/build.gradle | 4 ++-- encryption/encryption-api/build.gradle | 2 +- encryption/encryption-ec/build.gradle | 2 +- key-generation/build.gradle | 2 +- security/build.gradle | 4 ++-- tessera-core/build.gradle | 2 +- tessera-data/build.gradle | 2 +- tessera-dist/build.gradle | 2 +- tests/acceptance-test/build.gradle | 4 ++-- 11 files changed, 16 insertions(+), 16 deletions(-) diff --git a/build.gradle b/build.gradle index 054aa64cb..88f28f25f 100644 --- a/build.gradle +++ b/build.gradle 
@@ -11,7 +11,7 @@ plugins { } ext { - jettyVersion = "11.0.16" + jettyVersion = "11.0.20" eclipselinkVersion = "3.0.2" swaggerVersion = "2.1.13" jerseyVersion = "3.0.4" @@ -116,8 +116,8 @@ allprojects { implementation('io.swagger.parser.v3:swagger-parser-v3:2.0.27') implementation "io.swagger.core.v3:swagger-jaxrs2-jakarta:$swaggerVersion" - implementation "org.bouncycastle:bcpkix-jdk15on:1.69" - implementation "org.bouncycastle:bcprov-jdk15on:1.69" + implementation "org.bouncycastle:bcpkix-jdk18on:1.77" + implementation "org.bouncycastle:bcprov-jdk18on:1.77" implementation "com.h2database:h2:2.1.214" implementation "com.zaxxer:HikariCP:5.0.1" diff --git a/enclave/enclave-api/build.gradle b/enclave/enclave-api/build.gradle index 44817c2d6..835a4fa56 100644 --- a/enclave/enclave-api/build.gradle +++ b/enclave/enclave-api/build.gradle @@ -7,7 +7,7 @@ dependencies { implementation project(":encryption:encryption-api") implementation project(":shared") implementation project(":key-vault:key-vault-api") - implementation "org.bouncycastle:bcpkix-jdk15on" + implementation "org.bouncycastle:bcpkix-jdk18on" implementation "com.fasterxml.jackson.core:jackson-databind:$jacksonDatabindVersion" implementation "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:$jacksonVersion" diff --git a/enclave/enclave-jaxrs/build.gradle b/enclave/enclave-jaxrs/build.gradle index 507307ee8..919c3776d 100644 --- a/enclave/enclave-jaxrs/build.gradle +++ b/enclave/enclave-jaxrs/build.gradle @@ -61,8 +61,8 @@ dependencies { implementation "org.glassfish.jersey.media:jersey-media-json-processing" runtimeOnly "org.glassfish.jersey.media:jersey-media-moxy" runtimeOnly "com.sun.mail:jakarta.mail" - implementation "org.bouncycastle:bcprov-jdk15on" - implementation "org.bouncycastle:bcpkix-jdk15on" + implementation "org.bouncycastle:bcprov-jdk18on" + implementation "org.bouncycastle:bcpkix-jdk18on" implementation project(":server:jersey-server") 
diff --git a/encryption/encryption-api/build.gradle b/encryption/encryption-api/build.gradle index ddd06516c..f183a3b6f 100644 --- a/encryption/encryption-api/build.gradle +++ b/encryption/encryption-api/build.gradle @@ -4,5 +4,5 @@ plugins { dependencies { implementation project(":shared") - testImplementation "org.bouncycastle:bcpkix-jdk15on" + testImplementation "org.bouncycastle:bcpkix-jdk18on" } diff --git a/encryption/encryption-ec/build.gradle b/encryption/encryption-ec/build.gradle index 497d9360d..aa2fc3e52 100644 --- a/encryption/encryption-ec/build.gradle +++ b/encryption/encryption-ec/build.gradle @@ -4,5 +4,5 @@ plugins { dependencies { implementation project(":encryption:encryption-api") - implementation "org.bouncycastle:bcpkix-jdk15on" + implementation "org.bouncycastle:bcpkix-jdk18on" } diff --git a/key-generation/build.gradle b/key-generation/build.gradle index 0effd7165..73cb1458d 100644 --- a/key-generation/build.gradle +++ b/key-generation/build.gradle @@ -7,6 +7,6 @@ dependencies { implementation project(":config") implementation project(":shared") implementation project(":key-vault:key-vault-api") - implementation "org.bouncycastle:bcprov-jdk15on" + implementation "org.bouncycastle:bcprov-jdk18on" testRuntimeOnly project(":encryption:encryption-ec") } diff --git a/security/build.gradle b/security/build.gradle index 8b9a35d1a..e563fd8e0 100644 --- a/security/build.gradle +++ b/security/build.gradle @@ -5,8 +5,8 @@ plugins { dependencies { implementation project(":config") implementation project(":shared") - implementation "org.bouncycastle:bcpkix-jdk15on" - implementation "org.bouncycastle:bcprov-jdk15on" + implementation "org.bouncycastle:bcpkix-jdk18on" + implementation "org.bouncycastle:bcprov-jdk18on" implementation "org.cryptacular:cryptacular" implementation "jakarta.xml.bind:jakarta.xml.bind-api" diff --git a/tessera-core/build.gradle b/tessera-core/build.gradle index df7a2752a..5ac3901c6 100644 --- a/tessera-core/build.gradle 
+++ b/tessera-core/build.gradle @@ -18,7 +18,7 @@ dependencies { implementation "jakarta.transaction:jakarta.transaction-api" implementation "jakarta.annotation:jakarta.annotation-api" - implementation "org.bouncycastle:bcpkix-jdk15on" + implementation "org.bouncycastle:bcpkix-jdk18on" testImplementation project(":cli:cli-api") diff --git a/tessera-data/build.gradle b/tessera-data/build.gradle index 66ec7191e..03bf48279 100644 --- a/tessera-data/build.gradle +++ b/tessera-data/build.gradle @@ -10,7 +10,7 @@ dependencies { implementation project(":encryption:encryption-api") implementation project(":eclipselink-utils") implementation "jakarta.transaction:jakarta.transaction-api" - implementation "org.bouncycastle:bcprov-jdk15on" + implementation "org.bouncycastle:bcprov-jdk18on" implementation "jakarta.validation:jakarta.validation-api" runtimeOnly "com.h2database:h2" implementation "com.zaxxer:HikariCP" diff --git a/tessera-dist/build.gradle b/tessera-dist/build.gradle index a2be4e93e..75f8fcb17 100644 --- a/tessera-dist/build.gradle +++ b/tessera-dist/build.gradle @@ -80,7 +80,7 @@ dependencies { implementation project(":tessera-context") - implementation "org.bouncycastle:bcpkix-jdk15on" + implementation "org.bouncycastle:bcpkix-jdk18on" implementation "jakarta.inject:jakarta.inject-api" implementation "org.glassfish.jersey.core:jersey-common" diff --git a/tests/acceptance-test/build.gradle b/tests/acceptance-test/build.gradle index dbb8bf9ff..1656f2be1 100644 --- a/tests/acceptance-test/build.gradle +++ b/tests/acceptance-test/build.gradle @@ -54,8 +54,8 @@ dependencies { testImplementation "com.github.jnr:jnr-unixsocket" testImplementation "org.glassfish:jakarta.el" - testImplementation "org.bouncycastle:bcpkix-jdk15on" - testImplementation "org.bouncycastle:bcprov-jdk15on" + testImplementation "org.bouncycastle:bcpkix-jdk18on" + testImplementation "org.bouncycastle:bcprov-jdk18on" testRuntimeOnly "org.eclipse.persistence:org.eclipse.persistence.moxy" 
From 03779adbeb9186b77beaa2c8e3b7f339ca3df119 Mon Sep 17 00:00:00 2001 From: Nam Truong Date: Fri, 26 Apr 2024 16:34:14 +0700 Subject: [PATCH 3/9] Upgrade bouncycastle --- build.gradle | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.gradle b/build.gradle index 88f28f25f..cd9043686 100644 --- a/build.gradle +++ b/build.gradle @@ -116,8 +116,8 @@ allprojects { implementation('io.swagger.parser.v3:swagger-parser-v3:2.0.27') implementation "io.swagger.core.v3:swagger-jaxrs2-jakarta:$swaggerVersion" - implementation "org.bouncycastle:bcpkix-jdk18on:1.77" - implementation "org.bouncycastle:bcprov-jdk18on:1.77" + implementation "org.bouncycastle:bcpkix-jdk18on:1.78" + implementation "org.bouncycastle:bcprov-jdk18on:1.78" implementation "com.h2database:h2:2.1.214" implementation "com.zaxxer:HikariCP:5.0.1" From 45dfcc6a60e083412336d51c67335090ab219b3a Mon Sep 17 00:00:00 2001 From: Nam Truong Date: Fri, 26 Apr 2024 17:42:47 +0700 Subject: [PATCH 4/9] bouncycastle - resolve conflict --- build.gradle | 2 +- security/build.gradle | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index cd9043686..667546174 100644 --- a/build.gradle +++ b/build.gradle @@ -108,7 +108,7 @@ allprojects { implementation "org.eclipse.jetty:jetty-http:$jettyVersion" implementation "org.eclipse.jetty:jetty-util:$jettyVersion" - implementation "org.cryptacular:cryptacular:1.2.4" + implementation "org.cryptacular:cryptacular:1.2.6" implementation "eu.neilalexander:jnacl:1.0.0" implementation("io.swagger.core.v3:swagger-annotations-jakarta:$swaggerVersion") diff --git a/security/build.gradle b/security/build.gradle index e563fd8e0..7e836700b 100644 --- a/security/build.gradle +++ b/security/build.gradle 
@@ -2,6 +2,12 @@ plugins { id "java-library" } +configurations.all { + resolutionStrategy { + force 'org.bouncycastle:bcprov-jdk18on:1.78' + } +} + dependencies { implementation project(":config") implementation project(":shared") From c2bc65c84caee5796b6b6188b7fb3db6ced0a500 Mon Sep 17 00:00:00 2001 From: Nam Truong Date: Fri, 26 Apr 2024 17:55:19 +0700 Subject: [PATCH 5/9] suppress CVE-2023-5072 --- cvss-suppressions.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cvss-suppressions.xml b/cvss-suppressions.xml index 77f449ef1..f873305bd 100644 --- a/cvss-suppressions.xml +++ b/cvss-suppressions.xml @@ -63,6 +63,7 @@ ]]> ^pkg:maven/org\.glassfish/jakarta\.json@.*$ CVE-2022-45688 + CVE-2023-5072 ^pkg:maven/org\.glassfish/jsonp-jaxrs@.*$ CVE-2022-45688 + CVE-2023-5072 ^pkg:maven/jakarta\.json/jakarta\.json-api@.*$ CVE-2022-45688 + CVE-2023-5072 Date: Fri, 26 Apr 2024 18:06:37 +0700 Subject: [PATCH 6/9] requires snakeyaml in openapiit test --- tests/acceptance-test/build.gradle | 2 +- tests/acceptance-test/src/main/java/module-info.java | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/acceptance-test/build.gradle b/tests/acceptance-test/build.gradle index 1656f2be1..9dca85e7b 100644 --- a/tests/acceptance-test/build.gradle +++ b/tests/acceptance-test/build.gradle @@ -70,7 +70,7 @@ dependencies { testImplementation "org.eclipse.jetty:jetty-servlet" - testImplementation "org.yaml:snakeyaml" + implementation "org.yaml:snakeyaml" } diff --git a/tests/acceptance-test/src/main/java/module-info.java b/tests/acceptance-test/src/main/java/module-info.java index 192791dcb..a4acfcc9d 100644 --- a/tests/acceptance-test/src/main/java/module-info.java +++ b/tests/acceptance-test/src/main/java/module-info.java @@ -17,4 +17,5 @@ requires jdk.httpserver; requires java.net.http; requires jakarta.json; + requires org.yaml.snakeyaml; } From 347c85163de1f6fab08f186bec850aa37301908b Mon Sep 17 00:00:00 2001 
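Review bot: The `force 'org.bouncycastle:bcprov-jdk18on:1.78'` added here hard-codes a version that the root `allprojects` block already declares, so the next root bump (patch 3 of this series already moved 1.77 to 1.78 once) leaves this module pinned to the old provider unless someone remembers to edit both places. Gradle picks the highest requested version by default, so forcing the same version the root declares only changes anything when a transitive asks for something higher, and it does nothing about the real hazard of the `jdk15on` to `jdk18on` rename: a transitive that still pulls `bcprov-jdk15on` puts two copies of the `org.bouncycastle` packages on the classpath, which a version force cannot merge (the `cryptacular` 1.2.4 to 1.2.6 bump in the same commit is presumably what actually cleared that conflict, and the commit message should say so). Prefer a shared `bouncyCastleVersion` in the root `ext` block next to `jettyVersion`, and if the jdk15on coordinates can still appear transitively, substitute them rather than forcing a version.
```groovy
configurations.all {
    resolutionStrategy {
        // Gradle >= 6.6 syntax: keep exactly one BC provider/PKIX on the classpath
        dependencySubstitution {
            substitute module('org.bouncycastle:bcprov-jdk15on') using module("org.bouncycastle:bcprov-jdk18on:$bouncyCastleVersion")
            substitute module('org.bouncycastle:bcpkix-jdk15on') using module("org.bouncycastle:bcpkix-jdk18on:$bouncyCastleVersion")
        }
    }
}
```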
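Review bot: Each `CVE-2023-5072` line added here is appended to an existing suppression with no accompanying rationale, so the next reader cannot tell a justified false-positive suppression from a silenced finding. CVE-2023-5072 is reported against the org.json JSON-java library; the `jakarta.json`, `jsonp-jaxrs` and `jakarta.json-api` artifacts these regexes match are different implementations that the scanner presumably pairs with it on the shared "json" product name, and that is what the entry should state. Add a `notes` element to each affected suppression along the lines of `CVE-2023-5072 targets org.json (JSON-java); this artifact is a Jakarta JSON-P implementation and does not ship that code`, and consider an `until` attribute so the suppression is re-evaluated rather than living forever against every future version matched by `@.*$`.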
From: Nam Truong Date: Fri, 26 Apr 2024 18:16:47 +0700 Subject: [PATCH 7/9] Fix CVE-2023-35116, CVE-2023-32697 --- build.gradle | 6 +++--- tessera-jaxrs/openapi/generate/build.gradle | 2 +- tessera-jaxrs/sync-jaxrs/build.gradle | 2 +- tessera-jaxrs/thirdparty-jaxrs/build.gradle | 2 +- tessera-jaxrs/transaction-jaxrs/build.gradle | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/build.gradle b/build.gradle index 667546174..02730349e 100644 --- a/build.gradle +++ b/build.gradle @@ -18,8 +18,8 @@ ext { slf4jVersion = "1.7.36" logbackVersion = "1.2.13" hk2Version = "3.0.2" - jacksonVersion = "2.14.2" - jacksonDatabindVersion = "2.14.2" + jacksonVersion = "2.16.2" + jacksonDatabindVersion = "2.16.2" } allprojects { @@ -123,7 +123,7 @@ allprojects { implementation "com.zaxxer:HikariCP:5.0.1" implementation "org.hsqldb:hsqldb:2.7.1" - implementation "org.xerial:sqlite-jdbc:3.30.1" + implementation "org.xerial:sqlite-jdbc:3.45.1.0" api 'org.eclipse.jetty.toolchain:jetty-jakarta-servlet-api:5.0.2' api "jakarta.ws.rs:jakarta.ws.rs-api:3.0.0" diff --git a/tessera-jaxrs/openapi/generate/build.gradle b/tessera-jaxrs/openapi/generate/build.gradle index c14501339..b071c76e8 100644 --- a/tessera-jaxrs/openapi/generate/build.gradle +++ b/tessera-jaxrs/openapi/generate/build.gradle @@ -4,7 +4,7 @@ plugins { configurations.all { resolutionStrategy { - force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.14.2' + force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.16.2' } } diff --git a/tessera-jaxrs/sync-jaxrs/build.gradle b/tessera-jaxrs/sync-jaxrs/build.gradle index 86ce59a4d..d28249a48 100644 --- a/tessera-jaxrs/sync-jaxrs/build.gradle +++ b/tessera-jaxrs/sync-jaxrs/build.gradle 
@@ -5,7 +5,7 @@ plugins { configurations.all { resolutionStrategy { - force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.14.2' + force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.16.2' } } diff --git a/tessera-jaxrs/thirdparty-jaxrs/build.gradle b/tessera-jaxrs/thirdparty-jaxrs/build.gradle index b8f26ad99..a971f254d 100644 --- a/tessera-jaxrs/thirdparty-jaxrs/build.gradle +++ b/tessera-jaxrs/thirdparty-jaxrs/build.gradle @@ -5,7 +5,7 @@ plugins { configurations.all { resolutionStrategy { - force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.14.2' + force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.16.2' } } diff --git a/tessera-jaxrs/transaction-jaxrs/build.gradle b/tessera-jaxrs/transaction-jaxrs/build.gradle index 2ef983902..7dc03bded 100644 --- a/tessera-jaxrs/transaction-jaxrs/build.gradle +++ b/tessera-jaxrs/transaction-jaxrs/build.gradle @@ -5,7 +5,7 @@ plugins { configurations.all { resolutionStrategy { - force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.14.2' + force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.16.2' } } From 66be8a852baa0c74005e4ab66edffb51d343cfeb Mon Sep 17 00:00:00 2001 From: Nam Truong Date: Fri, 26 Apr 2024 18:24:24 +0700 Subject: [PATCH 8/9] Suppress CVE-2023-5072 --- cvss-suppressions.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cvss-suppressions.xml b/cvss-suppressions.xml index f873305bd..f9c8dcbf1 100644 --- a/cvss-suppressions.xml +++ b/cvss-suppressions.xml @@ -83,9 +83,10 @@ ^pkg:maven/com\.fasterxml\.jackson\.core/jackson-core@.*$ CVE-2022-45688 + CVE-2023-5072 From 9b2c65a527c842c2a3065ba30e663a1866f4aa38 Mon Sep 17 00:00:00 2001 From: Nam Truong Date: Fri, 26 Apr 2024 22:19:23 +0700 Subject: [PATCH 9/9] update suppression list --- cvss-suppressions.xml | 11 ----------- 1 file changed, 11 deletions(-) 
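Review bot: The `force 'org.yaml:snakeyaml:2.0', 'com.fasterxml.jackson.core:jackson-databind:2.16.2'` line is the fourth identical copy of a literal that also lives in the root `ext` block, and this series already had to edit all four copies twice (2.14.0-rc1 to 2.14.2 to 2.16.2); a hard-coded pin in a `force` is exactly how a module quietly stays on a vulnerable version after the next root bump. Write it against the shared properties, `force "org.yaml:snakeyaml:$snakeYamlVersion", "com.fasterxml.jackson.core:jackson-databind:$jacksonDatabindVersion"`, adding `snakeYamlVersion = "2.0"` next to `jacksonDatabindVersion` in the root `ext`. Separately, `force` downgrades as readily as it upgrades: if Jackson 2.16's YAML module was built against a later 2.x SnakeYAML than 2.0, this line pins it below what that library expects, so check with `dependencyInsight --dependency snakeyaml` and move the pin up if so.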
diff --git a/cvss-suppressions.xml b/cvss-suppressions.xml index f9c8dcbf1..1cee3e334 100644 --- a/cvss-suppressions.xml +++ b/cvss-suppressions.xml @@ -27,17 +27,6 @@ - ^pkg:maven/org.yaml/snakeyaml@1.33 - CVE-2022-41854 - CVE-2022-3064 - CVE-2022-38752 - CVE-2022-1471 - CVE-2021-4235 - - - ^pkg:maven/commons-io/commons-io@2.11.0