From 0e9ef92a63c7573c69e7edd0bcc5306e4d8714e2 Mon Sep 17 00:00:00 2001 From: "Mark S. Lewis" Date: Mon, 19 Jun 2023 14:51:10 +0100 Subject: [PATCH] Update dependencies to address CVE-2022-45688, CVE-2022-1471 (#283) Signed-off-by: Mark S. Lewis --- dependency-suppressions.xml | 21 ------- pom.xml | 59 ++++++++++++------- .../sdk/ChaincodeCollectionConfiguration.java | 3 +- .../sdk/ChaincodeEndorsementPolicy.java | 3 +- .../LifecycleChaincodeEndorsementPolicy.java | 6 +- .../hyperledger/fabric/sdk/NetworkConfig.java | 3 +- 6 files changed, 49 insertions(+), 46 deletions(-) diff --git a/dependency-suppressions.xml b/dependency-suppressions.xml index c0519403..fbf9371b 100644 --- a/dependency-suppressions.xml +++ b/dependency-suppressions.xml @@ -1,24 +1,3 @@ - - - ^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$ - CVE-2020-7768 - - - - ^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib\-common@1\.4\.0$ - CVE-2020-15824 - - - - ^pkg:maven/org\.apache\.logging\.log4j/log4j\-.*$ - CVE-2022-33915 - diff --git a/pom.xml b/pom.xml index f9535697..4ebc95f7 100644 --- a/pom.xml +++ b/pom.xml @@ -28,16 +28,15 @@ http://github.com/hyperledger/fabric-sdk-java - 1.54.1 - 3.21.12 - 1.73 + 1.56.0 + 3.22.5 + 1.74 4.5.14 - 3.2.0 + 3.4.1 true - 8.1.7.v20160121 UTF-8 - 0.8.8 - 2.19.0 + 0.8.10 + 2.20.0 IntegrationSuite.java gpg @@ -47,7 +46,7 @@ org.apache.maven.plugins maven-checkstyle-plugin - 2.17 + 3.0.0 @@ -81,14 +80,14 @@ io.opentelemetry opentelemetry-bom - 1.23.1 + 1.27.0 pom import io.opentelemetry.instrumentation opentelemetry-instrumentation-bom-alpha - 1.23.0-alpha + 1.27.0-alpha pom import @@ -154,12 +153,12 @@ org.apache.commons commons-compress - 1.22 + 1.23.0 commons-io commons-io - 2.11.0 + 2.13.0 @@ -200,7 +199,7 @@ com.google.api api-common - 2.6.1 + 2.12.0 @@ -214,7 +213,7 @@ org.yaml snakeyaml - 1.33 + 2.0 @@ -298,7 +297,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.0.0-M5 + 3.0.0-M7 ${surefireArgLine} 
@@ -310,7 +309,7 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.0.0-M5 + 3.1.2 ${failsafeArgLine} @@ -357,7 +356,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.8.1 + 3.10.1 1.8 1.8 @@ -609,7 +608,7 @@ pl.project13.maven git-commit-id-plugin - 2.2.6 + 4.9.10 get-the-git-infos @@ -626,7 +625,7 @@ org.apache.maven.plugins maven-jar-plugin - 3.2.0 + 3.3.0 @@ -651,6 +650,26 @@ + + org.apache.maven.plugins + maven-enforcer-plugin + 3.3.0 + + + enforce-maven + + enforce + + + + + 3.2.5 + + + + + + @@ -669,7 +688,7 @@ org.owasp dependency-check-maven - 7.2.1 + 8.3.1 true true diff --git a/src/main/java/org/hyperledger/fabric/sdk/ChaincodeCollectionConfiguration.java b/src/main/java/org/hyperledger/fabric/sdk/ChaincodeCollectionConfiguration.java index 89c6b9e2..fb83d9c8 100644 --- a/src/main/java/org/hyperledger/fabric/sdk/ChaincodeCollectionConfiguration.java +++ b/src/main/java/org/hyperledger/fabric/sdk/ChaincodeCollectionConfiguration.java @@ -42,6 +42,7 @@ import org.hyperledger.fabric.protos.peer.Collection; import org.hyperledger.fabric.sdk.exception.ChaincodeCollectionConfigurationException; import org.hyperledger.fabric.sdk.exception.InvalidArgumentException; +import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.constructor.SafeConstructor; @@ -117,7 +118,7 @@ public static ChaincodeCollectionConfiguration fromYamlStream(InputStream config throw new InvalidArgumentException("ConfigStream must be specified"); } - Yaml yaml = new Yaml(new SafeConstructor()); + Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); List map = yaml.load(configStream); diff --git a/src/main/java/org/hyperledger/fabric/sdk/ChaincodeEndorsementPolicy.java b/src/main/java/org/hyperledger/fabric/sdk/ChaincodeEndorsementPolicy.java index a0256241..1cdbc94b 100644 --- a/src/main/java/org/hyperledger/fabric/sdk/ChaincodeEndorsementPolicy.java +++ b/src/main/java/org/hyperledger/fabric/sdk/ChaincodeEndorsementPolicy.java 
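Review bot: The `new LoaderOptions()` handed to `SafeConstructor` in fromYamlStream is now the only thing bounding what an untrusted collection-config YAML can make the parser do (alias expansion, nesting depth, document size, recursive keys are all governed by its defaults), and the same unconfigured instance is repeated in three other files in this commit, so that policy is set implicitly in four places. A shared package-private factory, e.g. `static Yaml safeYaml() { return new Yaml(new SafeConstructor(new LoaderOptions())); }` with a comment naming the limits it relies on, would make the choice explicit and let a later tightening (or a raise for large connection profiles) happen once. Note that `Yaml(BaseConstructor)` has to pick the loading options up from the constructor for them to apply to `yaml.load` — I believe SnakeYAML 2.x does this, but it is worth confirming rather than assuming. The fromYamlStream method starts before and continues after this hunk.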
@@ -36,6 +36,7 @@ import org.hyperledger.fabric.protos.common.Policies; import org.hyperledger.fabric.protos.common.Policies.SignaturePolicy; import org.hyperledger.fabric.sdk.exception.ChaincodeEndorsementPolicyParseException; +import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.constructor.SafeConstructor; @@ -255,7 +256,7 @@ public static ChaincodeEndorsementPolicy fromYamlFile(Path yamlPolicyFile) throw } private static Policies.SignaturePolicyEnvelope loadPolicyFromYaml(Reader yamlReader) throws ChaincodeEndorsementPolicyParseException { - Yaml yaml = new Yaml(new SafeConstructor()); + Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); Map> load = yaml.load(yamlReader); Map mp = load.get("policy"); diff --git a/src/main/java/org/hyperledger/fabric/sdk/LifecycleChaincodeEndorsementPolicy.java b/src/main/java/org/hyperledger/fabric/sdk/LifecycleChaincodeEndorsementPolicy.java index f02b1fae..ddf13785 100644 --- a/src/main/java/org/hyperledger/fabric/sdk/LifecycleChaincodeEndorsementPolicy.java +++ b/src/main/java/org/hyperledger/fabric/sdk/LifecycleChaincodeEndorsementPolicy.java @@ -11,6 +11,7 @@ import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; +import java.nio.file.Files; import java.nio.file.Path; import java.util.HashMap; import java.util.LinkedHashMap; @@ -28,6 +29,7 @@ import org.hyperledger.fabric.protos.common.Policies.SignaturePolicy; import org.hyperledger.fabric.protos.peer.Policy; import org.hyperledger.fabric.sdk.exception.ChaincodeEndorsementPolicyParseException; +import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.constructor.SafeConstructor; 
@@ -225,8 +227,8 @@ private static IndexedHashMap parseIdentities(Map id // } public static LifecycleChaincodeEndorsementPolicy fromSignaturePolicyYamlFile(Path yamlPolicyFile) throws IOException, ChaincodeEndorsementPolicyParseException { - final Yaml yaml = new Yaml(new SafeConstructor()); - final Map load = (Map) yaml.load(new FileInputStream(yamlPolicyFile.toFile())); + final Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); + final Map load = (Map) yaml.load(Files.newInputStream(yamlPolicyFile.toFile().toPath())); Map mp = (Map) load.get("policy"); diff --git a/src/main/java/org/hyperledger/fabric/sdk/NetworkConfig.java b/src/main/java/org/hyperledger/fabric/sdk/NetworkConfig.java index 8ecd81d6..85767aa1 100755 --- a/src/main/java/org/hyperledger/fabric/sdk/NetworkConfig.java +++ b/src/main/java/org/hyperledger/fabric/sdk/NetworkConfig.java @@ -58,6 +58,7 @@ import org.hyperledger.fabric.sdk.exception.NetworkConfigurationException; import org.hyperledger.fabric.sdk.helper.Utils; import org.hyperledger.fabric.sdk.identity.X509Enrollment; +import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.constructor.SafeConstructor; @@ -302,7 +303,7 @@ public static NetworkConfig fromYamlStream(InputStream configStream) throws Netw throw new IllegalArgumentException("configStream must be specified"); } - Yaml yaml = new Yaml(new SafeConstructor()); + Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); Map map = yaml.load(configStream);
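Review bot: The stream returned by `Files.newInputStream(...)` on the new `load` line is never closed, so each call to fromSignaturePolicyYamlFile holds a file handle until garbage collection (the `FileInputStream` it replaced had the same leak, but this line is being rewritten anyway). The `yamlPolicyFile.toFile().toPath()` round trip is also redundant — `yamlPolicyFile` is already a `Path` — and `Path.toFile()` throws `UnsupportedOperationException` for paths from non-default filesystem providers, which `Files.newInputStream(yamlPolicyFile)` would handle directly. Opening the file in try-with-resources fixes both. If `FileInputStream` is no longer referenced elsewhere in the file, its import (kept in the earlier hunk) is now dead. The method body continues past the end of the hunk.
```java
final Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
final Map load;
try (InputStream in = Files.newInputStream(yamlPolicyFile)) {
    load = (Map) yaml.load(in);
}
// … unchanged: "policy" map extraction …
```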