This repository has been archived by the owner on Apr 5, 2024. It is now read-only.

Fix reported security vulnerabilities #415

Closed
lucassaldanha opened this issue Jan 12, 2022 · 7 comments · Fixed by #419
Assignees
Labels
TeamGroot Identifies a given issue is assigned to the Groot Team

Comments

@lucassaldanha
Member

lucassaldanha commented Jan 12, 2022

  • Update dependencies
  • Validate results on Sonarcube
  • Includes update to Vertx 4


@usmansaleem
Contributor

usmansaleem added the TeamGroot label Jan 12, 2022
@macfarla
Contributor

This one can be ignored for now: Protobuf has a recent vulnerability, CVE-2021-22569, released on 10 Jan, so a CPE is not provided yet.
Also, the netty-handler one can be considered LOW (Sonatype bugs after exploitation).

usmansaleem self-assigned this Jan 14, 2022
jframe closed this as completed Jan 20, 2022
@usmansaleem
Contributor

Fixed by #419

usmansaleem linked a pull request Jan 23, 2022 that will close this issue
lucassaldanha reopened this Feb 2, 2022
@lucassaldanha
Member Author

After a new scan, there were still a few violations that we want to deal with.

@macfarla
Contributor

macfarla commented Feb 2, 2022

See #432 and #433.
This should solve jnr-posix and will bring protobuf to 3.19, in line with besu.
The gson dependency comes from tuweni 2.0.0 via besu 21.10.9, hence this can be solved by updating to besu 22.1.0 when it is released.
guava: there is no update for this as yet. https://mvnrepository.com/artifact/com.google.guava/guava
grpc-core and netty are in line with besu 21.10.9.

@lucassaldanha
Member Author

We are waiting for the Besu 22.1.0 release to finalise this work in EthSigner.

macfarla removed the blocked label Feb 20, 2022
@macfarla
Contributor

Besu 22.1.0 and EthSigner 22.1.0 have been released.
