Description
grpc-testing includes potential security flaws as flagged by veracode within TestUtils.java
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE ID 757)
Description
A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
Effort to Fix: 1 - Trivial implementation error. Fix is up to 5 lines of code. One hour or less to fix.
Recommendations
Do not support SSLv2 or weak SSL/TLS ciphers (i.e. 56-bit key length or less, or other inherent weaknesses).
org/apache/beam/vendor/grpc/v1p36p0/io/grpc/testing/TestUtils.java#136
org/apache/beam/vendor/grpc/v1p36p0/io/grpc/internal/testing/TestUtils.java#231
Moving grpc-testing to its own vendored library that can only be brought in at the test scope would address these security issues. Alternatively, fix the upstream implementations by removing the code.
Imported from Jira BEAM-12833. Original Jira may contain additional context.
Reported by: lcwik.
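The recommendation above (drop SSLv2 and weak cipher suites so a peer cannot negotiate downward) expressed as a hardened JSSE configuration; this is an added example, not code from Beam, gRPC or the flagged TestUtils.java, and the class name, the protocol allow-list and the weak-suite pattern are my own assumptions:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical helper: derives SSLParameters that only offer strong protocols and suites.
public final class StrictTlsParams {
    // Only these protocol versions are offered; SSLv2Hello, SSLv3, TLSv1 and TLSv1.1 are excluded.
    private static final List<String> ALLOWED_PROTOCOLS = List.of("TLSv1.3", "TLSv1.2");

    // Suite names containing any of these markers are treated as weak and dropped:
    // no encryption, anonymous key exchange, export grades, DES (56-bit), 3DES, RC4, MD5 MACs.
    private static final Pattern WEAK = Pattern.compile("_NULL_|_anon_|EXPORT|_DES_|3DES|RC4|_MD5");

    // Partition the JVM's supported suites, keeping only those not matching the weak pattern.
    static List<String> filterCipherSuites(String[] candidates) {
        List<String> kept = new ArrayList<>();
        for (String suite : candidates) {
            if (!WEAK.matcher(suite).find()) {
                kept.add(suite);
            }
        }
        return kept;
    }

    // Start from everything the context supports, then narrow protocols and suites.
    static SSLParameters strictParameters(SSLContext ctx) {
        SSLParameters params = ctx.getSupportedSSLParameters();
        List<String> protocols = new ArrayList<>();
        for (String p : params.getProtocols()) {
            if (ALLOWED_PROTOCOLS.contains(p)) {
                protocols.add(p);
            }
        }
        params.setProtocols(protocols.toArray(new String[0]));
        params.setCipherSuites(filterCipherSuites(params.getCipherSuites()).toArray(new String[0]));
        // On the server side this makes the server's (strongest-first) order win over the client's.
        params.setUseCipherSuitesOrder(true);
        return params;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers; enough to inspect parameters
        SSLParameters strict = strictParameters(ctx);
        System.out.println("protocols: " + String.join(", ", strict.getProtocols()));
        System.out.println("suites kept: " + strict.getCipherSuites().length
            + " of " + ctx.getSupportedSSLParameters().getCipherSuites().length);
    }
}
```

Apply the result with `SSLEngine.setSSLParameters` or `SSLSocket.setSSLParameters` on each connection; the printed counts make it easy to confirm in a test that the weak suites the Veracode finding refers to are no longer offered.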