chore: clean up vulnerabilities, move to owasp scan

.github/CODEOWNERS

@@ -1,7 +1,7 @@
 # Each line is a file pattern followed by one or more owners.
 
 # global
-* @buchi-busireddy @tim-mwangi @surajpuvvada @avinashkolluru
+* @hypertrace/platform-util-owners
 
 # GH action
-.github/ @aaron-steinfeld @jbahire @kotharironak @buchi-busireddy
+.github/ @hypertrace/ci-owners

.github/workflows/pr-build.yml

@@ -4,53 +4,22 @@ on:
     branches:
       - main
   pull_request_target:
-    branches: 
+    branches:
       - main
 
 jobs:
-
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
+      # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           ref: ${{github.event.pull_request.head.ref}}
           repository: ${{github.event.pull_request.head.repo.full_name}}
           fetch-depth: 0
-
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        id: cache-packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
 
       - name: Build with Gradle
         uses: hypertrace/github-actions/gradle@main
-        with: 
-          args: build
-
-  snyk-scan:
-    runs-on: ubuntu-20.04
-    steps:
-    # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
-      - name: Check out code
-        uses: actions/checkout@v2.3.4
         with:
-          ref: ${{github.event.pull_request.head.ref}}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          fetch-depth: 0
-      - name: Setup snyk
-        uses: snyk/actions/setup@0.3.0
-      - name: Snyk test
-        run: snyk test --all-sub-projects --org=hypertrace --severity-threshold=low --policy-path=.snyk --configuration-matching='^runtimeClasspath$'
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          args: build

.github/workflows/pr-test.yml

@@ -7,54 +7,46 @@ on:
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
+      # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        id: cache-packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
 
       - name: Unit test
         uses: hypertrace/github-actions/gradle@main
-        with: 
+        with:
           args: jacocoTestReport
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
         with:
           name: unit test reports
           fail_ci_if_error: true
           flags: unit
 
       - name: copy test reports
         uses: hypertrace/github-actions/gradle@main
-        with: 
+        with:
           args: copyAllReports --output-dir=/tmp/test-reports
 
       - name: Archive test reports
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v3
         with:
           name: test-reports
           path: /tmp/test-reports
         if: always()
-     
+
       - name: Publish Unit Test Results
         uses: docker://ghcr.io/enricomi/publish-unit-test-result-action:v1.6
         if: always()
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           files: ./**/build/test-results/**/*.xml
+  dependency-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Dependency Check
+        uses: hypertrace/github-actions/dependency-check@main

.github/workflows/publish.yml

@@ -1,36 +1,24 @@
 name: Publish artifacts
 on:
-# Will only run when release is published. 
+  # Will only run when release is published.
   release:
-    types: 
+    types:
       - created
   workflow_dispatch:
 
 jobs:
   publish-artifacts:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       # Set fetch-depth: 0 to fetch commit history and tags for use in version calculation
       - name: Check out code
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - name: create checksum file
-        uses: hypertrace/github-actions/checksum@main
-
-      - name: Cache packages
-        uses: actions/cache@v2
-        with:
-          path: ~/.gradle
-          key: gradle-packages-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/checksum.txt') }}
-          restore-keys: |
-            gradle-packages-${{ runner.os }}-${{ github.job }}
-            gradle-packages-${{ runner.os }}
-
       - name: publish java artifacts
         uses: hypertrace/github-actions/gradle@main
-        with: 
+        with:
           args: publish
         env:
           ORG_GRADLE_PROJECT_artifactory_contextUrl: ${{ secrets.ARTIFACTORY_CONTEXT_URL }}

build.gradle.kts

@@ -7,6 +7,7 @@ plugins {
   id("org.hypertrace.publish-plugin") version "1.0.2" apply false
   id("org.hypertrace.jacoco-report-plugin") version "0.2.0" apply false
   id("org.hypertrace.code-style-plugin") version "1.1.2" apply false
+  id("org.owasp.dependencycheck") version "8.2.1"
 }
 
 subprojects {
@@ -25,3 +26,10 @@ subprojects {
     }
   }
 }
+
+dependencyCheck {
+  format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString()
+  suppressionFile = "owasp-suppressions.xml"
+  scanConfigurations.add("runtimeClasspath")
+  failBuildOnCVSS = 3.0F
+}

owasp-suppressions.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <notes><![CDATA[
+   Any hypertrace dep
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.hypertrace\..*@.*$</packageUrl>
+    <cpe>cpe:/a:grpc:grpc</cpe>
+    <cpe>cpe:/a:utils_project:utils</cpe>
+  </suppress>
+</suppressions> 

platform-grpc-service-framework/build.gradle.kts

@@ -7,10 +7,10 @@ plugins {
 
 dependencies {
   api(project(":platform-service-framework"))
-  api(platform("io.grpc:grpc-bom:1.52.1"))
+  api(platform("io.grpc:grpc-bom:1.56.0"))
   api("io.grpc:grpc-api")
   api("io.grpc:grpc-services")
-  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.11.2")
+  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.0")
   api("com.typesafe:config:1.4.2")
   api(project(":service-framework-spi"))
 
@@ -19,5 +19,5 @@ dependencies {
 
   implementation(project(":platform-metrics"))
   implementation("org.slf4j:slf4j-api:1.7.36")
-  implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.11.2")
+  implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.0")
 }

platform-http-service-framework/build.gradle.kts

@@ -5,7 +5,7 @@ plugins {
 
 dependencies {
   api(project(":platform-service-framework"))
-  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.11.2")
+  api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.0")
   api("com.typesafe:config:1.4.2")
   api("javax.servlet:javax.servlet-api:4.0.1")
   api("com.google.inject:guice:5.1.0")
@@ -15,9 +15,9 @@ dependencies {
   implementation("org.slf4j:slf4j-api:1.7.36")
   implementation("com.google.inject.extensions:guice-servlet:5.1.0")
   implementation("com.google.guava:guava:31.1-jre")
-  implementation("org.eclipse.jetty:jetty-servlet:9.4.50.v20221201")
-  implementation("org.eclipse.jetty:jetty-server:9.4.50.v20221201")
-  implementation("org.eclipse.jetty:jetty-servlets:9.4.50.v20221201")
+  implementation("org.eclipse.jetty:jetty-servlet:9.4.51.v20230217")
+  implementation("org.eclipse.jetty:jetty-server:9.4.51.v20230217")
+  implementation("org.eclipse.jetty:jetty-servlets:9.4.51.v20230217")
 
   annotationProcessor("org.projectlombok:lombok:1.18.24")
   compileOnly("org.projectlombok:lombok:1.18.24")

platform-metrics/build.gradle.kts

@@ -24,8 +24,8 @@ dependencies {
   implementation("io.prometheus:simpleclient_dropwizard:0.12.0")
   implementation("io.prometheus:simpleclient_servlet:0.12.0")
   implementation("io.prometheus:simpleclient_pushgateway:0.12.0")
-  implementation("org.eclipse.jetty:jetty-servlet:9.4.50.v20221201")
-  implementation("com.google.guava:guava:31.1-jre")
+  implementation("org.eclipse.jetty:jetty-servlet:9.4.51.v20230217")
+  implementation("com.google.guava:guava:32.0.1-jre")
 
   testImplementation("org.junit.jupiter:junit-jupiter:5.9.0")
   testImplementation("org.mockito:mockito-core:4.8.0")

platform-service-framework/build.gradle.kts

@@ -23,7 +23,7 @@ dependencies {
       because("version 2.12.7.1 has a vulnerability https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424")
     }
   }
-  implementation("org.eclipse.jetty:jetty-servlet:9.4.50.v20221201")
+  implementation("org.eclipse.jetty:jetty-servlet:9.4.51.v20230217")
 
   // Use for metrics servlet
   implementation("io.prometheus:simpleclient_servlet:0.12.0")
@@ -40,6 +40,6 @@ dependencies {
   testImplementation("org.apache.logging.log4j:log4j-slf4j-impl:2.19.0")
   testImplementation("org.junit.jupiter:junit-jupiter:5.9.0")
   testImplementation("org.mockito:mockito-core:4.8.0")
-  testImplementation("org.eclipse.jetty:jetty-servlet:9.4.50.v20221201:tests")
-  testImplementation("org.eclipse.jetty:jetty-http:9.4.50.v20221201:tests")
+  testImplementation("org.eclipse.jetty:jetty-servlet:9.4.51.v20230217:tests")
+  testImplementation("org.eclipse.jetty:jetty-http:9.4.51.v20230217:tests")
 }