build - suppress unrelated owasp warnings and update azure libraries (C…

…onsensys#981)
usmansaleem · Mar 18, 2024 · 2560b0c · 2560b0c
1 parent 16d301c
commit 2560b0c
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 20 deletions.
diff --git a/build.gradle b/build.gradle
@@ -25,7 +25,7 @@ buildscript {
   }
   dependencies {
     classpath 'tech.pegasys.internal.license.reporter:license-reporter:1.0.1'
-    classpath 'org.owasp:dependency-check-gradle:9.0.2'
+    classpath 'org.owasp:dependency-check-gradle:9.0.10'
   }
 }
 

diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
@@ -1,40 +1,26 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples -->
-    <suppress until="2024-03-16">
+    <suppress until="2024-06-16">
         <notes><![CDATA[
         Suppress CVE-2023-36415 as this should only be applicable on version up to but excluding 1.10.2.
         https://github.com/jeremylong/DependencyCheck/issues/5992
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.11\.[1-9]$</packageUrl>
         <vulnerabilityName>CVE-2023-36415</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Suppress CVE-2023-3782 as Web3Signer doesn't use brotli and the NVD is incorrectly applying against all okhttp packages instead of just brotli one. See discussion in https://github.com/square/okhttp/issues/7738
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/.*$</packageUrl>
-        <cve>CVE-2023-3782</cve>
-    </suppress>
-    <suppress until="2024-03-16">
+    <suppress until="2024-06-16">
         <notes><![CDATA[
         FP per issue #6100 - CVE-2023-36052 since it is related to Azure-cli not to the azure-core libraries
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.azure/azure*@*.*$</packageUrl>
         <cve>CVE-2023-36052</cve>
     </suppress>
-    <suppress until="2024-03-16">
+    <suppress until="2024-06-16">
         <notes><![CDATA[
         CVE relates to attach on gRPC servers (not clients) and is dependent on the Netty version used
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*$</packageUrl>
         <cve>CVE-2023-44487</cve>
     </suppress>
-    <suppress until="2024-03-16">
-        <notes><![CDATA[
-        CVE relates to usage hostname verification when using TLS and doesn't apply as we use Tuweni for this
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.vertx/vertx\-core@.*$</packageUrl>
-        <cve>CVE-2023-4586</cve>
-    </suppress>
 </suppressions>
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -126,11 +126,11 @@ dependencyManagement {
     dependency 'com.github.arteam:simple-json-rpc-server:1.3'
     dependency 'com.github.arteam:simple-json-rpc-client:1.3'
 
-    dependencySet(group: 'com.azure', version: '4.7.3') {
+    dependencySet(group: 'com.azure', version: '4.8.0') {
       entry 'azure-security-keyvault-secrets'
       entry 'azure-security-keyvault-keys'
     }
-    dependency 'com.azure:azure-identity:1.11.1'
+    dependency 'com.azure:azure-identity:1.11.4'
 
     dependency 'com.zaxxer:HikariCP:5.0.1'
     dependency 'org.postgresql:postgresql:42.7.2'