Merge branch 'master' into skisel-bt/676-google-secret-manager-support

Consensys · Oct 19, 2023 · 876de61 · 876de61
2 parents 617535f + 98b698a
commit 876de61
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 29 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -64,15 +64,14 @@ executors:
   machine_executor_amd64:
     machine:
       image: ubuntu-2204:current # https://circleci.com/developer/machine/image/ubuntu-2204
-      docker_layer_caching: true
     working_directory: ~/project
     environment:
       architecture: "amd64"
       platform: "linux/amd64"
 
   trivy_executor:
     docker:
-      - image: docker:stable-git
+      - image: cimg/base:current
         auth:
           <<: *docker-auth
     resource_class: small
@@ -313,24 +312,16 @@ jobs:
     executor: trivy_executor
     steps:
       - prepare
-      - setup_remote_docker:
-          docker_layer_caching: false
       - run:
           name: Install trivy
-          command: |
-            apk add --update-cache --upgrade curl bash
-            curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-      # remove the test files and only use the folder names
+          command: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b $HOME/bin
+      # scan both develop-arm64 and develop-amd64 images using remote src.
       - run:
           name: Scan with trivy
           shell: /bin/sh
           command: |
-            rm -rf docker/test*
-            for FILE in $(ls docker)
-            do
-              docker pull -q "consensys/web3signer:develop-$FILE"
-              trivy -q image --exit-code 1 --no-progress --severity HIGH,CRITICAL --ignorefile "gradle/trivyignore.txt" --timeout 10m "consensys/web3signer:develop-$FILE" 
-            done
+            $HOME/bin/trivy image consensys/web3signer:develop-arm64 --image-src remote --exit-code 1 --quiet --no-progress --severity HIGH,CRITICAL --ignorefile "gradle/trivyignore.txt" --timeout 10m
+            $HOME/bin/trivy image consensys/web3signer:develop-amd64 --image-src remote --exit-code 1 --quiet --no-progress --severity HIGH,CRITICAL --ignorefile "gradle/trivyignore.txt" --timeout 10m
       - notify
 
   publishOpenApiSpec:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## Next version
+
+### Bugs fixed
+- Update netty to fix CVE-2023-44487
+
 ## 23.9.1
 
 ### Breaking Changes

diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
@@ -1,18 +1,13 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples -->
-    <suppress until="2023-12-12">
+    <suppress until="2023-12-16">
         <notes><![CDATA[
-        Temporary suppression, as it's arguably a false positive: https://github.com/netty/netty/issues/8537#issuecomment-1527896917
-        The correct thing to do is ensure hostname verification is enabled: https://codetinkering.com/enable-hostname-verification-netty/
-        This is indeed the case for Azure, which is the netty-handler: https://github.com/Azure/azure-sdk-for-java/issues/18286#issuecomment-947958978
-        Also see: https://github.com/jeremylong/DependencyCheck/issues/5912
-        The other vulnerable lib is besu-metrics, which might want looking at, will see if this CVE gets flagged in besu first
-        file name: netty-handler-4.1.97.Final.jar
+        Suppress CVE-2023-36415 as this should only be applicable on version up to but excluding 1.10.2.
         ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty*@*.*$</packageUrl>
-        <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
-     </suppress>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.10\.[2-9]$</packageUrl>
+        <vulnerabilityName>CVE-2023-36415</vulnerabilityName>
+    </suppress>
     <suppress>
         <notes><![CDATA[
         Suppress CVE-2023-35116 as this is not considered a CVE according to discussion in https://github.com/FasterXML/jackson-databind/issues/3972

diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -126,12 +126,12 @@ dependencyManagement {
     dependency 'com.github.arteam:simple-json-rpc-server:1.3'
     dependency 'com.github.arteam:simple-json-rpc-client:1.3'
 
-    dependencySet(group: 'com.azure', version: '4.6.3') {
+    dependencySet(group: 'com.azure', version: '4.7.0') {
       entry 'azure-security-keyvault-secrets'
       entry 'azure-security-keyvault-keys'
     }
-    dependency 'com.azure:azure-identity:1.9.2'
-    dependency 'com.azure:azure-core-http-netty:1.13.5'
+    dependency 'com.azure:azure-identity:1.10.3'
+    dependency 'com.azure:azure-core-http-netty:1.13.8'
 
     dependency 'com.zaxxer:HikariCP:5.0.1'
     dependency 'org.postgresql:postgresql:42.5.3'
@@ -185,12 +185,18 @@ dependencyManagement {
     // addresses CVE-2023-3635
     dependency 'com.squareup.okio:okio:3.4.0'
 
-    // addressing CVE-2022-41881, CVE-2022-41915, CVE-2023-34462
-    dependencySet(group: 'io.netty', version: '4.1.97.Final') {
+    // addressing CVE-2023-44487
+    dependencySet(group: 'io.netty', version: '4.1.100.Final') {
       entry 'netty-all'
+      entry 'netty-codec-http2'
       entry 'netty-handler'
+      entry 'netty-handler-proxy'
       entry 'netty-resolver-dns'
       entry 'netty-transport'
+      entry 'netty-transport-classes-epoll'
+      entry 'netty-transport-classes-kqueue'
+      entry 'netty-transport-native-epoll'
+      entry 'netty-transport-native-kqueue'
       entry 'netty-resolver-dns-native-macos'
     }