Update dependencies to address security vulnerabilities

- CVE-2022-25647 - CVE-2023-2976 - CVE-2020-8908 Also: - Update Gradle wrapper version to resolve Gradle bug in handling certain dependency JAR files. - Update Gradle shadowJar plugin to v8.1.1. - Add mergeServiceFiles() to test chaincode shadowJar Gradle tasks to resolve an issue with incorrect class versions being loaded from dependencies. - Add ServicesResourceTransformer to test chaincode maven-shade-plugin Maven plugin configuration to resolve an issue with incorrect class versions being loaded from dependencies. - Tidy-up integration test contract dependencies Signed-off-by: Mark S. Lewis <[email protected]>
hyperledger · Aug 22, 2023 · 37f9346 · 37f9346
1 parent 3b5b2cb
commit 37f9346
Show file tree

Hide file tree

Showing 39 changed files with 468 additions and 341 deletions.
diff --git a/dependency-suppression.xml b/dependency-suppression.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+        Core Fabric Go implementation vulnerability, not fabric-protos.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.hyperledger\.fabric/fabric\-protos@.*$</packageUrl>
+        <cve>CVE-2022-31121</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Core Fabric Go implementation vulnerability, not fabric-protos.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.hyperledger\.fabric/fabric\-protos@.*$</packageUrl>
+        <cve>CVE-2022-36023</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Vulnerability in C++ gRPC implementation.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$</packageUrl>
+        <cve>CVE-2023-33953</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Vulnerability in C++ gRPC implementation.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$</packageUrl>
+        <cve>CVE-2023-32732</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Vulnerability in hutool-json, which is not used.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+        <cve>CVE-2022-45688</cve>
+    </suppress>
+</suppressions>
diff --git a/examples/fabric-contract-example-as-service/build.gradle b/examples/fabric-contract-example-as-service/build.gradle
@@ -1,5 +1,5 @@
 plugins {
-    id 'com.github.johnrengelman.shadow' version '2.0.3'
+    id 'com.github.johnrengelman.shadow' version '8.1.1'
     id 'java'
 }
 
@@ -21,7 +21,7 @@ repositories {
 
 dependencies {
     compile group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '2.3.+'
-    compile group: 'org.json', name: 'json', version: '20180813'
+    compile 'org.json:json:20230618'
     testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     testImplementation 'org.assertj:assertj-core:3.11.1'
     testImplementation 'org.mockito:mockito-core:2.+'
@@ -31,6 +31,7 @@ shadowJar {
     baseName = 'chaincode'
     version = null
     classifier = null
+    mergeServiceFiles()
 
     manifest {
         attributes 'Main-Class': 'org.example.Application'

diff --git a/examples/fabric-contract-example-gradle-kotlin/build.gradle.kts b/examples/fabric-contract-example-gradle-kotlin/build.gradle.kts
@@ -5,7 +5,7 @@ import com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar
 
 
 plugins {
-    id("com.github.johnrengelman.shadow") version "5.2.0"
+    id("com.github.johnrengelman.shadow") version "8.1.1"
     id("org.jetbrains.kotlin.jvm") version "1.3.41"
 }
 
@@ -20,7 +20,7 @@ java {
 
 dependencies {
     implementation("org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.0")
-    implementation("org.json:json:20180813")
+    implementation("org.json:json:20230618")
     implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
 
     testImplementation("org.junit.jupiter:junit-jupiter:5.4.2")
@@ -44,6 +44,7 @@ tasks {
         baseName = "chaincode"
         version = null
         classifier = null
+        mergeServiceFiles()
         manifest {
             attributes(mapOf("Main-Class" to "org.hyperledger.fabric.contract.ContractRouter"))
         }

diff --git a/examples/fabric-contract-example-gradle/build.gradle b/examples/fabric-contract-example-gradle/build.gradle
@@ -1,5 +1,5 @@
 plugins {
-    id 'com.github.johnrengelman.shadow' version '2.0.3'
+    id 'com.github.johnrengelman.shadow' version '8.1.1'
     id 'java'
 }
 
@@ -21,7 +21,7 @@ repositories {
 
 dependencies {
     compile group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '2.5.0'
-    compile group: 'org.json', name: 'json', version: '20180813'
+    compile 'org.json:json:20230618'
     testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     testImplementation 'org.assertj:assertj-core:3.11.1'
     testImplementation 'org.mockito:mockito-core:2.+'
@@ -31,6 +31,7 @@ shadowJar {
     baseName = 'chaincode'
     version = null
     classifier = null
+    mergeServiceFiles()
 
     manifest {
         attributes 'Main-Class': 'org.hyperledger.fabric.contract.ContractRouter'

diff --git a/examples/ledger-api/build.gradle b/examples/ledger-api/build.gradle
@@ -1,5 +1,5 @@
 plugins {
-    id 'com.github.johnrengelman.shadow' version '2.0.3'
+    id 'com.github.johnrengelman.shadow' version '8.1.1'
     id 'java'
 }
 
@@ -21,7 +21,7 @@ repositories {
 
 dependencies {
     compile group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '1.4.5'
-    compile group: 'org.json', name: 'json', version: '20180813'
+    compile 'org.json:json:20230618'
     testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     testImplementation 'org.assertj:assertj-core:3.11.1'
     testImplementation 'org.mockito:mockito-core:2.+'
@@ -31,6 +31,7 @@ shadowJar {
     baseName = 'chaincode'
     version = null
     classifier = null
+    mergeServiceFiles()
 
     manifest {
         attributes 'Main-Class': 'org.hyperledger.fabric.contract.ContractRouter'

diff --git a/fabric-chaincode-integration-test/build.gradle b/fabric-chaincode-integration-test/build.gradle
@@ -1,7 +1,7 @@
 dependencies {
     implementation project(':fabric-chaincode-docker')
     implementation project(':fabric-chaincode-shim')
-    implementation group: 'org.json', name: 'json', version: '20180813'
+    implementation 'org.json:json:20230618'
 }
 
 

diff --git a/fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle b/fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle
@@ -1,5 +1,5 @@
 plugins {
-    id 'com.github.johnrengelman.shadow' version '5.1.0'
+    id 'com.github.johnrengelman.shadow' version '8.1.1'
     id 'java'
 }
 
@@ -18,18 +18,15 @@ repositories {
 }
 
 dependencies {
-    implementation group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '2.5.1'
-    implementation group: 'org.hyperledger.fabric', name:'fabric-protos', version:'0.1.3'
-    testImplementation group: 'junit', name: 'junit', version: '4.12'
-    implementation group: 'commons-logging', name: 'commons-logging', version: '1.2'
-    implementation group: 'com.google.code.gson', name: 'gson', version: '2.8.6'
-    implementation group: 'com.google.protobuf', name: 'protobuf-java', version: '3.4.0'
+    implementation'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.1'
+    implementation 'org.hyperledger.fabric:fabric-protos:0.2.+'
 }
 
 shadowJar {
     baseName = 'chaincode'
     version = null
     classifier = null
+    mergeServiceFiles()
 
     manifest {
         attributes 'Main-Class': 'org.hyperledger.fabric.contract.ContractRouter'

diff --git a/...st/src/contracts/bare-gradle/src/main/java/org/hyperledger/fabric/example/BareGradle.java b/...st/src/contracts/bare-gradle/src/main/java/org/hyperledger/fabric/example/BareGradle.java
@@ -5,14 +5,12 @@
 
 import org.hyperledger.fabric.contract.Context;
 import org.hyperledger.fabric.contract.ContractInterface;
-import org.hyperledger.fabric.contract.annotation.*;
-import org.hyperledger.fabric.metrics.Metrics;
-import org.hyperledger.fabric.metrics.MetricsProvider;
-import org.hyperledger.fabric.shim.ledger.*;
-import org.hyperledger.fabric.shim.*;
-
-import java.util.*;
-import static java.nio.charset.StandardCharsets.UTF_8;
+import org.hyperledger.fabric.contract.annotation.Contact;
+import org.hyperledger.fabric.contract.annotation.Contract;
+import org.hyperledger.fabric.contract.annotation.Default;
+import org.hyperledger.fabric.contract.annotation.Info;
+import org.hyperledger.fabric.contract.annotation.License;
+import org.hyperledger.fabric.contract.annotation.Transaction;
 
 @Contract(name = "BareGradle",
     info = @Info(title = "BareGradle contract",

diff --git a/fabric-chaincode-integration-test/src/contracts/bare-maven/pom.xml b/fabric-chaincode-integration-test/src/contracts/bare-maven/pom.xml
@@ -14,14 +14,6 @@
 		<!-- fabric-chaincode-java -->
 		<fabric-chaincode-java.version>2.5.1</fabric-chaincode-java.version>
 
-		<!-- Logging -->
-		<logback.version>1.2.0</logback.version>
-		<slf4j.version>1.7.5</slf4j.version>
-
-		<!-- Test -->
-		<junit.jupiter.version>5.3.0-RC1</junit.jupiter.version>
-		<junit.platform.version>1.3.0-RC1</junit.platform.version>
-
 	</properties>
 
     <repositories>
@@ -49,75 +41,13 @@
 			<scope>compile</scope>
 		</dependency>
 
-		<dependency>
-			<groupId>org.hyperledger.fabric</groupId>
-			<artifactId>fabric-protos</artifactId>
-			<version>0.1.3</version>
-			<scope>compile</scope>
-		</dependency>
-
-
-		<!-- fabric-sdk-java -->
-
-		<!-- Logging with SLF4J & LogBack -->
-		<dependency>
-			<groupId>org.slf4j</groupId>
-			<artifactId>slf4j-api</artifactId>
-			<version>${slf4j.version}</version>
-			<scope>compile</scope>
-		</dependency>
-		<dependency>
-			<groupId>ch.qos.logback</groupId>
-			<artifactId>logback-classic</artifactId>
-			<version>${logback.version}</version>
-			<scope>runtime</scope>
-		</dependency>
-
-		<!-- Test Artifacts -->
-		<dependency>
-			<groupId>org.junit.jupiter</groupId>
-			<artifactId>junit-jupiter-api</artifactId>
-			<version>${junit.jupiter.version}</version>
-			<scope>compile</scope>
-		</dependency>
-		<dependency>
-			<groupId>org.junit.jupiter</groupId>
-			<artifactId>junit-jupiter-params</artifactId>
-			<version>${junit.jupiter.version}</version>
-			<scope>test</scope>
-		</dependency>
-		<dependency>
-			<groupId>org.junit.jupiter</groupId>
-			<artifactId>junit-jupiter-engine</artifactId>
-			<version>${junit.jupiter.version}</version>
-			<scope>test</scope>
-		</dependency>
-<!-- https://mvnrepository.com/artifact/org.mockito/mockito-core -->
-<dependency>
-    <groupId>org.mockito</groupId>
-    <artifactId>mockito-core</artifactId>
-    <version>2.10.0</version>
-</dependency>
-
-		<!-- https://mvnrepository.com/artifact/org.json/json -->
-		<dependency>
-			<groupId>org.json</groupId>
-			<artifactId>json</artifactId>
-			<version>20180813</version>
-		</dependency>
-
 	</dependencies>
 	<build>
 		<sourceDirectory>src</sourceDirectory>
 		<plugins>
-					<!-- JUnit 5 requires Surefire version 2.22.0 or higher -->
-			<plugin>
-				<artifactId>maven-surefire-plugin</artifactId>
-				<version>2.22.0</version>
-			</plugin>
 			<plugin>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.1</version>
+				<version>3.11.0</version>
 				<configuration>
 					<source>${java.version}</source>
 					<target>${java.version}</target>
@@ -126,7 +56,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-shade-plugin</artifactId>
-				<version>3.1.0</version>
+				<version>3.5.0</version>
 				<executions>
 					<execution>
 						<phase>package</phase>
@@ -136,6 +66,7 @@
 						<configuration>
 							<finalName>chaincode</finalName>
 							<transformers>
+								<transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
 								<transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
 									<mainClass>org.hyperledger.fabric.contract.ContractRouter</mainClass>
 								</transformer>
@@ -158,5 +89,4 @@
 		</plugins>
 	</build>
 
-
 </project>
diff --git a/...test/src/contracts/bare-maven/src/main/java/org/hyperledger/fabric/example/BareMaven.java b/...test/src/contracts/bare-maven/src/main/java/org/hyperledger/fabric/example/BareMaven.java
@@ -5,14 +5,12 @@
 
 import org.hyperledger.fabric.contract.Context;
 import org.hyperledger.fabric.contract.ContractInterface;
-import org.hyperledger.fabric.contract.annotation.*;
-import org.hyperledger.fabric.metrics.Metrics;
-import org.hyperledger.fabric.metrics.MetricsProvider;
-import org.hyperledger.fabric.shim.ledger.*;
-import org.hyperledger.fabric.shim.*;
-
-import java.util.*;
-import static java.nio.charset.StandardCharsets.UTF_8;
+import org.hyperledger.fabric.contract.annotation.Contact;
+import org.hyperledger.fabric.contract.annotation.Contract;
+import org.hyperledger.fabric.contract.annotation.Default;
+import org.hyperledger.fabric.contract.annotation.Info;
+import org.hyperledger.fabric.contract.annotation.License;
+import org.hyperledger.fabric.contract.annotation.Transaction;
 
 @Contract(name = "BareMaven",
     info = @Info(title = "BareGradle contract",

diff --git a/fabric-chaincode-integration-test/src/contracts/fabric-ledger-api/build.gradle b/fabric-chaincode-integration-test/src/contracts/fabric-ledger-api/build.gradle
@@ -1,5 +1,5 @@
 plugins {
-    id 'com.github.johnrengelman.shadow' version '5.1.0'
+    id 'com.github.johnrengelman.shadow' version '8.1.1'
     id 'java'
 }
 
@@ -18,14 +18,15 @@ repositories {
 }
 
 dependencies {
-    implementation group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '2.5.1'
-    testImplementation group: 'junit', name: 'junit', version: '4.12'
+    implementation'org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.1'
+    implementation 'org.hyperledger.fabric:fabric-protos:0.2.+'
 }
 
 shadowJar {
     baseName = 'chaincode'
     version = null
     classifier = null
+    mergeServiceFiles()
 
     manifest {
         attributes 'Main-Class': 'org.hyperledger.fabric.contract.ContractRouter'

diff --git a/...incode-integration-test/src/contracts/fabric-ledger-api/gradle/wrapper/gradle-wrapper.jar b/...incode-integration-test/src/contracts/fabric-ledger-api/gradle/wrapper/gradle-wrapper.jar
diff --git a/...integration-test/src/contracts/fabric-ledger-api/gradle/wrapper/gradle-wrapper.properties b/...integration-test/src/contracts/fabric-ledger-api/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.2-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists