Update dependencies to address CVE-2022-45688, CVE-2022-1471 (#283)

Signed-off-by: Mark S. Lewis <[email protected]>

dependency-suppressions.xml

@@ -1,24 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[
-        CVE was reported against @grpc/grpc-js npm package, not Java
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$</packageUrl>
-        <cve>CVE-2020-7768</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        CVE was reported in version 1.4-M1 to 1.4-RC and fixed in version 1.4.0
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib\-common@1\.4\.0$</packageUrl>
-        <cve>CVE-2020-15824</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Vulnerability is reported against an AWS hotfix, not the Apache log4j package
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.logging\.log4j/log4j\-.*$</packageUrl>
-        <cve>CVE-2022-33915</cve>
-    </suppress>
 </suppressions>

pom.xml

@@ -28,16 +28,15 @@
         <url>http://github.com/hyperledger/fabric-sdk-java</url>
     </scm>
     <properties>
-        <grpc.version>1.54.1</grpc.version>
-        <protobuf.version>3.21.12</protobuf.version> <!-- Must match version used by grpc-protobuf -->
-        <bouncycastle.version>1.73</bouncycastle.version>
+        <grpc.version>1.56.0</grpc.version>
+        <protobuf.version>3.22.5</protobuf.version> <!-- Must match version used by grpc-protobuf -->
+        <bouncycastle.version>1.74</bouncycastle.version>
         <httpclient.version>4.5.14</httpclient.version>
-        <javadoc.version>3.2.0</javadoc.version>
+        <javadoc.version>3.4.1</javadoc.version>
         <skipITs>true</skipITs>
-        <alpn-boot-version>8.1.7.v20160121</alpn-boot-version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <jacoco.version>0.8.8</jacoco.version>
-        <log4j.version>2.19.0</log4j.version>
+        <jacoco.version>0.8.10</jacoco.version>
+        <log4j.version>2.20.0</log4j.version>
         <org.hyperledger.fabric.sdktest.ITSuite>IntegrationSuite.java</org.hyperledger.fabric.sdktest.ITSuite>
         <gpg.executable>gpg</gpg.executable>
     </properties>
@@ -47,7 +46,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>2.17</version>
+                <version>3.0.0</version>
                 <reportSets>
                     <reportSet>
                         <reports>
@@ -81,14 +80,14 @@
             <dependency>
                 <groupId>io.opentelemetry</groupId>
                 <artifactId>opentelemetry-bom</artifactId>
-                <version>1.23.1</version>
+                <version>1.27.0</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
             <dependency>
                 <groupId>io.opentelemetry.instrumentation</groupId>
                 <artifactId>opentelemetry-instrumentation-bom-alpha</artifactId>
-                <version>1.23.0-alpha</version>
+                <version>1.27.0-alpha</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
@@ -154,12 +153,12 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-compress</artifactId>
-            <version>1.22</version>
+            <version>1.23.0</version>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.11.0</version>
+            <version>2.13.0</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
@@ -200,7 +199,7 @@
         <dependency>
             <groupId>com.google.api</groupId>
             <artifactId>api-common</artifactId>
-            <version>2.6.1</version>
+            <version>2.12.0</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/org.glassfish/javax.json -->
@@ -214,7 +213,7 @@
         <dependency>
             <groupId>org.yaml</groupId>
             <artifactId>snakeyaml</artifactId>
-            <version>1.33</version>
+            <version>2.0</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/org.miracl.milagro.amcl/milagro-crypto-java -->
@@ -298,7 +297,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.0.0-M5</version>
+                <version>3.0.0-M7</version>
                 <configuration>
                     <argLine>${surefireArgLine}</argLine>
                     <includes>
@@ -310,7 +309,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-failsafe-plugin</artifactId>
-                <version>3.0.0-M5</version>
+                <version>3.1.2</version>
                 <configuration>
                     <argLine>${failsafeArgLine}</argLine>
                     <includes>
@@ -357,7 +356,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.8.1</version>
+                <version>3.10.1</version>
                 <configuration>
                     <source>1.8</source>
                     <target>1.8</target>
@@ -609,7 +608,7 @@
             <plugin>
                 <groupId>pl.project13.maven</groupId>
                 <artifactId>git-commit-id-plugin</artifactId>
-                <version>2.2.6</version>
+                <version>4.9.10</version>
                 <executions>
                     <execution>
                         <id>get-the-git-infos</id>
@@ -626,7 +625,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>
-                <version>3.2.0</version>
+                <version>3.3.0</version>
                 <configuration>
                     <archive>
                         <manifestEntries>
@@ -651,6 +650,26 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>3.3.0</version>
+                <executions>
+                    <execution>
+                        <id>enforce-maven</id>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <requireMavenVersion>
+                                    <version>3.2.5</version>
+                                </requireMavenVersion>
+                            </rules>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
     <distributionManagement>
@@ -669,7 +688,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>7.2.1</version>
+                        <version>8.3.1</version>
                         <configuration>
                             <skipProvidedScope>true</skipProvidedScope>
                             <skipTestScope>true</skipTestScope>

src/main/java/org/hyperledger/fabric/sdk/ChaincodeCollectionConfiguration.java

@@ -42,6 +42,7 @@
 import org.hyperledger.fabric.protos.peer.Collection;
 import org.hyperledger.fabric.sdk.exception.ChaincodeCollectionConfigurationException;
 import org.hyperledger.fabric.sdk.exception.InvalidArgumentException;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
 
@@ -117,7 +118,7 @@ public static ChaincodeCollectionConfiguration fromYamlStream(InputStream config
             throw new InvalidArgumentException("ConfigStream must be specified");
         }
 
-        Yaml yaml = new Yaml(new SafeConstructor());
+        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
 
         List<Object> map = yaml.load(configStream);
 

src/main/java/org/hyperledger/fabric/sdk/ChaincodeEndorsementPolicy.java

@@ -36,6 +36,7 @@
 import org.hyperledger.fabric.protos.common.Policies;
 import org.hyperledger.fabric.protos.common.Policies.SignaturePolicy;
 import org.hyperledger.fabric.sdk.exception.ChaincodeEndorsementPolicyParseException;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
 
@@ -255,7 +256,7 @@ public static ChaincodeEndorsementPolicy fromYamlFile(Path yamlPolicyFile) throw
     }
 
     private static Policies.SignaturePolicyEnvelope loadPolicyFromYaml(Reader yamlReader) throws ChaincodeEndorsementPolicyParseException {
-        Yaml yaml = new Yaml(new SafeConstructor());
+        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
         Map<?, Map<?, ?>> load = yaml.load(yamlReader);
 
         Map<?, ?> mp = load.get("policy");

src/main/java/org/hyperledger/fabric/sdk/LifecycleChaincodeEndorsementPolicy.java

@@ -11,6 +11,7 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
@@ -28,6 +29,7 @@
 import org.hyperledger.fabric.protos.common.Policies.SignaturePolicy;
 import org.hyperledger.fabric.protos.peer.Policy;
 import org.hyperledger.fabric.sdk.exception.ChaincodeEndorsementPolicyParseException;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
 
@@ -225,8 +227,8 @@ private static IndexedHashMap<String, MSPPrincipal> parseIdentities(Map<?, ?> id
 //    }
 
     public static LifecycleChaincodeEndorsementPolicy fromSignaturePolicyYamlFile(Path yamlPolicyFile) throws IOException, ChaincodeEndorsementPolicyParseException {
-        final Yaml yaml = new Yaml(new SafeConstructor());
-        final Map<?, ?> load = (Map<?, ?>) yaml.load(new FileInputStream(yamlPolicyFile.toFile()));
+        final Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
+        final Map<?, ?> load = (Map<?, ?>) yaml.load(Files.newInputStream(yamlPolicyFile.toFile().toPath()));
 
         Map<?, ?> mp = (Map<?, ?>) load.get("policy");
 

src/main/java/org/hyperledger/fabric/sdk/NetworkConfig.java

@@ -58,6 +58,7 @@
 import org.hyperledger.fabric.sdk.exception.NetworkConfigurationException;
 import org.hyperledger.fabric.sdk.helper.Utils;
 import org.hyperledger.fabric.sdk.identity.X509Enrollment;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.SafeConstructor;
 
@@ -302,7 +303,7 @@ public static NetworkConfig fromYamlStream(InputStream configStream) throws Netw
             throw new IllegalArgumentException("configStream must be specified");
         }
 
-        Yaml yaml = new Yaml(new SafeConstructor());
+        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
 
         Map<String, Object> map = yaml.load(configStream);