fix dependency check

hypertrace · Dec 6, 2023 · 61750ec · 61750ec
1 parent 5336c3b
commit 61750ec
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 13 deletions.
diff --git a/gateway-service-impl/build.gradle.kts b/gateway-service-impl/build.gradle.kts
@@ -33,8 +33,8 @@ dependencies {
   implementation("com.google.guava:guava:32.1.2-jre")
   implementation("com.google.inject:guice:5.0.1")
 
-  implementation("com.fasterxml.jackson.core:jackson-annotations:2.15.2")
-  implementation("com.fasterxml.jackson.core:jackson-databind:2.15.2")
+  implementation("com.fasterxml.jackson.core:jackson-annotations:2.16.0")
+  implementation("com.fasterxml.jackson.core:jackson-databind:2.16.0")
 
   testImplementation("org.junit.jupiter:junit-jupiter:5.8.2")
   testImplementation("org.mockito:mockito-junit-jupiter:5.4.0")

diff --git a/...java/org/hypertrace/gateway/service/common/converters/StringToAttributeKindConverter.java b/...java/org/hypertrace/gateway/service/common/converters/StringToAttributeKindConverter.java
@@ -25,7 +25,7 @@ public class StringToAttributeKindConverter extends ToAttributeKindConverter<Str
   public static final StringToAttributeKindConverter INSTANCE =
       new StringToAttributeKindConverter();
   private static final String STRING_ARRAY_NULL_VALUE = "null";
-  private static final List<String> LIST_WITH_NULL_VALUE = List.of("null");
+  private static final List<String> LIST_WITH_NULL_STRING_VALUE = List.of("null");
   private final ObjectMapper objectMapper = new ObjectMapper();
 
   private StringToAttributeKindConverter() {}
@@ -97,7 +97,7 @@ private List<String> convertToArray(String jsonString) {
     // handle special case when "null" string is returned as string array value(default value
     // scenario). "null" is still a valid value, and should be converted to list with "null" value
     if (STRING_ARRAY_NULL_VALUE.equals(jsonString)) {
-      return LIST_WITH_NULL_VALUE;
+      return LIST_WITH_NULL_STRING_VALUE;
     }
 
     // Check if the string is already in a list format.

diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
@@ -9,15 +9,7 @@
     <cpe>cpe:/a:utils_project:utils</cpe>
     <cpe>cpe:/a:service_project:service</cpe>
   </suppress>
-  <suppress until="2023-07-31Z">
-    <notes><![CDATA[
-   Doesn't appear to be a real vulnerability, jackson maintainers discuss at https://github.com/FasterXML/jackson-databind/issues/3973
-   Revisit when suppression expires
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-    <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
-  </suppress>
-  <suppress until="2023-11-30Z">
+  <suppress until="2023-12-31Z">
     <notes><![CDATA[
   This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
   than the transport. The change in default is under consideration for the next major Netty release, revisit then.
@@ -29,4 +21,13 @@
     <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
     <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
   </suppress>
+  <suppress until="2023-12-31Z">
+    <notes><![CDATA[
+   This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
+   addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
+   Ref: https://github.com/grpc/grpc-java/pull/10675
+   ]]></notes>
+      <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
+    <cve>CVE-2023-44487</cve>
+  </suppress>
 </suppressions>