Merging the updates from upstream

gateway-service-api/build.gradle.kts

@@ -17,7 +17,7 @@ protobuf {
     // the identifier, which can be referred to in the "plugins"
     // container of the "generateProtoTasks" closure.
     id("grpc_java") {
-      artifact = "io.grpc:protoc-gen-grpc-java:1.57.2"
+      artifact = "io.grpc:protoc-gen-grpc-java:1.60.0"
     }
   }
   generateProtoTasks {
@@ -39,7 +39,7 @@ sourceSets {
 }
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.57.2"))
+  api(platform("io.grpc:grpc-bom:1.60.0"))
   api("io.grpc:grpc-protobuf")
   api("io.grpc:grpc-stub")
   api("javax.annotation:javax.annotation-api:1.3.2")

gateway-service-factory/build.gradle.kts

@@ -3,7 +3,7 @@ plugins {
 }
 
 dependencies {
-  api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.62")
+  api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.64")
 
   implementation(project(":gateway-service-impl"))
 }

gateway-service-impl/build.gradle.kts

@@ -20,8 +20,8 @@ dependencies {
 
   implementation("org.hypertrace.entity.service:entity-service-client:0.8.87")
   implementation("org.hypertrace.entity.service:entity-service-api:0.8.87")
-  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.5")
-  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.5")
+  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.13.1")
+  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.1")
   implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.58")
 
   // Config
@@ -41,5 +41,5 @@ dependencies {
   testImplementation("org.mockito:mockito-core:5.5.0")
   testImplementation("org.mockito:mockito-inline:5.2.0")
   testImplementation("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1")
-  testImplementation("io.grpc:grpc-netty:1.57.2")
+  testImplementation("io.grpc:grpc-netty:1.60.0")
 }

gateway-service/build.gradle.kts

@@ -8,12 +8,12 @@ plugins {
 dependencies {
   implementation(project(":gateway-service-factory"))
 
-  implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.5")
-  implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.62")
+  implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.13.1")
+  implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.64")
   implementation("org.slf4j:slf4j-api:1.7.30")
   implementation("com.typesafe:config:1.4.1")
 
-  runtimeOnly("io.grpc:grpc-netty:1.57.2")
+  runtimeOnly("io.grpc:grpc-netty:1.60.0")
   runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.1")
 }
 

owasp-suppressions.xml

@@ -9,25 +9,4 @@
     <cpe>cpe:/a:utils_project:utils</cpe>
     <cpe>cpe:/a:service_project:service</cpe>
   </suppress>
-  <suppress until="2024-01-31Z">
-    <notes><![CDATA[
-  This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
-  than the transport. The change in default is under consideration for the next major Netty release, revisit then.
-  Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
-  Ref:
-  https://github.com/grpc/grpc-java/issues/10033
-  https://github.com/netty/netty/issues/8537#issuecomment-1527896917
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
-    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
-  </suppress>
-  <suppress until="2024-01-31Z">
-    <notes><![CDATA[
-   This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
-   addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
-   Ref: https://github.com/grpc/grpc-java/pull/10675
-   ]]></notes>
-      <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
-    <cve>CVE-2023-44487</cve>
-  </suppress>
 </suppressions>