hypertrace · aman-bansal · Nov 23, 2023 · Nov 22, 2023
@@ -0,0 +1 @@
+CVE-2023-5678 exp:2023-11-30
@@ -3,7 +3,7 @@ plugins {
 }
 
 dependencies {
-  api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.58")
+  api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.62")
 
   implementation(project(":gateway-service-impl"))
 }
@@ -18,8 +18,8 @@ dependencies {
   implementation("org.hypertrace.core.query.service:query-service-client:0.8.0")
   implementation("org.hypertrace.core.attribute.service:attribute-service-client:0.14.25")
 
-  implementation("org.hypertrace.entity.service:entity-service-client:0.8.56")
-  implementation("org.hypertrace.entity.service:entity-service-api:0.8.56")
+  implementation("org.hypertrace.entity.service:entity-service-client:0.8.87")
+  implementation("org.hypertrace.entity.service:entity-service-api:0.8.87")
   implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.5")
   implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.5")
   implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.58")

@@ -364,13 +364,12 @@ private List<EntityInteractionQueryRequest> prepareQueryRequests(
         .collect(Collectors.toList());
   }
 
-  private Set<String> getOtherEntityTypes(org.hypertrace.gateway.service.v1.common.Filter filter) {
+  protected Set<String> getOtherEntityTypes(
+      org.hypertrace.gateway.service.v1.common.Filter filter) {
+    Set<String> result = new HashSet<>();
     if (filter.getChildFilterCount() > 0) {
       for (org.hypertrace.gateway.service.v1.common.Filter child : filter.getChildFilterList()) {
-        Set<String> result = getOtherEntityTypes(child);
-        if (!result.isEmpty()) {
-          return result;
-        }
+        result.addAll(getOtherEntityTypes(child));
       }
     } else if (ExpressionReader.isSimpleAttributeSelection(filter.getLhs())) {
       String attributeId =
@@ -382,7 +381,7 @@ private Set<String> getOtherEntityTypes(org.hypertrace.gateway.service.v1.common
       }
     }
 
-    return Collections.emptySet();
+    return Collections.unmodifiableSet(result);
   }
 
   private Filter convertToQueryFilter(

@@ -9,7 +9,7 @@ dependencies {
   implementation(project(":gateway-service-factory"))
 
   implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.12.5")
-  implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.58")
+  implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.62")
   implementation("org.slf4j:slf4j-api:1.7.30")
   implementation("com.typesafe:config:1.4.1")
 

@@ -17,4 +17,16 @@
     <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
     <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
   </suppress>
+  <suppress until="2023-11-30Z">
+    <notes><![CDATA[
+  This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
+  than the transport. The change in default is under consideration for the next major Netty release, revisit then.
+  Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
+  Ref:
+  https://github.com/grpc/grpc-java/issues/10033
+  https://github.com/netty/netty/issues/8537#issuecomment-1527896917
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
+    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+  </suppress>
 </suppressions>