From a5d800b860caf234e16d8c2a7556698e3bebc219 Mon Sep 17 00:00:00 2001
From: Aaron Steinfeld <aaron@traceable.ai>
Date: Mon, 4 Dec 2023 08:43:46 -0500
Subject: [PATCH] fix: update grpc, jackson and framework versions

---
 gradle/libs.versions.toml |  8 ++++----
 owasp-suppressions.xml    | 18 +++++++++---------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 734d793..493d8be 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -1,8 +1,8 @@
 [versions]
 protoc = "3.24.1"
-grpc = "1.57.2"
-hypertrace-framework = "0.1.62"
-hypertrace-grpcutils = "0.12.6"
+grpc = "1.59.1"
+hypertrace-framework = "0.1.63"
+hypertrace-grpcutils = "0.12.7"
 hypertrace-kafka = "0.3.9"
 hypertrace-bom = "+"
 hypertrace-attributeservice = "0.14.35"
@@ -27,7 +27,7 @@ grpc-protobuf = { module = "io.grpc:grpc-protobuf" }
 grpc-api = { module = "io.grpc:grpc-api" }
 grpc-netty = { module = "io.grpc:grpc-netty" }
 grpc-context = { module = "io.grpc:grpc-context" }
-jackson-bom = { module = "com.fasterxml.jackson:jackson-bom", version = "2.15.2" }
+jackson-bom = { module = "com.fasterxml.jackson:jackson-bom", version = "2.16.0" }
 jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind" }
 jackson-datatype-jsr310 = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jsr310" }
 jackson-datatype-jdk8 = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jdk8" }
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
index 1934f0f..c26b3d0 100644
--- a/owasp-suppressions.xml
+++ b/owasp-suppressions.xml
@@ -10,15 +10,6 @@
     <cpe>cpe:/a:service_project:service</cpe>
     <cpe>cpe:/a:processing:processing</cpe>
   </suppress>
-  <suppress until="2023-12-31Z">
-    <notes><![CDATA[
-   Doesn't appear to be a real vulnerability, jackson maintainers discuss at https://github.com/FasterXML/jackson-databind/issues/3973
-   Revisit when suppression expires
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$
-    </packageUrl>
-    <cve>CVE-2023-35116</cve>
-  </suppress>
   <suppress until="2023-12-31Z">
     <notes><![CDATA[
   This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
@@ -41,4 +32,13 @@
     <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@9.4.53\..*$</packageUrl>
     <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
   </suppress>
+  <suppress until="2023-12-31Z">
+    <notes><![CDATA[
+   This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
+   addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
+   Ref: https://github.com/grpc/grpc-java/pull/10675
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
+    <cve>CVE-2023-44487</cve>
+  </suppress>
 </suppressions>
\ No newline at end of file