hypertrace · aaron-steinfeld · Dec 12, 2023 · Dec 12, 2023
@@ -1,8 +1,8 @@
 [versions]
 protoc = "3.24.1"
-grpc = "1.59.1"
-hypertrace-framework = "0.1.63"
-hypertrace-grpcutils = "0.12.7"
+grpc = "1.60.0"
+hypertrace-framework = "0.1.64"
+hypertrace-grpcutils = "0.12.8"
 hypertrace-kafka = "0.3.9"
 hypertrace-bom = "+"
 hypertrace-attributeservice = "0.14.35"

@@ -10,18 +10,6 @@
     <cpe>cpe:/a:service_project:service</cpe>
     <cpe>cpe:/a:processing:processing</cpe>
   </suppress>
-  <suppress until="2023-12-31Z">
-    <notes><![CDATA[
-  This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
-  than the transport. The change in default is under consideration for the next major Netty release, revisit then.
-  Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
-  Ref:
-  https://github.com/grpc/grpc-java/issues/10033
-  https://github.com/netty/netty/issues/8537#issuecomment-1527896917
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
-    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
-  </suppress>
   <suppress until="2023-12-31Z">
     <notes><![CDATA[
    This CVE is declared fixed from 9.4.52, but the vuln db is not reflecting that. Suppress that specific version until
@@ -32,13 +20,4 @@
     <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\[email protected]\..*$</packageUrl>
     <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
   </suppress>
-  <suppress until="2023-12-31Z">
-    <notes><![CDATA[
-   This CVE (rapid RST) is already mitigated as our servers aren't directly exposed, but it's also
-   addressed in 1.59.1, which the CVE doesn't reflect (not all grpc impls versions are exactly aligned).
-   Ref: https://github.com/grpc/grpc-java/pull/10675
-   ]]></notes>
-    <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
-    <cve>CVE-2023-44487</cve>
-  </suppress>
 </suppressions>