Libraries upgrade to fix reported CVE (Consensys#989)

* fix: Update bouncycastle libraries * fix: Update transitive dependency threetenbp and google cloud secretmanager library * build: assign dependency scan nvd api key from env variable * fix: Update guava and commons-logging libraries
usmansaleem · Apr 15, 2024 · 4f25790 · 4f25790
1 parent 165c715
commit 4f25790
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,8 @@
 ## Next Version
 
 ### Bugs fixed
+- Update transitive dependency threetenbp and google cloud secretmanager library to fix CVE-2024-23082, CVE-2024-23081
+- Update bouncycastle libraries to fix CVE-2024-29857, CVE-2024-30171, CVE-2024-30172
 - Update Teku libraries to 24.3.1
 - Update Vert.x to 4.5.7 (which include fixes for CVE-2024-1023)
 - Fix Host Allow List handler to handle empty host header

diff --git a/build.gradle b/build.gradle
@@ -157,6 +157,9 @@ allprojects {
   }
 
   dependencyCheck {
+    nvd {
+      apiKey = System.getenv('NVD_API_KEY')
+    }
     failBuildOnCVSS = 7 // Fail on high CVSS severity
     suppressionFile = "${rootDir}/gradle/owasp-suppression.xml"
     skipConfigurations = [

diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -25,11 +25,12 @@ dependencyManagement {
 
     dependency 'tech.pegasys.tools.epchecks:errorprone-checks:1.1.1'
 
-    dependency 'com.google.guava:guava:32.0.1-jre'
+    dependency 'com.google.guava:guava:33.1.0-jre'
 
     dependency 'commons-cli:commons-cli:1.5.0'
     dependency 'commons-io:commons-io:2.11.0'
     dependency 'org.apache.commons:commons-lang3:3.12.0'
+    dependency 'commons-logging:commons-logging:1.3.1'
 
     dependency 'info.picocli:picocli:4.6.2'
 
@@ -66,7 +67,7 @@ dependencyManagement {
 
     dependency 'org.awaitility:awaitility:4.1.1'
 
-    dependencySet(group: 'org.bouncycastle', version: '1.74') {
+    dependencySet(group: 'org.bouncycastle', version: '1.78') {
       entry 'bcpkix-jdk18on'
       entry 'bcprov-jdk18on'
     }
@@ -143,7 +144,12 @@ dependencyManagement {
 
     dependency 'org.flywaydb:flyway-core:6.1.1'
 
-    dependency 'com.google.cloud:google-cloud-secretmanager:2.29.0'
+    dependency 'com.google.cloud:google-cloud-secretmanager:2.41.0'
+    /*
+      org.threeten:threetenbp:1.6.8 //CVE-2024-23082, CVE-2024-23081
+      \--- com.google.cloud:google-cloud-secretmanager:2.41.0
+     */
+    dependency 'org.threeten:threetenbp:1.6.9'
     dependency 'io.zonky.test.postgres:embedded-postgres-binaries-bom:11.19.0'
     dependency 'io.zonky.test:embedded-postgres:2.0.3'
 

diff --git a/signing/build.gradle b/signing/build.gradle
@@ -45,6 +45,7 @@ dependencies {
 
   runtimeOnly 'com.squareup.okhttp3:okhttp'
   runtimeOnly 'org.apache.logging.log4j:log4j-slf4j2-impl'
+  runtimeOnly 'commons-logging:commons-logging'
   runtimeOnly 'org.bouncycastle:bcpkix-jdk18on'
   runtimeOnly 'tech.pegasys:jblst'