Update dependencies to address CVE-2023-3635

Signed-off-by: Mark S. Lewis <[email protected]>
hyperledger · Dec 4, 2023 · 95e3a2d · 95e3a2d
1 parent e59b6d6
commit 95e3a2d
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 16 deletions.
diff --git a/dependency-suppressions.xml b/dependency-suppressions.xml
@@ -55,4 +55,10 @@
         <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$</packageUrl>
         <cve>CVE-2023-4785</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        CVE relates to attack on gRPC servers (not clients) and is dependent on the Netty version used
+        ]]></notes>
+        <cve>CVE-2023-44487</cve>
+    </suppress>
 </suppressions>
diff --git a/pom.xml b/pom.xml
@@ -38,22 +38,22 @@
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <javaVersion>8</javaVersion>
-        <javadoc.version>3.5.0</javadoc.version>
+        <javadoc.version>3.6.3</javadoc.version>
     </properties>
 
     <dependencyManagement>
         <dependencies>
             <dependency>
                 <groupId>io.cucumber</groupId>
                 <artifactId>cucumber-bom</artifactId>
-                <version>7.13.0</version>
+                <version>7.14.1</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
             <dependency>
                 <groupId>org.junit</groupId>
                 <artifactId>junit-bom</artifactId>
-                <version>5.10.0</version>
+                <version>5.10.1</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
@@ -108,15 +108,10 @@
             <artifactId>cucumber-junit</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency><!-- override the version under cloudant-client -->
-            <groupId>commons-codec</groupId>
-            <artifactId>commons-codec</artifactId>
-            <version>1.16.0</version>
-        </dependency>
         <dependency>
             <groupId>com.ibm.cloud</groupId>
             <artifactId>cloudant</artifactId>
-            <version>0.5.4</version>
+            <version>0.8.1</version>
         </dependency>
     </dependencies>
 
@@ -126,15 +121,15 @@
             <plugins>
                 <plugin>
                     <artifactId>maven-clean-plugin</artifactId>
-                    <version>3.3.1</version>
+                    <version>3.3.2</version>
                 </plugin>
                 <plugin>
                     <artifactId>maven-site-plugin</artifactId>
                     <version>3.12.1</version>
                 </plugin>
                 <plugin>
                     <artifactId>maven-project-info-reports-plugin</artifactId>
-                    <version>3.4.5</version>
+                    <version>3.5.0</version>
                 </plugin>
                 <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
                 <plugin>
@@ -160,7 +155,7 @@
                 </plugin>
                 <plugin>
                     <artifactId>maven-surefire-plugin</artifactId>
-                    <version>3.1.2</version>
+                    <version>3.2.2</version>
                     <configuration>
                         <excludes>
                             <exclude>**/scenario/**</exclude>
@@ -233,7 +228,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-enforcer-plugin</artifactId>
-                    <version>3.3.0</version>
+                    <version>3.4.1</version>
                     <executions>
                         <execution>
                             <id>enforce-version</id>
@@ -329,7 +324,7 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-checkstyle-plugin</artifactId>
-                        <version>3.3.0</version>
+                        <version>3.3.1</version>
                         <configuration>
                             <configLocation>checkstyle.xml</configLocation>
                             <consoleOutput>true</consoleOutput>
@@ -341,7 +336,7 @@
                             <dependency>
                                 <groupId>com.puppycrawl.tools</groupId>
                                 <artifactId>checkstyle</artifactId>
-                                <version>10.12.2</version>
+                                <version>10.12.5</version>
                             </dependency>
                         </dependencies>
                         <executions>
@@ -364,7 +359,7 @@
                     <plugin>
                         <groupId>org.owasp</groupId>
                         <artifactId>dependency-check-maven</artifactId>
-                        <version>8.4.0</version>
+                        <version>9.0.2</version>
                         <configuration>
                             <skipProvidedScope>true</skipProvidedScope>
                             <skipTestScope>true</skipTestScope>
@@ -373,6 +368,7 @@
                             <suppressionFiles>
                                 <suppressionFile>dependency-suppressions.xml</suppressionFile>
                             </suppressionFiles>
+                            <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
                         </configuration>
                         <executions>
                             <execution>