Update dependencies to address security vulnerabilities

- CVE-2022-25647 - CVE-2023-2976 - CVE-2020-8908 Also update Gradle wrapper version to resolve Gradle bug in handling certain dependency JAR files. Signed-off-by: Mark S. Lewis <[email protected]>
hyperledger · Aug 20, 2023 · f4e5685 · f4e5685
1 parent 3b5b2cb
commit f4e5685
Show file tree

Hide file tree

Showing 24 changed files with 367 additions and 69 deletions.
diff --git a/dependency-suppression.xml b/dependency-suppression.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+        Core Fabric Go implementation vulnerability, not fabric-protos.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.hyperledger\.fabric/fabric\-protos@.*$</packageUrl>
+        <cve>CVE-2022-31121</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Core Fabric Go implementation vulnerability, not fabric-protos.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.hyperledger\.fabric/fabric\-protos@.*$</packageUrl>
+        <cve>CVE-2022-36023</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Vulnerability in C++ gRPC implementation.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$</packageUrl>
+        <cve>CVE-2023-33953</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Vulnerability in C++ gRPC implementation.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.opentelemetry\.instrumentation/opentelemetry\-grpc\-1\.6@.*$</packageUrl>
+        <cve>CVE-2023-32732</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Vulnerability in hutool-json, which is not used.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+        <cve>CVE-2022-45688</cve>
+    </suppress>
+</suppressions>
diff --git a/examples/fabric-contract-example-as-service/build.gradle b/examples/fabric-contract-example-as-service/build.gradle
@@ -21,7 +21,7 @@ repositories {
 
 dependencies {
     compile group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '2.3.+'
-    compile group: 'org.json', name: 'json', version: '20180813'
+    compile 'org.json:json:20230618'
     testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     testImplementation 'org.assertj:assertj-core:3.11.1'
     testImplementation 'org.mockito:mockito-core:2.+'

diff --git a/examples/fabric-contract-example-gradle-kotlin/build.gradle.kts b/examples/fabric-contract-example-gradle-kotlin/build.gradle.kts
@@ -20,7 +20,7 @@ java {
 
 dependencies {
     implementation("org.hyperledger.fabric-chaincode-java:fabric-chaincode-shim:2.5.0")
-    implementation("org.json:json:20180813")
+    implementation("org.json:json:20230618")
     implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
 
     testImplementation("org.junit.jupiter:junit-jupiter:5.4.2")

diff --git a/examples/fabric-contract-example-gradle/build.gradle b/examples/fabric-contract-example-gradle/build.gradle
@@ -21,7 +21,7 @@ repositories {
 
 dependencies {
     compile group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '2.5.0'
-    compile group: 'org.json', name: 'json', version: '20180813'
+    compile 'org.json:json:20230618'
     testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     testImplementation 'org.assertj:assertj-core:3.11.1'
     testImplementation 'org.mockito:mockito-core:2.+'

diff --git a/examples/ledger-api/build.gradle b/examples/ledger-api/build.gradle
@@ -21,7 +21,7 @@ repositories {
 
 dependencies {
     compile group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '1.4.5'
-    compile group: 'org.json', name: 'json', version: '20180813'
+    compile 'org.json:json:20230618'
     testImplementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     testImplementation 'org.assertj:assertj-core:3.11.1'
     testImplementation 'org.mockito:mockito-core:2.+'

diff --git a/fabric-chaincode-integration-test/build.gradle b/fabric-chaincode-integration-test/build.gradle
@@ -1,7 +1,7 @@
 dependencies {
     implementation project(':fabric-chaincode-docker')
     implementation project(':fabric-chaincode-shim')
-    implementation group: 'org.json', name: 'json', version: '20180813'
+    implementation 'org.json:json:20230618'
 }
 
 

diff --git a/fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle b/fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle
@@ -19,11 +19,11 @@ repositories {
 
 dependencies {
     implementation group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '2.5.1'
-    implementation group: 'org.hyperledger.fabric', name:'fabric-protos', version:'0.1.3'
+    implementation 'org.hyperledger.fabric:fabric-protos:0.2.1'
     testImplementation group: 'junit', name: 'junit', version: '4.12'
     implementation group: 'commons-logging', name: 'commons-logging', version: '1.2'
-    implementation group: 'com.google.code.gson', name: 'gson', version: '2.8.6'
-    implementation group: 'com.google.protobuf', name: 'protobuf-java', version: '3.4.0'
+    implementation 'com.google.code.gson:gson:2.10.1'
+    implementation 'com.google.protobuf:protobuf-java:3.22.5'
 }
 
 shadowJar {

diff --git a/fabric-chaincode-integration-test/src/contracts/bare-maven/pom.xml b/fabric-chaincode-integration-test/src/contracts/bare-maven/pom.xml
@@ -52,7 +52,7 @@
 		<dependency>
 			<groupId>org.hyperledger.fabric</groupId>
 			<artifactId>fabric-protos</artifactId>
-			<version>0.1.3</version>
+			<version>0.2.1</version>
 			<scope>compile</scope>
 		</dependency>
 
@@ -103,7 +103,7 @@
 		<dependency>
 			<groupId>org.json</groupId>
 			<artifactId>json</artifactId>
-			<version>20180813</version>
+			<version>20230618</version>
 		</dependency>
 
 	</dependencies>

diff --git a/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/build.gradle b/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/build.gradle
@@ -19,7 +19,7 @@ repositories {
 
 dependencies {
     implementation group: 'org.hyperledger.fabric-chaincode-java', name: 'fabric-chaincode-shim', version: '2.5.1'
-    implementation group: 'org.hyperledger.fabric', name:'fabric-protos', version:'0.1.3'
+    implementation group: 'org.hyperledger.fabric', name:'fabric-protos', version:'0.2.1'
     testImplementation group: 'junit', name: 'junit', version: '4.12'
     implementation group: 'commons-logging', name: 'commons-logging', version: '1.2'
     implementation group: 'com.google.code.gson', name: 'gson', version: '2.8.6'

diff --git a/...egration-test/src/test/java/org/hyperleder/fabric/shim/integration/util/InvokeHelper.java b/...egration-test/src/test/java/org/hyperleder/fabric/shim/integration/util/InvokeHelper.java
@@ -1,11 +1,12 @@
 package org.hyperleder.fabric.shim.integration.util;
 
-import java.util.Map;
-import java.util.stream.Collectors;
-
 import org.hyperleder.fabric.shim.integration.util.Command.Result;
 import org.hyperleder.fabric.shim.integration.util.Peer.PeerBuilder;
 
+import java.util.Arrays;
+import java.util.Map;
+import java.util.stream.Collectors;
+
 public class InvokeHelper {
 
     private String ccname;
@@ -33,6 +34,8 @@ public String invoke(String org, String... args){
             .trim();
 
         if (!text.contains("result: status:200")){
+            Command logsCommand = new Command(Arrays.asList("docker", "logs", "microfab"), orgEnv);
+            logsCommand.run();
             throw new RuntimeException(text);
         } 
 

diff --git a/fabric-chaincode-shim/build.gradle b/fabric-chaincode-shim/build.gradle
@@ -8,7 +8,7 @@
         mavenCentral()
     }
     dependencies {
-        classpath 'org.owasp:dependency-check-gradle:8.2.1'
+        classpath 'org.owasp:dependency-check-gradle:8.4.0'
     }
 }
 
@@ -22,7 +22,7 @@ plugins {
 apply plugin: 'org.owasp.dependencycheck'
 
 checkstyle {
-    toolVersion '8.29'
+    toolVersion '10.12.2'
     configFile file("../ci/checkstyle/checkstyle.xml")
     configProperties = [root_dir: file("..") ]
 }
@@ -34,37 +34,44 @@ checkstyleTest {
     source ='src/test/java'
 }
 
+dependencyCheck {
+    suppressionFile='dependency-suppression.xml'
+    scanConfigurations = ['runtimeClasspath']
+}
+
 check.dependsOn dependencyCheckAnalyze
 
 tasks.withType(org.gradle.api.tasks.testing.Test) {
     systemProperty 'CORE_CHAINCODE_LOGGING_LEVEL', 'DEBUG'
 }
 
 dependencies {
-    implementation group: 'org.hyperledger.fabric', name:'fabric-protos', version:'0.2.0'
-    implementation 'org.bouncycastle:bcpkix-jdk18on:1.75'
-    implementation 'org.bouncycastle:bcprov-jdk18on:1.75'
-    implementation 'io.github.classgraph:classgraph:4.8.161'
-    implementation group: 'com.github.everit-org.json-schema', name: 'org.everit.json.schema', version: '1.14.2'
+    implementation 'org.hyperledger.fabric:fabric-protos:0.2.1'
+    implementation 'org.bouncycastle:bcpkix-jdk18on:1.76'
+    implementation 'org.bouncycastle:bcprov-jdk18on:1.76'
+    implementation 'io.github.classgraph:classgraph:4.8.162'
+    implementation 'com.github.everit-org.json-schema:org.everit.json.schema:1.14.2'
     implementation 'org.json:json:20230618'
-    implementation group: 'com.google.protobuf', name: 'protobuf-java-util', version: '3.19.6'
+    implementation 'com.google.protobuf:protobuf-java-util:3.22.5'
 
     // Required if using Java 11+ as no longer bundled in the core libraries
-    testImplementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
-    implementation 'io.grpc:grpc-netty-shaded:1.45.4'
-    implementation 'io.grpc:grpc-protobuf:1.45.4'
-    implementation 'io.grpc:grpc-stub:1.45.4'
-
-    implementation platform("io.opentelemetry:opentelemetry-bom:1.6.0")
-
-    implementation "io.opentelemetry:opentelemetry-api"
-    implementation "io.opentelemetry:opentelemetry-proto:1.6.0-alpha"
-    implementation "io.opentelemetry:opentelemetry-sdk"
-    implementation "io.opentelemetry:opentelemetry-sdk-extension-autoconfigure:1.6.0-alpha"
-    implementation "io.opentelemetry:opentelemetry-sdk-trace"
+    testImplementation 'javax.xml.bind:jaxb-api:2.3.1'
+
+    implementation platform('io.grpc:grpc-bom:1.57.2')
+    implementation 'io.grpc:grpc-netty-shaded'
+    implementation 'io.grpc:grpc-protobuf'
+    implementation 'io.grpc:grpc-stub'
+
+    implementation platform("io.opentelemetry:opentelemetry-bom:1.29.0")
+
+    implementation 'io.opentelemetry:opentelemetry-api'
+    implementation 'io.opentelemetry.proto:opentelemetry-proto:1.0.0-alpha'
+    implementation 'io.opentelemetry:opentelemetry-sdk'
+    implementation 'io.opentelemetry:opentelemetry-sdk-extension-autoconfigure'
+    implementation 'io.opentelemetry:opentelemetry-sdk-trace'
     implementation 'io.opentelemetry:opentelemetry-exporter-otlp'
-    implementation 'io.opentelemetry:opentelemetry-extension-trace-propagators:1.6.0'
-    implementation "io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:1.5.3-alpha"
+    implementation 'io.opentelemetry:opentelemetry-extension-trace-propagators'
+    implementation 'io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:1.29.0-alpha'
 }
 
 dependencyCheck {

diff --git a/...c-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/annotation/Serializer.java b/...c-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/annotation/Serializer.java
@@ -15,7 +15,7 @@
  * Class level annotation that defines the serializer that should be used to
  * convert objects to and from the wire format.
  *
- * This should annotate a class that implements the Serializer interface
+ * <p>This should annotate a class that implements the Serializer interface</p>
  */
 @Retention(RUNTIME)
 @Target({ElementType.TYPE, ElementType.TYPE_USE})
@@ -25,7 +25,14 @@
      *
      */
     enum TARGET {
-        TRANSACTION, ALL
+        /**
+         * Target transaction functions.
+         */
+        TRANSACTION,
+        /**
+         * Target all elements.
+         */
+        ALL
     }
 
     /**

diff --git a/...-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/annotation/Transaction.java b/...-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/annotation/Transaction.java
@@ -29,20 +29,27 @@
 public @interface Transaction {
 
     /**
-     * SUBMIT or EVALUATE semantics.
+     * The intended invocation style for a transaction function.
      */
     enum TYPE {
-        SUBMIT, EVALUATE
+        /**
+         * Transaction is used to submit updates to the ledger.
+         */
+        SUBMIT,
+        /**
+         * Transaction is evaluated to query information from the ledger.
+         */
+        EVALUATE
     }
 
     /**
      * Submit semantics.
      *
-     * TRUE indicates that this function is intended to be called with the 'submit'
-     * semantics
+     * <p>TRUE indicates that this function is intended to be called with the 'submit'
+     * semantics</p>
      *
-     * FALSE indicates that this is intended to be called with the evaluate
-     * semantics
+     * <p>FALSE indicates that this is intended to be called with the evaluate
+     * semantics</p>
      *
      * @return boolean, default is true
      * @deprecated Please use intent
@@ -52,11 +59,12 @@ enum TYPE {
 
     /**
      * What are submit semantics for this transaction.
-     *
-     * SUBMIT - indicates that this function is intended to be called with the
-     * 'submit' semantics EVALUATE - indicates that this is intended to be called
-     * with the 'evaluate' semantics
-     *
+     * <dl>
+     * <dt>SUBMIT</dt><dd>indicates that this function is intended to be called with the
+     * 'submit' semantics</dd>
+     * <dt>EVALUATE</dt><dd>indicates that this is intended to be called
+     * with the 'evaluate' semantics</dd>
+     * </dl>
      * @return submit semantics
      */
     TYPE intent() default Transaction.TYPE.SUBMIT;

diff --git a/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/routing/TxFunction.java b/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/contract/routing/TxFunction.java
@@ -15,13 +15,32 @@
 public interface TxFunction {
 
     interface Routing {
-
+        /**
+         * Method to route calls to the transaction function.
+         * @return a method.
+         */
         Method getMethod();
 
+        /**
+         * The associated contract class.
+         * @return a contract class.
+         */
         Class<? extends ContractInterface> getContractClass();
 
+        /**
+         * The associated contract instance.
+         * @return a contract.
+         * @throws IllegalAccessException
+         * @throws InstantiationException
+         * @throws InvocationTargetException
+         * @throws NoSuchMethodException
+         */
         ContractInterface getContractInstance() throws IllegalAccessException, InstantiationException, InvocationTargetException, NoSuchMethodException;
 
+        /**
+         * Name of the serializer used for the transaction function.
+         * @return a serializer name.
+         */
         String getSerializerName();
     }
 
@@ -31,7 +50,7 @@ interface Routing {
     boolean isUnknownTx();
 
     /**
-     * @param unknown
+     * @param unknown true if the transaction is to be called when the request fn is unknown; otherwise false.
      */
     void setUnknownTx(boolean unknown);
 

diff --git a/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/ledger/impl/package-info.java b/fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/ledger/impl/package-info.java
@@ -0,0 +1,6 @@
+/*
+ * Copyright 2023 IBM All Rights Reserved.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.hyperledger.fabric.ledger.impl;