Update dependencies to address CVE-2024-25710, CVE-2024-26308
- Address vulnerabilities in Apache commons-compress.
- Update other dependencies to stay current.
- Fix some minor compilation issues following dependency updates.

Signed-off-by: Mark S. Lewis <[email protected]>
bestbeforetoday committed Feb 21, 2024
1 parent 4b8425d commit 09d005a
Showing 3 changed files with 59 additions and 69 deletions.
32 changes: 16 additions & 16 deletions pom.xml
Expand Up @@ -28,15 +28,15 @@
<url>http://github.com/hyperledger/fabric-sdk-java</url>
</scm>
<properties>
<grpc.version>1.59.0</grpc.version>
<protobuf.version>3.24.4</protobuf.version> <!-- Must match version used by grpc-protobuf -->
<grpc.version>1.61.1</grpc.version>
<protobuf.version>3.25.1</protobuf.version> <!-- Must match version used by grpc-protobuf -->
<bouncycastle.version>1.77</bouncycastle.version>
<httpclient.version>4.5.14</httpclient.version>
<javadoc.version>3.6.2</javadoc.version>
<javadoc.version>3.6.3</javadoc.version>
<skipITs>true</skipITs>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<jacoco.version>0.8.11</jacoco.version>
<log4j.version>2.21.1</log4j.version>
<log4j.version>2.23.0</log4j.version>
<org.hyperledger.fabric.sdktest.ITSuite>IntegrationSuite.java</org.hyperledger.fabric.sdktest.ITSuite>
<gpg.executable>gpg</gpg.executable>
<javaVersion>8</javaVersion>
Expand All @@ -54,7 +54,7 @@
<dependency>
<groupId>io.opentelemetry</groupId>
<artifactId>opentelemetry-bom</artifactId>
<version>1.32.0</version>
<version>1.35.0</version>
<type>pom</type>
<scope>import</scope>
</dependency>
Expand Down Expand Up @@ -111,7 +111,7 @@
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
<version>1.3.0</version>
</dependency>
<dependency>
<groupId>commons-cli</groupId>
Expand All @@ -121,12 +121,12 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.24.0</version>
<version>1.26.0</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.15.0</version>
<version>2.15.1</version>
</dependency>

<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
Expand Down Expand Up @@ -167,7 +167,7 @@
<dependency>
<groupId>com.google.api</groupId>
<artifactId>api-common</artifactId>
<version>2.20.0</version>
<version>2.26.0</version>
</dependency>

<dependency>
Expand Down Expand Up @@ -222,12 +222,12 @@
<dependency>
<groupId>io.opentelemetry.instrumentation</groupId>
<artifactId>opentelemetry-grpc-1.6</artifactId>
<version>1.32.0-alpha</version>
<version>2.1.0-alpha</version>
</dependency>
<dependency>
<groupId>io.opentelemetry.proto</groupId>
<artifactId>opentelemetry-proto</artifactId>
<version>1.0.0-alpha</version>
<version>1.1.0-alpha</version>
</dependency>
</dependencies>

Expand Down Expand Up @@ -255,7 +255,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>3.2.2</version>
<version>3.2.5</version>
<configuration>
<argLine>${surefireArgLine}</argLine>
<includes>
Expand All @@ -267,7 +267,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<version>3.2.2</version>
<version>3.2.5</version>
<configuration>
<argLine>${failsafeArgLine}</argLine>
<includes>
Expand Down Expand Up @@ -314,7 +314,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.11.0</version>
<version>3.12.1</version>
<configuration>
<source>${javaVersion}</source>
<target>${javaVersion}</target>
Expand Down Expand Up @@ -619,7 +619,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.3</version>
<version>9.0.9</version>
<configuration>
<skipProvidedScope>true</skipProvidedScope>
<skipTestScope>true</skipTestScope>
Expand Down Expand Up @@ -695,7 +695,7 @@
<dependency>
<groupId>com.puppycrawl.tools</groupId>
<artifactId>checkstyle</artifactId>
<version>10.12.5</version>
<version>10.13.0</version>
</dependency>
</dependencies>
</plugin>
56 changes: 29 additions & 27 deletions src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java
Expand Up @@ -14,11 +14,27 @@

package org.hyperledger.fabric.sdk.helper;

import com.google.common.collect.ImmutableMap;
import com.google.protobuf.ByteString;
import com.google.protobuf.Timestamp;
import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.digests.SHA3Digest;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.encoders.Hex;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.math.BigDecimal;
Expand All @@ -40,22 +56,7 @@
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

import com.google.common.collect.ImmutableMap;
import com.google.protobuf.ByteString;
import com.google.protobuf.Timestamp;
import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.digests.SHA3Digest;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.encoders.Hex;
import java.util.stream.Stream;

import static java.lang.String.format;
import static java.nio.charset.StandardCharsets.UTF_8;
Expand Down Expand Up @@ -133,8 +134,8 @@ public static String generateDirectoryHash(String rootDir, String chaincodeDir,
}

StringBuilder hashBuilder = new StringBuilder(hash);
Files.walk(projectPath)
.sorted(Comparator.naturalOrder())
try (Stream<Path> walkStream = Files.walk(projectPath)) {
walkStream.sorted(Comparator.naturalOrder())
.filter(Files::isRegularFile)
.map(Path::toFile)
.forEach(file -> {
Expand All @@ -144,9 +145,10 @@ public static String generateDirectoryHash(String rootDir, String chaincodeDir,
hashBuilder.setLength(0);
hashBuilder.append(Hex.toHexString(hash(toHash, new SHA3Digest())));
} catch (IOException ex) {
throw new RuntimeException(format("Error while reading file %s", file.getAbsolutePath()), ex);
throw new UncheckedIOException(format("Error while reading file %s", file.getAbsolutePath()), ex);
}
});
}

// If original hash and final hash are the same, it indicates that no new contents were found
if (hashBuilder.toString().equals(hash)) {
Expand Down Expand Up @@ -178,7 +180,6 @@ public static byte[] generateTarGz(File sourceDirectory, String pathPrefix, File

Collection<File> childrenFiles = org.apache.commons.io.FileUtils.listFiles(sourceDirectory, null, true);

ArchiveEntry archiveEntry;
for (File childFile : childrenFiles) {
String childPath = childFile.getAbsolutePath();
String relativePath = childPath.substring((sourcePath.length() + 1));
Expand All @@ -193,7 +194,7 @@ public static byte[] generateTarGz(File sourceDirectory, String pathPrefix, File
logger.trace(format("generateTarGz: Adding '%s' entry from source '%s' to archive.", relativePath, childFile.getAbsolutePath()));
}

archiveEntry = new TarArchiveEntry(childFile, relativePath);
TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);
archiveOutputStream.putArchiveEntry(archiveEntry);

try (FileInputStream fileInputStream = new FileInputStream(childFile)) {
Expand All @@ -217,7 +218,7 @@ public static byte[] generateTarGz(File sourceDirectory, String pathPrefix, File
logger.trace(format("generateTarGz: Adding '%s' entry from source '%s' to archive.", relativePath, childFile.getAbsolutePath()));
}

archiveEntry = new TarArchiveEntry(childFile, relativePath);
TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);
archiveOutputStream.putArchiveEntry(archiveEntry);

try (FileInputStream fileInputStream = new FileInputStream(childFile)) {
Expand Down Expand Up @@ -276,10 +277,11 @@ public static void deleteFileOrDirectory(File file) throws IOException {
if (file.isDirectory()) {
Path rootPath = Paths.get(file.getAbsolutePath());

Files.walk(rootPath, FileVisitOption.FOLLOW_LINKS)
.sorted(Comparator.reverseOrder())
.map(Path::toFile)
.forEach(File::delete);
try (Stream<Path> walkStream = Files.walk(rootPath, FileVisitOption.FOLLOW_LINKS)) {
walkStream.sorted(Comparator.reverseOrder())
.map(Path::toFile)
.forEach(File::delete);
}
} else {
file.delete();
}
Expand Down Expand Up @@ -385,7 +387,7 @@ public static boolean isNullOrEmpty(String url) {
* @return returns a string which does not have unprintable characters and trimmed in length.
*/
public static String logString(final String string) {
if (string == null || string.length() == 0) {
if (string == null || string.isEmpty()) {
return string;
}

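Review bot: `Files.walk(rootPath, FileVisitOption.FOLLOW_LINKS)` in deleteFileOrDirectory descends into any symlinked directory under rootPath, so the subsequent `File::delete` calls remove the files inside the link target rather than just the link; a symlink placed in the directory being cleaned would let this routine delete content outside that tree. Dropping the option, `try (Stream<Path> walkStream = Files.walk(rootPath)) {`, visits the link as a single entry and unlinks it without following it, which is the behaviour a recursive delete should have. The `File::delete` return value is also discarded, so an entry that cannot be removed is silently left behind; `Files.delete` inside the lambda, wrapped in the `UncheckedIOException` this file already imports, would surface that. deleteFileOrDirectory begins and ends outside the hunk.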
40 changes: 14 additions & 26 deletions src/test/java/org/hyperledger/fabric/sdkintegration/Util.java
Expand Up @@ -16,6 +16,13 @@

package org.hyperledger.fabric.sdkintegration;

import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.IOUtils;
import org.hyperledger.fabric.sdk.helper.Utils;

import java.io.BufferedOutputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
Expand All @@ -25,14 +32,6 @@
import java.io.InputStream;
import java.util.Collection;

import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.IOUtils;
import org.hyperledger.fabric.sdk.helper.Utils;

import static java.lang.String.format;

class Util {
Expand All @@ -52,43 +51,32 @@ private Util() {
* @throws IOException
*/
public static InputStream generateTarGzInputStream(File src, String pathPrefix) throws IOException {
File sourceDirectory = src;

ByteArrayOutputStream bos = new ByteArrayOutputStream(500000);
String sourcePath = src.getAbsolutePath();

String sourcePath = sourceDirectory.getAbsolutePath();

TarArchiveOutputStream archiveOutputStream = new TarArchiveOutputStream(new GzipCompressorOutputStream(new BufferedOutputStream(bos)));
archiveOutputStream.setLongFileMode(TarArchiveOutputStream.LONGFILE_GNU);

try {
Collection<File> childrenFiles = org.apache.commons.io.FileUtils.listFiles(sourceDirectory, null, true);
try (TarArchiveOutputStream archiveOutputStream = new TarArchiveOutputStream(new GzipCompressorOutputStream(new BufferedOutputStream(bos)))) {
archiveOutputStream.setLongFileMode(TarArchiveOutputStream.LONGFILE_GNU);
Collection<File> childrenFiles = org.apache.commons.io.FileUtils.listFiles(src, null, true);

ArchiveEntry archiveEntry;
FileInputStream fileInputStream;
for (File childFile : childrenFiles) {
String childPath = childFile.getAbsolutePath();
String relativePath = childPath.substring((sourcePath.length() + 1), childPath.length());
String relativePath = childPath.substring((sourcePath.length() + 1));

if (pathPrefix != null) {
relativePath = Utils.combinePaths(pathPrefix, relativePath);
}

relativePath = FilenameUtils.separatorsToUnix(relativePath);

archiveEntry = new TarArchiveEntry(childFile, relativePath);
fileInputStream = new FileInputStream(childFile);
TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);
archiveOutputStream.putArchiveEntry(archiveEntry);

try {
try (FileInputStream fileInputStream = new FileInputStream(childFile)) {
IOUtils.copy(fileInputStream, archiveOutputStream);
} finally {
IOUtils.closeQuietly(fileInputStream);
archiveOutputStream.closeArchiveEntry();
}
}
} finally {
IOUtils.closeQuietly(archiveOutputStream);
}

return new ByteArrayInputStream(bos.toByteArray());
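Review bot: In generateTarGzInputStream the `finally { archiveOutputStream.closeArchiveEntry(); }` runs even when `IOUtils.copy` has failed part-way through a file, and closeArchiveEntry is then likely to throw its own IOException about the short entry, which replaces the copy failure that actually explains what went wrong. Moving `archiveOutputStream.closeArchiveEntry();` out of the finally to follow the copy inside the try keeps the original exception; the new try-with-resources on the archive stream still closes it on the failure path and attaches any complaint from close() as a suppressed exception instead of masking the cause. The method's closing lines fall outside the hunk.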
