From 09d005afdd279b5ba14d336a73dad02955f15bdc Mon Sep 17 00:00:00 2001
From: "Mark S. Lewis"
Date: Wed, 21 Feb 2024 23:12:44 +0000
Subject: [PATCH] Update dependencies to address CVE-2024-25710, CVE-2024-26308
- Address vulnerabilities in Apache commons-compress.
- Update other dependencies to stay current.
- Fix some minor compilation issues following dependency updates.
Signed-off-by: Mark S. Lewis
---
pom.xml | 32 +++++------
.../hyperledger/fabric/sdk/helper/Utils.java | 56 ++++++++++---------
.../fabric/sdkintegration/Util.java | 40 +++++--------
3 files changed, 59 insertions(+), 69 deletions(-)
diff --git a/pom.xml b/pom.xml
index c328f524..27e9aa4d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -28,15 +28,15 @@ http://github.com/hyperledger/fabric-sdk-java - 1.59.0 - 3.24.4 + 1.61.1 + 3.25.1 1.77 4.5.14 - 3.6.2 + 3.6.3 true UTF-8 0.8.11 - 2.21.1 + 2.23.0 IntegrationSuite.java gpg 8
@@ -54,7 +54,7 @@ io.opentelemetry opentelemetry-bom - 1.32.0 + 1.35.0 pom import
@@ -111,7 +111,7 @@ commons-logging commons-logging - 1.2 + 1.3.0 commons-cli
@@ -121,12 +121,12 @@ org.apache.commons commons-compress - 1.24.0 + 1.26.0 commons-io commons-io - 2.15.0 + 2.15.1
@@ -167,7 +167,7 @@ com.google.api api-common - 2.20.0 + 2.26.0
@@ -222,12 +222,12 @@ io.opentelemetry.instrumentation opentelemetry-grpc-1.6 - 1.32.0-alpha + 2.1.0-alpha io.opentelemetry.proto opentelemetry-proto - 1.0.0-alpha + 1.1.0-alpha
@@ -255,7 +255,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.2 + 3.2.5 ${surefireArgLine}
@@ -267,7 +267,7 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.2.2 + 3.2.5 ${failsafeArgLine}
@@ -314,7 +314,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.11.0 + 3.12.1 ${javaVersion} ${javaVersion}
@@ -619,7 +619,7 @@ org.owasp dependency-check-maven - 8.4.3 + 9.0.9 true true
@@ -695,7 +695,7 @@ com.puppycrawl.tools checkstyle - 10.12.5 + 10.13.0
diff --git a/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java b/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java
index ffae7fea..7fac2ecf 100644
--- a/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java
+++ b/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java
@@ -14,11 +14,27 @@ package org.hyperledger.fabric.sdk.helper;
+import com.google.common.collect.ImmutableMap;
+import com.google.protobuf.ByteString;
+import com.google.protobuf.Timestamp;
+import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
+import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA3Digest;
+import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.encoders.Hex;
+
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.UncheckedIOException;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.math.BigDecimal;
@@ -40,22 +56,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
-
-import com.google.common.collect.ImmutableMap;
-import com.google.protobuf.ByteString;
-import com.google.protobuf.Timestamp;
-import org.apache.commons.compress.archivers.ArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
-import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA3Digest;
-import org.bouncycastle.util.Arrays;
-import org.bouncycastle.util.encoders.Hex;
+import java.util.stream.Stream;
 import static java.lang.String.format;
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -133,8 +134,8 @@ public static String generateDirectoryHash(String rootDir, String chaincodeDir,
 }
 StringBuilder hashBuilder = new StringBuilder(hash);
- Files.walk(projectPath)
- .sorted(Comparator.naturalOrder())
+ try (Stream walkStream = Files.walk(projectPath)) {
+ walkStream.sorted(Comparator.naturalOrder())
 .filter(Files::isRegularFile)
 .map(Path::toFile)
 .forEach(file -> {
@@ -144,9 +145,10 @@ public static String generateDirectoryHash(String rootDir, String chaincodeDir,
 hashBuilder.setLength(0);
 hashBuilder.append(Hex.toHexString(hash(toHash, new SHA3Digest())));
 } catch (IOException ex) {
- throw new RuntimeException(format("Error while reading file %s", file.getAbsolutePath()), ex);
+ throw new UncheckedIOException(format("Error while reading file %s", file.getAbsolutePath()), ex);
 }
 });
+ }
 // If original hash and final hash are the same, it indicates that no new contents were found
 if (hashBuilder.toString().equals(hash)) {
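Review bot: The order in which files feed the directory hash, `walkStream.sorted(Comparator.naturalOrder())` in the @@ -133 hunk, is Path.compareTo, which the JDK documents as provider- and platform-specific (the Windows provider compares case-insensitively), so the same chaincode tree may produce different hashes on different hosts; if the hash is meant to be comparable across platforms, sort on a normalized relative string instead, e.g. `.sorted(Comparator.comparing(p -> FilenameUtils.separatorsToUnix(projectPath.relativize(p).toString())))` — FilenameUtils is already imported, and projectPath must be effectively final for the lambda. Moving the walk into try-with-resources is the right fix for the previously leaked directory handles, and the reason deserves a one-line comment on the try, `// Files.walk keeps directories open until the stream is closed`, since it is not obvious from the code. generateDirectoryHash starts before and ends after these hunks.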
@@ -178,7 +180,6 @@ public static byte[] generateTarGz(File sourceDirectory, String pathPrefix, File
 Collection childrenFiles = org.apache.commons.io.FileUtils.listFiles(sourceDirectory, null, true);
- ArchiveEntry archiveEntry;
 for (File childFile : childrenFiles) {
 String childPath = childFile.getAbsolutePath();
 String relativePath = childPath.substring((sourcePath.length() + 1));
@@ -193,7 +194,7 @@ public static byte[] generateTarGz(File sourceDirectory, String pathPrefix, File
 logger.trace(format("generateTarGz: Adding '%s' entry from source '%s' to archive.", relativePath, childFile.getAbsolutePath()));
 }
- archiveEntry = new TarArchiveEntry(childFile, relativePath);
+ TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);
 archiveOutputStream.putArchiveEntry(archiveEntry);
 try (FileInputStream fileInputStream = new FileInputStream(childFile)) {
@@ -217,7 +218,7 @@ public static byte[] generateTarGz(File sourceDirectory, String pathPrefix, File
 logger.trace(format("generateTarGz: Adding '%s' entry from source '%s' to archive.", relativePath, childFile.getAbsolutePath()));
 }
- archiveEntry = new TarArchiveEntry(childFile, relativePath);
+ TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);
 archiveOutputStream.putArchiveEntry(archiveEntry);
 try (FileInputStream fileInputStream = new FileInputStream(childFile)) {
@@ -276,10 +277,11 @@ public static void deleteFileOrDirectory(File file) throws IOException {
 if (file.isDirectory()) {
 Path rootPath = Paths.get(file.getAbsolutePath());
- Files.walk(rootPath, FileVisitOption.FOLLOW_LINKS)
- .sorted(Comparator.reverseOrder())
- .map(Path::toFile)
- .forEach(File::delete);
+ try (Stream walkStream = Files.walk(rootPath, FileVisitOption.FOLLOW_LINKS)) {
+ walkStream.sorted(Comparator.reverseOrder())
+ .map(Path::toFile)
+ .forEach(File::delete);
+ }
 } else {
 file.delete();
 }
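Review bot: The @@ -193 and @@ -217 hunks leave two byte-identical add-entry sequences in generateTarGz (`TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);`, the putArchiveEntry call, the try-with-resources copy), now each with its own local declaration; a small private helper such as `addFileEntry(archiveOutputStream, childFile, relativePath)` would let the next commons-compress API change be made once. Whatever distinguishes the two branches, and the rest of the method, lies outside these hunks, so the helper's exact shape has to be confirmed against the full file.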
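Review bot: In the @@ -276 hunk, `Files.walk(rootPath, FileVisitOption.FOLLOW_LINKS)` makes the recursive delete descend into symbolic links, so a link inside the tree that points outside it has its target's contents deleted rather than just the link, and a link cycle may fail the walk with a FileSystemLoopException. Unless following links is intended here, drop the option, `try (Stream<Path> walkStream = Files.walk(rootPath)) {` — a link is then visited once and removed as a link (if the root itself may be a link, that case needs an explicit decision). `File::delete` also discards its boolean result, so a file that could not be removed is silently left behind; `Files.delete` inside a lambda that rethrows IOException as UncheckedIOException, matching the style now used in generateDirectoryHash, would surface it. deleteFileOrDirectory's closing brace is outside the hunk.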
@@ -385,7 +387,7 @@ public static boolean isNullOrEmpty(String url) {
 * @return returns a string which does not have unprintable characters and trimmed in length.
 */
 public static String logString(final String string) {
- if (string == null || string.length() == 0) {
+ if (string == null || string.isEmpty()) {
 return string;
 }
diff --git a/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java b/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java
index f2acb97d..6f3ba19a 100644
--- a/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java
+++ b/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java
@@ -16,6 +16,13 @@ package org.hyperledger.fabric.sdkintegration;
+import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
+import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.IOUtils;
+import org.hyperledger.fabric.sdk.helper.Utils;
+
 import java.io.BufferedOutputStream;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -25,14 +32,6 @@ import java.io.InputStream;
 import java.util.Collection;
-import org.apache.commons.compress.archivers.ArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
-import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.io.IOUtils;
-import org.hyperledger.fabric.sdk.helper.Utils;
-
 import static java.lang.String.format;
 class Util {
@@ -52,23 +51,16 @@ private Util() {
 * @throws IOException
 */
 public static InputStream generateTarGzInputStream(File src, String pathPrefix) throws IOException {
- File sourceDirectory = src;
-
 ByteArrayOutputStream bos = new ByteArrayOutputStream(500000);
+ String sourcePath = src.getAbsolutePath();
- String sourcePath = sourceDirectory.getAbsolutePath();
-
- TarArchiveOutputStream archiveOutputStream = new TarArchiveOutputStream(new GzipCompressorOutputStream(new BufferedOutputStream(bos)));
- archiveOutputStream.setLongFileMode(TarArchiveOutputStream.LONGFILE_GNU);
-
- try {
- Collection childrenFiles = org.apache.commons.io.FileUtils.listFiles(sourceDirectory, null, true);
+ try (TarArchiveOutputStream archiveOutputStream = new TarArchiveOutputStream(new GzipCompressorOutputStream(new BufferedOutputStream(bos)))) {
+ archiveOutputStream.setLongFileMode(TarArchiveOutputStream.LONGFILE_GNU);
+ Collection childrenFiles = org.apache.commons.io.FileUtils.listFiles(src, null, true);
- ArchiveEntry archiveEntry;
- FileInputStream fileInputStream;
 for (File childFile : childrenFiles) {
 String childPath = childFile.getAbsolutePath();
- String relativePath = childPath.substring((sourcePath.length() + 1), childPath.length());
+ String relativePath = childPath.substring((sourcePath.length() + 1));
 if (pathPrefix != null) {
 relativePath = Utils.combinePaths(pathPrefix, relativePath);
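Review bot: After this rewrite generateTarGzInputStream mirrors Utils.generateTarGz almost line for line (recursive FileUtils.listFiles, the `substring(sourcePath.length() + 1)` relative path, Utils.combinePaths, LONGFILE_GNU), so the two copies will drift again at the next dependency update; if the remaining parameters of Utils.generateTarGz (its signature is truncated at `File` in this patch) can be supplied from the test, this helper could reduce to `return new ByteArrayInputStream(Utils.generateTarGz(src, pathPrefix, /* remaining args */));`. Failing that, the Javadoc `@throws IOException` just above the signature has no description; `@throws IOException if the source directory cannot be listed or a file in it cannot be read` says when it fires. The method continues into the following hunk.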
@@ -76,19 +68,15 @@ public static InputStream generateTarGzInputStream(File src, String pathPrefix)
 relativePath = FilenameUtils.separatorsToUnix(relativePath);
- archiveEntry = new TarArchiveEntry(childFile, relativePath);
- fileInputStream = new FileInputStream(childFile);
+ TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);
 archiveOutputStream.putArchiveEntry(archiveEntry);
- try {
+ try (FileInputStream fileInputStream = new FileInputStream(childFile)) {
 IOUtils.copy(fileInputStream, archiveOutputStream);
 } finally {
- IOUtils.closeQuietly(fileInputStream);
 archiveOutputStream.closeArchiveEntry();
 }
 }
- } finally {
- IOUtils.closeQuietly(archiveOutputStream);
 }
 return new ByteArrayInputStream(bos.toByteArray());