From 0f7fab6353a9800e309f4eca0820d31d9e635e6b Mon Sep 17 00:00:00 2001
From: "Mark S. Lewis"
Date: Wed, 21 Feb 2024 23:12:44 +0000
Subject: [PATCH] Update dependencies to address CVE-2024-25710, CVE-2024-26308

- Address vulnerabilities in Apache commons-compress.
- Update other dependencies to stay current.
- Fix some minor compilation issues following dependency updates.

Signed-off-by: Mark S. Lewis
---
 pom.xml | 32 +++++++--------
 .../hyperledger/fabric/sdk/helper/Utils.java | 41 +++++++++----------
 .../fabric/sdkintegration/Util.java | 21 ++++------
 3 files changed, 45 insertions(+), 49 deletions(-)

diff --git a/pom.xml b/pom.xml
index c328f524..27e9aa4d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -28,15 +28,15 @@ http://github.com/hyperledger/fabric-sdk-java - 1.59.0 - 3.24.4 + 1.61.1 + 3.25.1 1.77 4.5.14 - 3.6.2 + 3.6.3 true UTF-8 0.8.11 - 2.21.1 + 2.23.0 IntegrationSuite.java gpg 8
@@ -54,7 +54,7 @@ io.opentelemetry opentelemetry-bom - 1.32.0 + 1.35.0 pom import
@@ -111,7 +111,7 @@ commons-logging commons-logging - 1.2 + 1.3.0 commons-cli
@@ -121,12 +121,12 @@ org.apache.commons commons-compress - 1.24.0 + 1.26.0 commons-io commons-io - 2.15.0 + 2.15.1
@@ -167,7 +167,7 @@ com.google.api api-common - 2.20.0 + 2.26.0
@@ -222,12 +222,12 @@ io.opentelemetry.instrumentation opentelemetry-grpc-1.6 - 1.32.0-alpha + 2.1.0-alpha io.opentelemetry.proto opentelemetry-proto - 1.0.0-alpha + 1.1.0-alpha
@@ -255,7 +255,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.2 + 3.2.5 ${surefireArgLine}
@@ -267,7 +267,7 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.2.2 + 3.2.5 ${failsafeArgLine}
@@ -314,7 +314,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.11.0 + 3.12.1 ${javaVersion} ${javaVersion}
@@ -619,7 +619,7 @@ org.owasp dependency-check-maven - 8.4.3 + 9.0.9 true true
@@ -695,7 +695,7 @@ com.puppycrawl.tools checkstyle - 10.12.5 + 10.13.0
diff --git a/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java b/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java
index ffae7fea..55e3ba1f 100644
--- a/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java
+++ b/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java
@@ -14,11 +14,27 @@
 
 package org.hyperledger.fabric.sdk.helper;
 
+import com.google.common.collect.ImmutableMap;
+import com.google.protobuf.ByteString;
+import com.google.protobuf.Timestamp;
+import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
+import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA3Digest;
+import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.encoders.Hex;
+
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.UncheckedIOException;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.math.BigDecimal;
@@ -41,22 +57,6 @@
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
-import com.google.common.collect.ImmutableMap;
-import com.google.protobuf.ByteString;
-import com.google.protobuf.Timestamp;
-import org.apache.commons.compress.archivers.ArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
-import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA3Digest;
-import org.bouncycastle.util.Arrays;
-import org.bouncycastle.util.encoders.Hex;
-
 import static java.lang.String.format;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.apache.commons.codec.binary.Hex.encodeHexString;
@@ -144,7 +144,7 @@ public static String generateDirectoryHash(String rootDir, String chaincodeDir,
 hashBuilder.setLength(0);
 hashBuilder.append(Hex.toHexString(hash(toHash, new SHA3Digest())));
 } catch (IOException ex) {
-throw new RuntimeException(format("Error while reading file %s", file.getAbsolutePath()), ex);
+throw new UncheckedIOException(format("Error while reading file %s", file.getAbsolutePath()), ex);
 }
 });
 
@@ -178,7 +178,6 @@ public static byte[] generateTarGz(File sourceDirectory, String pathPrefix, File
 
 Collection childrenFiles = org.apache.commons.io.FileUtils.listFiles(sourceDirectory, null, true);
 
-ArchiveEntry archiveEntry;
 for (File childFile : childrenFiles) {
 String childPath = childFile.getAbsolutePath();
 String relativePath = childPath.substring((sourcePath.length() + 1));
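Review bot: The switch from RuntimeException to UncheckedIOException in the catch block is source- and binary-compatible for callers (UncheckedIOException extends RuntimeException), but the method's Javadoc, which is outside this hunk, should now state it so the contract is discoverable: `@throws UncheckedIOException if a file being hashed cannot be read`. The message still embeds `file.getAbsolutePath()`; that is helpful for local diagnosis, and is worth keeping in mind should this exception ever be surfaced beyond the operator's own logs. generateDirectoryHash starts and ends outside the hunk.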
@@ -193,7 +192,7 @@ public static byte[] generateTarGz(File sourceDirectory, String pathPrefix, File
 logger.trace(format("generateTarGz: Adding '%s' entry from source '%s' to archive.", relativePath, childFile.getAbsolutePath()));
 }
 
-archiveEntry = new TarArchiveEntry(childFile, relativePath);
+TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);
 archiveOutputStream.putArchiveEntry(archiveEntry);
 
 try (FileInputStream fileInputStream = new FileInputStream(childFile)) {
@@ -217,7 +216,7 @@ public static byte[] generateTarGz(File sourceDirectory, String pathPrefix, File
 logger.trace(format("generateTarGz: Adding '%s' entry from source '%s' to archive.", relativePath, childFile.getAbsolutePath()));
 }
 
-archiveEntry = new TarArchiveEntry(childFile, relativePath);
+TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);
 archiveOutputStream.putArchiveEntry(archiveEntry);
 
 try (FileInputStream fileInputStream = new FileInputStream(childFile)) {
@@ -385,7 +384,7 @@ public static boolean isNullOrEmpty(String url) {
 * @return returns a string which does not have unprintable characters and trimmed in length.
 */
 public static String logString(final String string) {
-if (string == null || string.length() == 0) {
+if (string == null || string.isEmpty()) {
 return string;
 }
 
diff --git a/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java b/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java
index f2acb97d..7c2085d5 100644
--- a/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java
+++ b/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java
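Review bot: The hunks at -193 and -217 now hold the same sequence (guarded trace, `new TarArchiveEntry(childFile, relativePath)`, `putArchiveEntry`, then the try-with-resources copy), and the rewrite changed the declaration form in each copy instead of collapsing them. A private static helper taking the output stream, the file and the entry name leaves one place to maintain how an entry is created and released, and both loop branches then reduce to `addFileEntry(archiveOutputStream, childFile, relativePath);`. The body of the existing try block and its finally are outside the hunk and are shown as a placeholder below; generateTarGz itself starts and ends outside the hunk.
```java
// … in both loop branches, the trace / new TarArchiveEntry / putArchiveEntry / try sequence becomes:
addFileEntry(archiveOutputStream, childFile, relativePath);

/** Writes {@code childFile} to the archive as the entry named {@code relativePath}. */
private static void addFileEntry(TarArchiveOutputStream archiveOutputStream, File childFile, String relativePath) throws IOException {
    // … unchanged: the guarded logger.trace("generateTarGz: Adding '%s' entry …") call …
    TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);
    archiveOutputStream.putArchiveEntry(archiveEntry);
    try (FileInputStream fileInputStream = new FileInputStream(childFile)) {
        // … unchanged: body and finally of the existing try block …
```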
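Review bot: The `@return` line two lines above the changed guard does not say that a null or empty input is handed back unchanged, which is exactly what the `string.isEmpty()` branch does, so a caller reading only the Javadoc would expect a non-null result. I would reword it to `@return the input itself when it is {@code null} or empty; otherwise a string which does not have unprintable characters and is trimmed in length`. The rest of logString is outside the hunk.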
@@ -16,6 +16,13 @@
 
 package org.hyperledger.fabric.sdkintegration;
 
+import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
+import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.IOUtils;
+import org.hyperledger.fabric.sdk.helper.Utils;
+
 import java.io.BufferedOutputStream;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -25,14 +32,6 @@
 import java.io.InputStream;
 import java.util.Collection;
 
-import org.apache.commons.compress.archivers.ArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
-import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.io.IOUtils;
-import org.hyperledger.fabric.sdk.helper.Utils;
-
 import static java.lang.String.format;
 
 class Util {
@@ -64,8 +63,6 @@ public static InputStream generateTarGzInputStream(File src, String pathPrefix)
 try {
 Collection childrenFiles = org.apache.commons.io.FileUtils.listFiles(sourceDirectory, null, true);
 
-ArchiveEntry archiveEntry;
-FileInputStream fileInputStream;
 for (File childFile : childrenFiles) {
 String childPath = childFile.getAbsolutePath();
 String relativePath = childPath.substring((sourcePath.length() + 1), childPath.length());
@@ -76,8 +73,8 @@ public static InputStream generateTarGzInputStream(File src, String pathPrefix)
 
 relativePath = FilenameUtils.separatorsToUnix(relativePath);
 
-archiveEntry = new TarArchiveEntry(childFile, relativePath);
-fileInputStream = new FileInputStream(childFile);
+TarArchiveEntry archiveEntry = new TarArchiveEntry(childFile, relativePath);
+FileInputStream fileInputStream = new FileInputStream(childFile);
 archiveOutputStream.putArchiveEntry(archiveEntry);
 
 try {
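Review bot: `fileInputStream` is opened on the added line immediately before `archiveOutputStream.putArchiveEntry(archiveEntry);`, and if that call throws the stream is never closed, because the `try` that presumably releases it only begins afterwards; the rewrite kept this ordering while changing the declarations. If the `finally` that follows this hunk is what closes `fileInputStream`, moving `archiveOutputStream.putArchiveEntry(archiveEntry);` inside the `try` as its first statement is enough; otherwise open the stream in a try-with-resources, as the corresponding loop in `Utils.generateTarGz` already does. The try body, its finally and the rest of generateTarGzInputStream are outside the hunk.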