Fix vulns (#406)

Co-authored-by: mihir gore <mihir@mihirs-MacBook-Pro.local>

hypertrace-ingester/build.gradle.kts

@@ -26,7 +26,7 @@ hypertraceDocker {
 
 dependencies {
 
-  implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.2.14")
+  implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.3.2")
   implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.54")
   implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.54")
 

hypertrace-metrics-generator/hypertrace-metrics-generator/build.gradle.kts

@@ -30,7 +30,7 @@ dependencies {
   implementation(project(":hypertrace-view-generator:hypertrace-view-generator-api"))
   implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.54")
   implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.54")
-  implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.2.14")
+  implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.3.2")
 
   // open telemetry proto
   implementation("io.opentelemetry:opentelemetry-proto:1.7.1-alpha")

hypertrace-metrics-processor/hypertrace-metrics-processor/build.gradle.kts

@@ -31,7 +31,7 @@ dependencies {
   // frameworks
   implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.54")
   implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.53")
-  implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.2.14")
+  implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.3.2")
 
   // open telemetry proto
   implementation("io.opentelemetry:opentelemetry-proto:1.7.1-alpha")

hypertrace-trace-enricher/enriched-span-constants/build.gradle.kts

@@ -21,7 +21,7 @@ protobuf {
   }
   plugins {
     id("grpc_java") {
-      artifact = "io.grpc:protoc-gen-grpc-java:1.56.0"
+      artifact = "io.grpc:protoc-gen-grpc-java:1.57.2"
     }
 
     if (generateLocalGoGrpcFiles) {
@@ -69,7 +69,7 @@ dependencies {
   implementation(project(":span-normalizer:raw-span-constants"))
   implementation(project(":span-normalizer:span-normalizer-constants"))
   implementation(project(":semantic-convention-utils"))
-  implementation("org.hypertrace.entity.service:entity-service-api:0.8.75")
+  implementation("org.hypertrace.entity.service:entity-service-api:0.8.78")
   implementation("com.google.guava:guava:32.0.1-jre")
 
   testImplementation("org.junit.jupiter:junit-jupiter:5.9.0")

hypertrace-trace-enricher/hypertrace-trace-enricher-impl/build.gradle.kts

@@ -17,11 +17,11 @@ dependencies {
   implementation(project(":hypertrace-trace-enricher:trace-reader"))
 
   implementation("org.hypertrace.core.datamodel:data-model:0.1.27")
-  implementation("org.hypertrace.entity.service:entity-service-client:0.8.75")
+  implementation("org.hypertrace.entity.service:entity-service-client:0.8.78")
   implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.54")
-  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.1")
+  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.2")
   implementation("org.hypertrace.config.service:spaces-config-service-api:0.1.52")
-  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.1")
+  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.2")
 
   implementation("org.apache.commons:commons-lang3:3.12.0")
   implementation("org.slf4j:slf4j-api:1.7.30")

hypertrace-trace-enricher/hypertrace-trace-enricher/build.gradle.kts

@@ -34,10 +34,10 @@ dependencies {
   implementation("org.hypertrace.core.datamodel:data-model:0.1.27")
   implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.54")
   implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.54")
-  implementation("org.hypertrace.entity.service:entity-service-client:0.8.75")
+  implementation("org.hypertrace.entity.service:entity-service-client:0.8.78")
 
   implementation("com.google.guava:guava:32.0.1-jre")
-  implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.2.14")
+  implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.3.2")
 
   // Required for the GRPC clients.
   runtimeOnly("io.grpc:grpc-netty:1.56.0")

hypertrace-trace-enricher/trace-reader/build.gradle.kts

@@ -12,9 +12,9 @@ dependencies {
   api("org.hypertrace.entity.service:entity-data-service-rx-client:0.8.75")
   api("org.hypertrace.core.datamodel:data-model:0.1.27")
   implementation("org.hypertrace.core.attribute.service:attribute-projection-registry:0.14.26")
-  implementation("org.hypertrace.core.grpcutils:grpc-client-rx-utils:0.12.1")
-  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.1")
-  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.1")
+  implementation("org.hypertrace.core.grpcutils:grpc-client-rx-utils:0.12.2")
+  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.2")
+  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.2")
   implementation("io.reactivex.rxjava3:rxjava:3.0.11")
   implementation("com.google.guava:guava:32.0.1-jre")
 

hypertrace-view-generator/hypertrace-view-creator/build.gradle.kts

@@ -23,7 +23,7 @@ dependencies {
   }
 
   implementation(project(":hypertrace-view-generator:hypertrace-view-generator-api"))
-  implementation("org.hypertrace.core.viewcreator:view-creator-framework:0.4.15") {
+  implementation("org.hypertrace.core.viewcreator:view-creator-framework:0.4.16") {
     // excluding unused but vulnerable tpls
     exclude("org.apache.calcite.avatica")
     exclude("org.apache.calcite")

hypertrace-view-generator/hypertrace-view-generator/build.gradle.kts

@@ -37,7 +37,7 @@ dependencies {
   implementation("org.hypertrace.core.datamodel:data-model:0.1.27")
   implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.54")
 
-  implementation("org.hypertrace.entity.service:entity-service-api:0.8.75")
+  implementation("org.hypertrace.entity.service:entity-service-api:0.8.78")
 
   implementation("org.apache.avro:avro:1.11.1")
   implementation("org.apache.commons:commons-lang3:3.12.0")

owasp-suppressions.xml

@@ -75,4 +75,33 @@
     <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
     <cve>CVE-2023-35116</cve>
   </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: avro-partitioners-0.2.13.jar. Affects go based projects
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.hypertrace\.core\.kafkastreams\.framework/avro\-partitioners@.*$</packageUrl>
+    <cve>CVE-2023-37475</cve>
+  </suppress>
+  <suppress until="2023-08-30Z">
+    <notes><![CDATA[
+   Not yet fixed in quartz. file name: quartz-2.3.2.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.quartz\-scheduler/quartz@.*$</packageUrl>
+    <cve>CVE-2023-39017</cve>
+  </suppress>
+  <suppress until="2023-11-30Z">
+    <notes><![CDATA[
+   file name: json-20230618.jar
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+    <cve>CVE-2022-45688</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+   file name: jackson-databind-2.15.2.jar https://github.com/FasterXML/jackson-databind/issues/3973 The maintainers
+   have rejected the CVE
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+    <cve>CVE-2023-35116</cve>
+  </suppress>
 </suppressions>

raw-spans-grouper/raw-spans-grouper/build.gradle.kts

@@ -37,13 +37,13 @@ dependencies {
   implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.54")
   implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.54")
 
-  implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.2.14")
-  implementation("org.hypertrace.core.kafkastreams.framework:weighted-group-partitioner:0.2.14")
+  implementation("org.hypertrace.core.kafkastreams.framework:kafka-streams-framework:0.3.2")
+  implementation("org.hypertrace.core.kafkastreams.framework:weighted-group-partitioner:0.3.2")
   implementation("de.javakaffee:kryo-serializers:0.45")
   implementation("com.google.guava:guava:32.0.1-jre")
 
   // Required for the GRPC clients.
-  runtimeOnly("io.grpc:grpc-netty:1.56.0")
+  runtimeOnly("io.grpc:grpc-netty:1.57.2")
 
   // Logging
   implementation("org.slf4j:slf4j-api:1.7.30")

span-normalizer/raw-span-constants/build.gradle.kts

@@ -19,7 +19,7 @@ protobuf {
   }
   plugins {
     id("grpc_java") {
-      artifact = "io.grpc:protoc-gen-grpc-java:1.56.0"
+      artifact = "io.grpc:protoc-gen-grpc-java:1.57.2"
     }
 
     if (generateLocalGoGrpcFiles) {

span-normalizer/span-normalizer-api/build.gradle.kts

@@ -20,7 +20,7 @@ protobuf {
   }
   plugins {
     id("grpc_java") {
-      artifact = "io.grpc:protoc-gen-grpc-java:1.56.0"
+      artifact = "io.grpc:protoc-gen-grpc-java:1.57.2"
     }
 
     if (generateLocalGoGrpcFiles) {

span-normalizer/span-normalizer/build.gradle.kts

@@ -41,12 +41,12 @@ dependencies {
   implementation("org.hypertrace.core.kafkastreams.framework:weighted-group-partitioner:0.2.14")
   implementation("org.hypertrace.config.service:span-processing-config-service-api:0.1.52")
   implementation("org.hypertrace.config.service:span-processing-utils:0.1.52")
-  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.1")
-  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.1")
+  implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.2")
+  implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.2")
   implementation("com.google.guava:guava:32.0.1-jre")
 
   // Required for the GRPC clients.
-  runtimeOnly("io.grpc:grpc-netty:1.56.0")
+  runtimeOnly("io.grpc:grpc-netty:1.57.2")
   annotationProcessor("org.projectlombok:lombok:1.18.18")
   compileOnly("org.projectlombok:lombok:1.18.18")