From 7283423c63040f976bbef0303d9ecc9f9de10d5c Mon Sep 17 00:00:00 2001
From: Simon Dudley <simon.dudley@consensys.net>
Date: Fri, 27 Oct 2023 12:59:44 +1000
Subject: [PATCH] Re-add suppression in for false positive CVE-2023-4586

---
 build.gradle                 |  2 +-
 gradle/owasp-suppression.xml | 14 +++++++++++++-
 gradle/versions.gradle       |  2 +-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index cb287d77..eaeb4c89 100644
--- a/build.gradle
+++ b/build.gradle
@@ -25,7 +25,7 @@ buildscript {
   dependencies {
     // custom license-reporter used by com.github.jk1.dependency-license-report plugin
     classpath 'tech.pegasys.internal.license.reporter:license-reporter:1.0.1'
-    classpath 'org.owasp:dependency-check-gradle:8.4.0'
+    classpath 'org.owasp:dependency-check-gradle:8.4.2'
   }
 }
 
diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
index 43d872f5..ab9a1820 100644
--- a/gradle/owasp-suppression.xml
+++ b/gradle/owasp-suppression.xml
@@ -1,9 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <!-- See https://jeremylong.github.io/DependencyCheck/general/suppression.html for examples -->
-    <suppress until="2023-12-16">
+    <suppress until="2024-01-16">
+        <notes><![CDATA[
+        Temporary suppression, as it's arguably a false positive: https://github.com/netty/netty/issues/8537#issuecomment-1527896917
+        The correct thing to do is ensure hostname verification is enabled: https://codetinkering.com/enable-hostname-verification-netty/
+        This is indeed the case for Azure, which is the netty-handler: https://github.com/Azure/azure-sdk-for-java/issues/18286#issuecomment-947958978
+        The other vulnerable lib is besu-metrics, which might want looking at, will see if this CVE gets flagged in besu first
+        file name: netty-handler-4.1.100.Final.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty*@*.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+    </suppress>
+    <suppress until="2024-01-16">
         <notes><![CDATA[
         Suppress CVE-2023-36415 as this should only be applicable on version up to but excluding 1.10.2.
+        https://github.com/jeremylong/DependencyCheck/issues/5992
         ]]></notes>
         <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@1\.10\.[2-9]$</packageUrl>
         <vulnerabilityName>CVE-2023-36415</vulnerabilityName>
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
index 8ee62a10..14c7f867 100644
--- a/gradle/versions.gradle
+++ b/gradle/versions.gradle
@@ -112,7 +112,7 @@ dependencyManagement {
       entry 'protobuf-java'
       entry 'protobuf-java-util'
     }
-    dependencySet(group: 'io.grpc', version: '1.57.2') {
+    dependencySet(group: 'io.grpc', version: '1.59.0') {
       entry 'grpc-api'
       entry 'grpc-context'
       entry 'grpc-core'