From a3d9f2e86d29b3baa20d15cb143c71ab15c1f06a Mon Sep 17 00:00:00 2001 From: Usman Saleem Date: Mon, 16 Oct 2023 12:45:08 +1000 Subject: [PATCH 01/11] Upgrade Azure libraries to fix CVE-2023-36415 -- suppress CVE for azure-identity 1.10.2 to 1.10.9 as it is only applicable on 1.10.1 and lower. --- gradle/owasp-suppression.xml | 7 +++++++ gradle/versions.gradle | 8 ++++++++ 2 files changed, 15 insertions(+) diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml index db08b7a7..bcaf2a79 100644 --- a/gradle/owasp-suppression.xml +++ b/gradle/owasp-suppression.xml @@ -1,6 +1,13 @@ + + + ^pkg:maven/com\.azure/azure\-identity@1\.10\.[2-9]$ + CVE-2023-36415 + Date: Mon, 16 Oct 2023 12:52:36 +1000 Subject: [PATCH 02/11] Upgrade web3j core version to 4.10.3 --- gradle/versions.gradle | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gradle/versions.gradle b/gradle/versions.gradle index e8efd45a..86e6ec3e 100644 --- a/gradle/versions.gradle +++ b/gradle/versions.gradle @@ -74,10 +74,11 @@ dependencyManagement { entry 'mockito-junit-jupiter' } - dependencySet(group: 'org.web3j', version: '4.9.4') { + dependencySet(group: 'org.web3j', version: '4.10.2') { entry 'besu' entry ('core') { exclude group: 'com.github.jnr', name: 'jnr-unixsocket' + exclude group: 'org.bouncycastle', name: 'bcprov-jdk15on' } entry ('crypto') { exclude group: 'org.bouncycastle', name: 'bcprov-jdk15on' From bee30ca86caea775c26d846a537f1a53360bf44b Mon Sep 17 00:00:00 2001 From: Usman Saleem Date: Mon, 16 Oct 2023 13:06:16 +1000 Subject: [PATCH 03/11] Upgrade web3j core version to 4.10.3 --- gradle/versions.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle/versions.gradle b/gradle/versions.gradle index 86e6ec3e..19e29dda 100644 --- a/gradle/versions.gradle +++ b/gradle/versions.gradle 
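Review bot: The new azure-identity entry in gradle/owasp-suppression.xml carries no visible expiry, so the CVE-2023-36415 finding stays silenced for the 1.10.2–1.10.9 range indefinitely even if the advisory is later revised; dependency-check's `<suppress until="<review-date>Z">` attribute (placeholder date) would force a periodic re-check. The XML markup of this hunk appears to have been lost in rendering, so the attribute may already be there — worth confirming against the file itself. The regex is anchored to `1\.10\.[2-9]` only, which means a bump to 1.10.10 or 1.11.x will re-surface the finding; that is the safe direction, but the commit message's claim that the CVE is "only applicable on 1.10.1 and lower" belongs in the entry's `<notes>` element so the next reader can verify why the range was chosen.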
@@ -74,7 +74,7 @@ dependencyManagement { entry 'mockito-junit-jupiter' } - dependencySet(group: 'org.web3j', version: '4.10.2') { + dependencySet(group: 'org.web3j', version: '4.10.3') { entry 'besu' entry ('core') { exclude group: 'com.github.jnr', name: 'jnr-unixsocket' From 11465b757e9bbaf9910fb4dfe5f375739e33b350 Mon Sep 17 00:00:00 2001 From: Usman Saleem Date: Mon, 16 Oct 2023 13:21:26 +1000 Subject: [PATCH 04/11] Use Java 17. -- Update spotless plugin -- Fix javadoc -- Update circleci -- Update dockerfile --- .circleci/config.yml | 10 ++++------ CHANGELOG.md | 3 +++ build.gradle | 13 ++++++------- docker/Dockerfile | 2 +- .../tech/pegasys/ethsigner/core/util/ByteUtils.java | 2 +- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 3887e234..2374a6f3 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -7,7 +7,7 @@ orbs: executors: executor_med: # 2cpu, 4G ram docker: - - image: cimg/openjdk:11.0 + - image: cimg/openjdk:17.0 auth: username: $DOCKER_USER_RO password: $DOCKER_PASSWORD_RO @@ -19,7 +19,7 @@ executors: executor_large: # 4cpu, 8G ram docker: - - image: cimg/openjdk:11.0 + - image: cimg/openjdk:17.0 auth: username: $DOCKER_USER_RO password: $DOCKER_PASSWORD_RO @@ -154,8 +154,7 @@ jobs: executor: executor_med steps: - prepare - - setup_remote_docker: - version: 20.10.11 + - setup_remote_docker - attach_workspace: at: ~/project - run: @@ -190,8 +189,7 @@ jobs: executor: executor_med steps: - prepare - - setup_remote_docker: - version: 20.10.11 + - setup_remote_docker - attach_workspace: at: ~/project - run: diff --git a/CHANGELOG.md b/CHANGELOG.md index 063823fa..fe2d4984 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
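Review bot: Dropping `version: 20.10.11` from both `setup_remote_docker` steps in .circleci/config.yml (hunks @@ -154 and @@ -190) means the remote Docker engine version now floats with CircleCI's default instead of being pinned in the repository, so image builds are no longer reproducible from the config alone. If the pin was removed because that version is no longer offered, a one-line comment on the step (`# engine version pin dropped: use CircleCI default`) would stop the next reader from re-adding it. The two job definitions these steps belong to start outside the hunks.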
@@ -3,10 +3,13 @@ ## Next release ## Features Added +- Build and docker image to use Java 17 - Updated Docker image to use the latest Ubuntu LTS image ### Bugs Fixed - Update grpc to version 1.57.2 to fix CVE-2023-33953 +- Update Azure libraries to fix CVE-2023-36415 +- Update web3j core to 4.10.3 to fix okhttp logging interceptor version to fix CVE-2023-0833 ## 23.6.0 diff --git a/build.gradle b/build.gradle index 11cb2466..c0db6f86 100644 --- a/build.gradle +++ b/build.gradle @@ -30,7 +30,7 @@ buildscript { } plugins { - id 'com.diffplug.spotless' version '6.2.0' + id 'com.diffplug.spotless' version '6.22.0' id 'com.github.jk1.dependency-license-report' version '2.0' id 'io.spring.dependency-management' version '1.0.11.RELEASE' id 'me.champeau.gradle.jmh' version '0.5.3' apply false @@ -43,8 +43,8 @@ String repositoryName = projectName.toLowerCase() String projectHome = projectName.toUpperCase() + "_HOME" -if (!JavaVersion.current().java11Compatible) { - throw new GradleException("Java 11 or later is required to build " + projectName + ".\n" + +if (!JavaVersion.current().isCompatibleWith(JavaVersion.VERSION_17)) { + throw new GradleException("Java 17 or later is required to build Web3Signer.\n" + " Detected version ${JavaVersion.current()}") } @@ -115,8 +115,8 @@ allprojects { from javadoc.destinationDir } - sourceCompatibility = 11 - targetCompatibility = 11 + sourceCompatibility = 17 + targetCompatibility = 17 repositories { mavenCentral() @@ -135,7 +135,7 @@ allprojects { exclude '**/.gradle/**' } removeUnusedImports() - googleJavaFormat('1.7') + googleJavaFormat('1.10.0') importOrder 'tech.pegasys', 'java', '' trimTrailingWhitespace() endWithNewline() @@ -250,7 +250,6 @@ allprojects { options.addStringOption('Xwerror', '-html5') options.encoding = 'UTF-8' } - } task deploy() {} diff --git a/docker/Dockerfile b/docker/Dockerfile index 1a06387c..9875e0c7 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
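Review bot: The new Java-version check in build.gradle (hunk @@ -43) hard-codes a product name in its error message — `"Java 17 or later is required to build Web3Signer.\n"` — while the line it replaces, and `repositoryName`/`projectHome` just above it, derive the name from `projectName`, and every path in this series sits under `ethsigner/`. This reads like a copy from another repository's build script; keep the message templated: `throw new GradleException("Java 17 or later is required to build " + projectName + ".\n" +`. The switch to `isCompatibleWith(JavaVersion.VERSION_17)` itself is the right replacement for the removed `java11Compatible` flag.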
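Review bot: The lone `}` removed at hunk @@ -250 of build.gradle has no matching addition in any of the file's hunks (the diffstat's 6 insertions / 7 deletions are all accounted for above it), so a brace that previously closed a block before `task deploy() {}` is simply gone and the commit message does not say why. If the file still parses, something not visible in this patch must have made it redundant; a sentence in the message, or a trailing comment such as `} // end allprojects`, would let a reviewer confirm the structure without checking out the branch. The block that brace closed starts outside the hunk.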
@@ -1,4 +1,4 @@ -FROM eclipse-temurin:11 as jre-build +FROM eclipse-temurin:17 as jre-build # Create a custom Java runtime RUN JAVA_TOOL_OPTIONS="-Djdk.lang.Process.launchMechanism=vfork" "$JAVA_HOME/bin/jlink" \ diff --git a/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/util/ByteUtils.java b/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/util/ByteUtils.java index 88b11851..b0145ddf 100644 --- a/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/util/ByteUtils.java +++ b/ethsigner/core/src/main/java/tech/pegasys/ethsigner/core/util/ByteUtils.java @@ -19,7 +19,7 @@ public class ByteUtils { /** * Omitting sign indication byte.
*
- * Instead of {@link org.bouncycastle.util.BigIntegers#asUnsignedByteArray(BigInteger)}
+ * Instead of org.bouncycastle.util.BigIntegers#asUnsignedByteArray(BigInteger)
* we use this custom method to avoid an empty array in case of BigInteger.ZERO * * @param value - any big integer number. A null-value will return null From ec67606f247f9ceaa8dd7abb3ac1596b2a4c5179 Mon Sep 17 00:00:00 2001 From: Usman Saleem Date: Mon, 16 Oct 2023 13:30:55 +1000 Subject: [PATCH 05/11] Use Java 17 in trivy github action --- .github/workflows/trivy-analysis.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml index c15eec3a..51024782 100644 --- a/.github/workflows/trivy-analysis.yml +++ b/.github/workflows/trivy-analysis.yml @@ -20,8 +20,11 @@ jobs: runs-on: "ubuntu-20.04" steps: - name: Checkout code - uses: actions/checkout@v2 - + uses: actions/checkout@v3 + - uses: actions/setup-java@v3 + with: + distribution: 'temurin' + java-version: '17' - name: Build an image from Dockerfile run: | ./gradlew --no-daemon --parallel build -x test distDocker From f9f3897004edec25505a917043be77f5464a0372 Mon Sep 17 00:00:00 2001 From: Usman Saleem Date: Mon, 16 Oct 2023 13:38:43 +1000 Subject: [PATCH 06/11] Update codeql analysis github workflow --- .github/workflows/codeql-analysis.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ed697104..5638b222 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,11 +38,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
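Review bot: Replacing the `{@link}` with bare text in the ByteUtils javadoc keeps the doc build from failing when bouncycastle is not on the javadoc classpath (presumably the `-Xwerror` setting visible in build.gradle), but it also drops the monospace rendering of the reference; `{@code org.bouncycastle.util.BigIntegers#asUnsignedByteArray(BigInteger)}` keeps it readable as an identifier without requiring the symbol to resolve. The method this comment documents starts outside the hunk.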
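Review bot: The actions added or bumped in .github/workflows/trivy-analysis.yml (`actions/checkout@v3`, `actions/setup-java@v3`) and in the three codeql-analysis.yml hunks (`github/codeql-action/init|autobuild|analyze@v2`) are referenced by mutable major-version tags, so each run executes whatever those tags point to that day; pinning every `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/setup-java@<full-commit-sha> # v3` (placeholder), makes the CI supply chain reproducible and auditable. Dependabot or Renovate can keep such SHA pins current. The `steps:` lists these entries belong to start outside the hunks.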
@@ -53,7 +53,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 From d4435d03b9a9b9a90565b53bb066dcd547884dcf Mon Sep 17 00:00:00 2001 From: Usman Saleem Date: Mon, 16 Oct 2023 13:54:55 +1000 Subject: [PATCH 07/11] web3j 4.10.2 --- ethsigner/core/build.gradle | 1 + gradle/versions.gradle | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ethsigner/core/build.gradle b/ethsigner/core/build.gradle index da92f0e0..08761e51 100644 --- a/ethsigner/core/build.gradle +++ b/ethsigner/core/build.gradle @@ -69,6 +69,7 @@ dependencies { integrationTestImplementation 'org.mockito:mockito-core' integrationTestImplementation 'org.mockito:mockito-junit-jupiter' integrationTestImplementation 'org.awaitility:awaitility' + integrationTestImplementation 'org.web3j:crypto' integrationTestRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine' } diff --git a/gradle/versions.gradle b/gradle/versions.gradle index 19e29dda..86e6ec3e 100644 --- a/gradle/versions.gradle +++ b/gradle/versions.gradle @@ -74,7 +74,7 @@ dependencyManagement { entry 'mockito-junit-jupiter' } - dependencySet(group: 'org.web3j', version: '4.10.3') { + dependencySet(group: 'org.web3j', version: '4.10.2') { entry 'besu' entry ('core') { exclude group: 'com.github.jnr', name: 'jnr-unixsocket' From a29ad2326683f53df02c69fc3c341be6156035ec Mon Sep 17 00:00:00 2001 From: Usman Saleem Date: Mon, 16 Oct 2023 13:57:48 +1000 Subject: [PATCH 08/11] okhttp logging-interceptor override --- gradle/versions.gradle | 5 +++++ 1 file changed, 5 insertions(+) 
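Review bot: This hunk in gradle/versions.gradle moves web3j back from 4.10.3 to 4.10.2 with a one-word commit message, reverting patch 03 of the same series, and nothing in the commit says why; the logging-interceptor override added in the following patch is the only hint. A sentence in the commit message, or a comment on the `dependencySet` line such as `// pinned at 4.10.2; okhttp logging-interceptor CVE handled by the override above`, would stop the next upgrade from re-applying 4.10.3 blindly, and squashing patches 02/03/07 before merge would remove the back-and-forth from history altogether. The `ethsigner/core/build.gradle` addition in this commit is undone by patch 10, so it needs no separate review.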
diff --git a/gradle/versions.gradle b/gradle/versions.gradle index 86e6ec3e..9f14b355 100644 --- a/gradle/versions.gradle +++ b/gradle/versions.gradle @@ -23,6 +23,11 @@ dependencyManagement { dependency 'com.google.guava:guava:32.0.1-jre' dependency 'com.squareup.okhttp3:okhttp:4.11.0' + /* + com.squareup.okhttp3:logging-interceptor:4.9.0 // CVE-2023-0833 + \--- org.web3j:core:4.10.2 + */ + dependency 'com.squareup.okhttp3:logging-interceptor:4.11.0' dependency 'commons-io:commons-io:2.11.0' From fd890716cabddf80508dea26344be9f228e88483 Mon Sep 17 00:00:00 2001 From: Usman Saleem Date: Mon, 16 Oct 2023 14:29:46 +1000 Subject: [PATCH 09/11] changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe2d4984..c82c035b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ ### Bugs Fixed - Update grpc to version 1.57.2 to fix CVE-2023-33953 - Update Azure libraries to fix CVE-2023-36415 -- Update web3j core to 4.10.3 to fix okhttp logging interceptor version to fix CVE-2023-0833 +- Update okhttp logging interceptor version to fix CVE-2023-0833 ## 23.6.0 From a7d4c9bb0f2c098b98178e53896f26c8a686989a Mon Sep 17 00:00:00 2001 From: Usman Saleem Date: Mon, 16 Oct 2023 14:30:54 +1000 Subject: [PATCH 10/11] reverting core build.gradle --- ethsigner/core/build.gradle | 1 - 1 file changed, 1 deletion(-) diff --git a/ethsigner/core/build.gradle b/ethsigner/core/build.gradle index 08761e51..da92f0e0 100644 --- a/ethsigner/core/build.gradle +++ b/ethsigner/core/build.gradle @@ -69,7 +69,6 @@ dependencies { integrationTestImplementation 'org.mockito:mockito-core' integrationTestImplementation 'org.mockito:mockito-junit-jupiter' integrationTestImplementation 'org.awaitility:awaitility' - integrationTestImplementation 'org.web3j:crypto' integrationTestRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine' } From 7b830570035dd04daa3dc6487b18ce369faee8df Mon Sep 17 00:00:00 2001 
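Review bot: The new `logging-interceptor:4.11.0` pin in gradle/versions.gradle documents the vulnerable transitive path (4.9.0 via `org.web3j:core:4.10.2`, CVE-2023-0833) but not when the pin can go away, which is exactly what the next web3j bump will ask; extend the comment with the removal condition, e.g. `// remove once org.web3j:core pulls logging-interceptor >= 4.11.0`. Placing it next to the existing `okhttp:4.11.0` line, as done here, at least keeps the two okhttp artifacts together for future bumps. The `dependencyManagement` block starts outside the hunk.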
From: Usman Saleem Date: Mon, 16 Oct 2023 21:53:19 +1000 Subject: [PATCH 11/11] Add web3j in changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c82c035b..99d21954 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ ## Features Added - Build and docker image to use Java 17 - Updated Docker image to use the latest Ubuntu LTS image +- Updated web3j library to 4.10.2 ### Bugs Fixed - Update grpc to version 1.57.2 to fix CVE-2023-33953