CORDA-351: force update dependencies and suppress vulnerabilities not… (#1944)

* CORDA-351: force update dependencies and suppress vulnerabilities not affecting corda

* CORDA-351: force update dependencies and suppress vulnerabilities not affecting corda

.ci/dependency-checker/suppressedLibraries.xml

@@ -10,5 +10,22 @@
       <cpe>cpe:/a:apache:struts:2.0.0</cpe>
    </suppress>
     -->
-
+    <suppress>
+        <!-- Vulnerability when using SSLv2 Hello messages. Corda uses TLS1.2-->
+        <notes><![CDATA[file name: catalyst-netty-1.1.2.jar]]></notes>
+        <gav regex="true">^io\.atomix\.catalyst:catalyst-netty:.*$</gav>
+        <cve>CVE-2014-3488</cve>
+    </suppress>
+    <suppress>
+        <!-- Vulnerability to LDAP poisoning attacks. Corda doesn't use LDAP-->
+        <notes><![CDATA[file name: groovy-all-1.8.9.jar]]></notes>
+        <gav regex="true">^commons-cli:commons-cli:.*$</gav>
+        <cve>CVE-2016-6497</cve>
+    </suppress>
+    <suppress>
+        <!-- Java objects serialization disabled in Corda -->
+        <notes><![CDATA[file name: groovy-all-1.8.9.jar]]></notes>
+        <gav regex="true">^commons-cli:commons-cli:.*$</gav>
+        <cve>CVE-2015-3253</cve>
+    </suppress>
 </suppressions>

build.gradle

@@ -22,19 +22,19 @@ buildscript {
 
     ext.asm_version = '0.5.3'
     ext.artemis_version = '2.1.0'
-    ext.jackson_version = '2.8.5'
+    ext.jackson_version = '2.9.2'
-    ext.jetty_version = '9.3.9.v20160517'
+    ext.jetty_version = '9.4.7.v20170914'
     ext.jersey_version = '2.25'
     ext.jolokia_version = '2.0.0-M3'
-    ext.assertj_version = '3.6.1'
+    ext.assertj_version = '3.8.0'
     ext.slf4j_version = '1.7.25'
-    ext.log4j_version = '2.7'
+    ext.log4j_version = '2.9.1'
     ext.bouncycastle_version = constants.getProperty("bouncycastleVersion")
     ext.guava_version = constants.getProperty("guavaVersion")
     ext.okhttp_version = '3.5.0'
     ext.netty_version = '4.1.9.Final'
     ext.typesafe_config_version = constants.getProperty("typesafeConfigVersion")
-    ext.fileupload_version = '1.3.2'
+    ext.fileupload_version = '1.3.3'
     ext.junit_version = '4.12'
     ext.mockito_version = '2.10.0'
     ext.jopt_simple_version = '5.0.2'
@@ -46,6 +46,8 @@ buildscript {
     ext.dokka_version = '0.9.14'
     ext.eddsa_version = '0.2.0'
     ext.dependency_checker_version = '3.0.1'
+    ext.commons_collections_version = '4.1'
+    ext.beanutils_version = '1.9.3'
 
     // Update 121 is required for ObjectInputFilter and at time of writing 131 was latest:
     ext.java8_minUpdateVersion = '131'

client/jfx/build.gradle

@@ -37,6 +37,9 @@ dependencies {
     compile 'org.fxmisc.easybind:easybind:1.0.3'
 
     // Artemis Client: ability to connect to an Artemis broker and control it.
+    // TODO: remove the forced update of commons-collections and beanutils when artemis updates them
+    compile "org.apache.commons:commons-collections4:${commons_collections_version}"
+    compile "commons-beanutils:commons-beanutils:${beanutils_version}"
     compile "org.apache.activemq:artemis-core-client:${artemis_version}"
 
     // Unit testing helpers.

node-api/build.gradle

@@ -11,6 +11,10 @@ dependencies {
     compile "org.jetbrains.kotlin:kotlin-stdlib-jre8:$kotlin_version"
     compile "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
     testCompile "org.jetbrains.kotlin:kotlin-test:$kotlin_version"
+
+    // TODO: remove the forced update of commons-collections and beanutils when artemis updates them
+    compile "org.apache.commons:commons-collections4:${commons_collections_version}"
+    compile "commons-beanutils:commons-beanutils:${beanutils_version}"
     compile "org.apache.activemq:artemis-core-client:${artemis_version}"
     compile "org.apache.activemq:artemis-commons:${artemis_version}"
 

node/build.gradle

@@ -95,6 +95,9 @@ dependencies {
     compile "net.sf.jopt-simple:jopt-simple:$jopt_simple_version"
 
     // Artemis: for reliable p2p message queues.
+    // TODO: remove the forced update of commons-collections and beanutils when artemis updates them
+    compile "org.apache.commons:commons-collections4:${commons_collections_version}"
+    compile "commons-beanutils:commons-beanutils:${beanutils_version}"
     compile "org.apache.activemq:artemis-server:${artemis_version}"
     compile "org.apache.activemq:artemis-core-client:${artemis_version}"
     runtime ("org.apache.activemq:artemis-amqp-protocol:${artemis_version}") {

verifier/build.gradle

@@ -33,6 +33,10 @@ dependencies {
     compile "org.jetbrains.kotlin:kotlin-stdlib-jre8:$kotlin_version"
     compile "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
     testCompile "org.jetbrains.kotlin:kotlin-test:$kotlin_version"
+
+    // TODO: remove the forced update of commons-collections and beanutils when artemis updates them
+    compile "org.apache.commons:commons-collections4:${commons_collections_version}"
+    compile "commons-beanutils:commons-beanutils:${beanutils_version}"
     compile "org.apache.activemq:artemis-core-client:${artemis_version}"
 
     // Log4J: logging framework (with SLF4J bindings)

webserver/build.gradle

@@ -49,6 +49,9 @@ dependencies {
     compile "net.sf.jopt-simple:jopt-simple:$jopt_simple_version"
 
     // Jersey for JAX-RS implementation for use in Jetty
+    // TODO: remove force upgrade when jersey catches up
+    compile "org.eclipse.jetty:jetty-continuation:${jetty_version}"
+
     compile "org.glassfish.jersey.core:jersey-server:$jersey_version"
     compile "org.glassfish.jersey.containers:jersey-container-servlet-core:$jersey_version"
     compile "org.glassfish.jersey.containers:jersey-container-jetty-http:$jersey_version"