Update tool versions and dependencies #187
Conversation
bestbeforetoday
commented
Jun 2, 2023
•
bestbeforetoday
commented
- Remove several unnecessary dependencies from Java package.
- Update Makefile to latest toolchain and to work on Arm64 Mac.
- Add security vulnerability scan.
- Update dependencies to address CVE-2023-2976
| cache: maven | ||
| - name: Scan | ||
| run: make scan-java | ||
| - name: "Archive dependency-check report" |
There was a problem hiding this comment.
Should Go and node also upload a scan report?
There was a problem hiding this comment.
They don’t generate any report file, only outputting to the console, which can be viewed in the build log. Only the Java scan actually outputs a separate report with more information than output to the console.
- Remove several unnecessary dependencies from Java package. - Update Makefile to latest toolchain and to work on Arm64 Mac. - Add security vulnerability scan. Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
bestbeforetoday
force-pushed
the
dependencies
branch
from
9c1675e
to
15b440c
Compare
|
Use OSV-Scanner (on a generated SBOM) instead of the Maven dependency-check plugin, since OSV-Scanner seems to require less maintenance and produces fewer false positives. |
bestbeforetoday
force-pushed
the
dependencies
branch
from
94ed26e
to
57d1671
Compare
|
@denyeart Please review this and merge once you are happy. It addresses security vulnerabilities so it will need to be back-ported to 0.2.x (for Fabric v2.5 LTS) and a release published to allow client APIs to pick it up. |
Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
bestbeforetoday
force-pushed
the
dependencies
branch
from
57d1671
to
bcc5ba6
Compare
| @@ -3,14 +3,14 @@ module github.com/hyperledger/fabric-protos-go-apiv2 | |||
| go 1.17 | |||
|
|
|||
| require ( | |||
| google.golang.org/grpc v1.46.2 | |||
| google.golang.org/protobuf v1.28.0 | |||
| google.golang.org/grpc v1.57.0 | |||
There was a problem hiding this comment.
Fabric core repository is having an issue with the grpc update, I meant to look into that before merging this one, let me go back and look into that further...
There was a problem hiding this comment.
This should not impact Fabric core. This is an update to fabric-protos-apiv2, which is not used by Fabric core. fabric-gateway does use this package, but fabric-gateway is also using the same gRPC version and tests are passing fine:
There was a problem hiding this comment.
Ok cool, will merge.
I did find the issue with grpc update in core fabric so I will resolve that separately.
