Update tool versions and dependencies #187
bestbeforetoday commented Jun 2, 2023 (edited)
- Remove several unnecessary dependencies from Java package.
- Update Makefile to latest toolchain and to work on Arm64 Mac.
- Add security vulnerability scan.
- Update dependencies to address CVE-2023-2976.
cache: maven | ||
- name: Scan | ||
run: make scan-java | ||
- name: "Archive dependency-check report" |
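Review bot: the "Archive dependency-check report" step is placed after the Scan step, so if `make scan-java` exits non-zero on findings the report is never uploaded, which is exactly when it is most needed; consider adding `if: always()` to the archive step so the report is collected on failure as well. Since a later commit on this PR switches Java scanning to OSV-Scanner over a generated SBOM, the step name and archived report path should also be checked to still match what the scan actually produces.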
Should Go and node also upload a scan report?
They don’t generate any report file, only outputting to the console, which can be viewed in the build log. Only the Java scan actually outputs a separate report with more information than output to the console.
Aha, that makes sense then! :)
- Remove several unnecessary dependencies from Java package.
- Update Makefile to latest toolchain and to work on Arm64 Mac.
- Add security vulnerability scan.

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>

9c1675e to 15b440c
Use OSV-Scanner (on a generated SBOM) instead of the Maven dependency-check plugin, since OSV-Scanner seems to require less maintenance and produces fewer false positives.

94ed26e to 57d1671
@denyeart Please review this and merge once you are happy. It addresses security vulnerabilities so it will need to be back-ported to 0.2.x (for Fabric v2.5 LTS) and a release published to allow client APIs to pick it up.

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>

57d1671 to bcc5ba6
@@ -3,14 +3,14 @@ module github.com/hyperledger/fabric-protos-go-apiv2 | |||
go 1.17 | |||
|
|||
require ( | |||
google.golang.org/grpc v1.46.2 | |||
google.golang.org/protobuf v1.28.0 | |||
google.golang.org/grpc v1.57.0 |
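Review bot: the hunk removes both the grpc v1.46.2 and protobuf v1.28.0 require lines but only the replacement grpc v1.57.0 line is visible here; since the header is -3,14 +3,14 a second added line is expected, so please confirm the matching protobuf bump is present and that go.sum was regenerated (go mod tidy) so the new module versions are pinned with their checksums. Since the PR description ties this change to CVE-2023-2976, it would also help to state in the commit message which of these bumps addresses that advisory and which are routine version updates.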
Fabric core repository is having an issue with the grpc update, I meant to look into that before merging this one, let me go back and look into that further...
This should not impact Fabric core. This is an update to fabric-protos-apiv2, which is not used by Fabric core. fabric-gateway does use this package, but fabric-gateway is also using the same gRPC version and tests are passing fine:
Ok cool, will merge.
I did find the issue with grpc update in core fabric so I will resolve that separately.