Update dependencies to address CVE-2024-7254 (#240)

This vulnerability affects the Java bindings. Go and Node bindings are also updated; as are the tooling versions used to build the bindings. Note that the Node bindings are now built targeting Node 18, since this is the oldest currently supported LTS release. Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
hyperledger · Sep 23, 2024 · 8e482ea · 8e482ea
1 parent af35fc5
commit 8e482ea
Show file tree

Hide file tree

Showing 16 changed files with 340 additions and 2,928 deletions.
diff --git a/.github/workflows/ci-checks.yml b/.github/workflows/ci-checks.yml
@@ -45,8 +45,8 @@ jobs:
 
     - uses: actions/setup-java@v4
       with:
-        distribution: 'temurin'
-        java-version: '8'
+        distribution: temurin
+        java-version: 21
 
     - name: Check package.json version
       working-directory: bindings/node
@@ -74,7 +74,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: 1.21.6
+        go-version: stable
         cache: false
 
     - name: Cache build dependencies

diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -42,7 +42,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: 1.21.6
+        go-version: stable
         cache: false
 
     - name: Run make

diff --git a/.github/workflows/go-bindings.yml b/.github/workflows/go-bindings.yml
@@ -60,7 +60,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: 1.21.6
+        go-version: stable
         check-latest: true
         cache: true
         cache-dependency-path: build/bindings/go-${{ matrix.apiver }}/go.sum

diff --git a/.github/workflows/java-bindings.yml b/.github/workflows/java-bindings.yml
@@ -35,14 +35,14 @@ jobs:
     - name: Set up Java for publishing to GitHub Packages
       uses: actions/setup-java@v4
       with:
-        distribution: 'temurin'
-        java-version: '8'
-        cache: 'maven'
+        distribution: temurin
+        java-version: 21
+        cache: maven
 
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: 1.21.6
+        go-version: stable
         cache: false
 
     - name: Run make
@@ -76,9 +76,9 @@ jobs:
       uses: actions/setup-java@v4
       if: needs.ci_checks.outputs.publish_release == 'true'
       with:
-        distribution: 'temurin'
-        java-version: '8'
-        cache: 'maven'
+        distribution: temurin
+        java-version: 21
+        cache: maven
         server-id: ossrh
         server-username: MAVEN_USERNAME
         server-password: MAVEN_PASSWORD

diff --git a/.github/workflows/node-bindings.yml b/.github/workflows/node-bindings.yml
@@ -34,15 +34,15 @@ jobs:
 
     - uses: actions/setup-node@v4
       with:
-        node-version: 16
-        cache: 'npm'
+        node-version: 20
+        cache: npm
         cache-dependency-path: bindings/node/package-lock.json
         registry-url: https://registry.npmjs.org/
 
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: 1.21.6
+        go-version: stable
         cache: false
 
     - name: Run make

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -2,35 +2,32 @@ name: "Security vulnerability scan"
 
 on:
   schedule:
-    - cron: "20 02 * * *"
+    - cron: "20 02 * * 0"
   workflow_dispatch:
 
 permissions:
   contents: read
 
-env:
-  GO_VERSION: '1.22'
-
 jobs:
   go:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: stable
           check-latest: true
           cache: false
       - name: Scan
         run: make scan-go
 
   node:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: stable
           cache: false
       - uses: actions/setup-node@v4
         with:
@@ -39,12 +36,12 @@ jobs:
         run: make scan-node
 
   java:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: stable
           cache: false
       - uses: actions/setup-java@v4
         with:

diff --git a/.gitignore b/.gitignore
@@ -15,3 +15,4 @@
 /bindings/go-apiv2/**/*.pb.go
 /bindings/java/src
 /bindings/node/src
+/bindings/node/bom.json
diff --git a/Makefile b/Makefile
@@ -25,21 +25,21 @@ HTTPS_GIT := https://github.com/hyperledger/fabric-protos.git
 SSH_GIT := ssh://git@github.com/hyperledger/fabric-protos.git
 
 # This controls the version of buf to install and use.
-BUF_VERSION := 1.32.2
+BUF_VERSION := 1.42.0
 # If true, Buf is installed from source instead of from releases
 BUF_INSTALL_FROM_SOURCE := false
 
-PROTOC_VERSION := 25.3
+PROTOC_VERSION := 28.2
 PROTOC_GEN_DOC_VERSION := 1.5.1
-PROTOC_GEN_GO_VERSION := 1.33.0
-PROTOC_GEN_GO_GRPC_VERSION := 1.3.0
-PROTOC_GEN_GRPC_JAVA_VERSION := 1.63.0
-PROTOC_GEN_JS_VERSION := 3.21.2
+PROTOC_GEN_GO_VERSION := 1.34.2
+PROTOC_GEN_GO_GRPC_VERSION := 1.5.1
+PROTOC_GEN_GRPC_JAVA_VERSION := 1.68.0
+PROTOC_GEN_JS_VERSION := 3.21.4
 GRPC_TOOLS_VERSION := 1.12.4
 TS_PROTOC_GEN_VERSION := 0.15.0
 
 # This is the commit hash for the https://github.com/googleapis/googleapis repo
-GRPC_STATUS_VERSION := f36c65081b19e0758ef5696feca27c7dcee5475e
+GRPC_STATUS_VERSION := 3597f7db2191c00b100400991ef96e52d62f5841
 GRPC_STATUS_PROTO := google/rpc/status.proto
 
 ### Everything below this line is meant to be static, i.e. only adjust the above variables. ###
@@ -281,14 +281,16 @@ scan-go: genprotos
 	cd bindings/go-apiv2 && govulncheck ./...
 
 .PHONY: scan-java
-scan-java: javabindings
+scan-java:
 	go install github.com/google/osv-scanner/cmd/osv-scanner@latest
-	cd bindings/java && mvn --activate-profiles sbom -DskipTests install
-	osv-scanner --sbom=bindings/java/target/bom.json
+	osv-scanner scan --lockfile=bindings/java/pom.xml
 
 .PHONY: scan-node
 scan-node:
-	cd bindings/node && npm ci && npm audit --omit=dev
+	go install github.com/google/osv-scanner/cmd/osv-scanner@latest
+	cd bindings/node && \
+		npm sbom --omit dev --package-lock-only --sbom-format cyclonedx > bom.json && \
+		osv-scanner scan --sbom=bom.json
 
 # clean deletes any files not checked in and the cache for all platforms.
 

diff --git a/README.md b/README.md
@@ -3,6 +3,10 @@
 This repository contains the [grpc] service and [protocol buffer][protobuf] definitions for the Hyperledger Fabric project.
 Tools like `protoc` can transform these definitions into code that can be used by clients and libraries to interact with Fabric.
 
+Language bindings for Go, Node and Java are generated from the protocol buffer definitions within this repository, and published for use by other projects. For more information, please see the [documentation](https://hyperledger.github.io/fabric-protos/).
+
+Issues and pull requests related to any of the published language bindings should be raised in this repository.
+
 ## Building and testing
 
 ### Build using make

diff --git a/bindings/go-apiv2/go.mod b/bindings/go-apiv2/go.mod
@@ -1,15 +1,15 @@
 module github.com/hyperledger/fabric-protos-go-apiv2
 
-go 1.17
+go 1.21.0
 
 require (
-	google.golang.org/grpc v1.63.2
-	google.golang.org/protobuf v1.33.0
+	google.golang.org/grpc v1.67.0
+	google.golang.org/protobuf v1.34.2
 )
 
 require (
-	golang.org/x/net v0.24.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
+	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/sys v0.24.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
 )