From 02a3c70c4af0e172a02cdb1abc4876e623f2e445 Mon Sep 17 00:00:00 2001 From: "Mark S. Lewis" Date: Thu, 22 Feb 2024 08:47:06 +0000 Subject: [PATCH] Update dependencies to address CVE-2024-25710, CVE-2024-26308 (#298) - Address vulnerabilities in Apache commons-compress. - Fix some minor compilation issues following dependency updates. Signed-off-by: Mark S. Lewis --- pom.xml | 14 ++++---- .../hyperledger/fabric/sdk/helper/Utils.java | 36 +++++++++---------- .../fabric/sdkintegration/Util.java | 17 +++++---- 3 files changed, 33 insertions(+), 34 deletions(-) diff --git a/pom.xml b/pom.xml index c328f524..9cd46176 100644 --- a/pom.xml +++ b/pom.xml @@ -32,7 +32,7 @@ 3.24.4 1.77 4.5.14 - 3.6.2 + 3.6.3 true UTF-8 0.8.11 @@ -121,7 +121,7 @@ org.apache.commons commons-compress - 1.24.0 + 1.26.0 commons-io @@ -255,7 +255,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.2 + 3.2.5 ${surefireArgLine} @@ -267,7 +267,7 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.2.2 + 3.2.5 ${failsafeArgLine} @@ -314,7 +314,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.11.0 + 3.12.1 ${javaVersion} ${javaVersion} @@ -619,7 +619,7 @@ org.owasp dependency-check-maven - 8.4.3 + 9.0.9 true true @@ -695,7 +695,7 @@ com.puppycrawl.tools checkstyle - 10.12.5 + 10.13.0 diff --git a/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java b/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java index ffae7fea..9fdbddc2 100644 --- a/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java +++ b/src/main/java/org/hyperledger/fabric/sdk/helper/Utils.java 
@@ -14,11 +14,27 @@ package org.hyperledger.fabric.sdk.helper;
+import com.google.common.collect.ImmutableMap;
+import com.google.protobuf.ByteString;
+import com.google.protobuf.Timestamp;
+import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
+import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA3Digest;
+import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.encoders.Hex;
+
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.UncheckedIOException;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.math.BigDecimal;
@@ -41,22 +57,6 @@ import java.util.regex.Pattern;
 import java.util.stream.Collectors;
-import com.google.common.collect.ImmutableMap;
-import com.google.protobuf.ByteString;
-import com.google.protobuf.Timestamp;
-import org.apache.commons.compress.archivers.ArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
-import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA3Digest;
-import org.bouncycastle.util.Arrays;
-import org.bouncycastle.util.encoders.Hex;
-
 import static java.lang.String.format;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.apache.commons.codec.binary.Hex.encodeHexString;
@@ -144,7 +144,7 @@ public static String generateDirectoryHash(String rootDir, String chaincodeDir,
 hashBuilder.setLength(0);
 hashBuilder.append(Hex.toHexString(hash(toHash, new SHA3Digest())));
 } catch (IOException ex) {
- throw new RuntimeException(format("Error while reading file %s", file.getAbsolutePath()), ex);
+ throw new UncheckedIOException(format("Error while reading file %s", file.getAbsolutePath()), ex);
 }
 });
@@ -178,7 +178,7 @@ public static byte[] generateTarGz(File sourceDirectory, String pathPrefix, File
 Collection childrenFiles = org.apache.commons.io.FileUtils.listFiles(sourceDirectory, null, true);
- ArchiveEntry archiveEntry;
+ TarArchiveEntry archiveEntry;
 for (File childFile : childrenFiles) {
 String childPath = childFile.getAbsolutePath();
 String relativePath = childPath.substring((sourcePath.length() + 1));
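Review bot: The switch to `UncheckedIOException` in the `catch (IOException ex)` branch changes what callers of generateDirectoryHash observe without a matching Javadoc update: read failures now surface as an exception whose `getCause()` is guaranteed to be the underlying `IOException`, which is exactly what a caller inspecting the cause wants to know. Add `@throws UncheckedIOException if a file under the chaincode directory cannot be read` to the method's Javadoc. The enclosing method and its existing Javadoc start and end outside the hunk, so I cannot see whether any `@throws` clause is already present. Because `UncheckedIOException` extends `RuntimeException`, existing callers that catch `RuntimeException` remain compatible.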
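Review bot: `TarArchiveEntry archiveEntry;` remains a bare declaration hoisted above the `for` loop, so one unassigned, mutable reference is reused across iterations; since the type had to be narrowed anyway for commons-compress 1.26's `ArchiveOutputStream<TarArchiveEntry>`, this is the moment to declare it at the point where the entry is created inside the loop body, e.g. `TarArchiveEntry archiveEntry = new TarArchiveEntry(...)`, so its scope matches its lifetime. The loop body, where the entry is presumably constructed and written, runs past the hunk. Separately, `relativePath` is derived by `childPath.substring(sourcePath.length() + 1)` on an absolute path, which silently relies on `sourcePath` (computed outside the hunk) being exactly the prefix `FileUtils.listFiles` builds child paths from; `sourceDirectory.toPath().relativize(childFile.toPath())` would express that intent without the manual offset arithmetic, provided the separators are normalised as the current code presumably does further down.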
diff --git a/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java b/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java
index f2acb97d..0983dfa1 100644
--- a/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java
+++ b/src/test/java/org/hyperledger/fabric/sdkintegration/Util.java
@@ -16,6 +16,13 @@ package org.hyperledger.fabric.sdkintegration;
+import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
+import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.IOUtils;
+import org.hyperledger.fabric.sdk.helper.Utils;
+
 import java.io.BufferedOutputStream;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -25,14 +32,6 @@ import java.io.InputStream;
 import java.util.Collection;
-import org.apache.commons.compress.archivers.ArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
-import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
-import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.io.IOUtils;
-import org.hyperledger.fabric.sdk.helper.Utils;
-
 import static java.lang.String.format;
 class Util {
@@ -64,7 +63,7 @@ public static InputStream generateTarGzInputStream(File src, String pathPrefix)
 try {
 Collection childrenFiles = org.apache.commons.io.FileUtils.listFiles(sourceDirectory, null, true);
- ArchiveEntry archiveEntry;
+ TarArchiveEntry archiveEntry;
 FileInputStream fileInputStream;
 for (File childFile : childrenFiles) {
 String childPath = childFile.getAbsolutePath();
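Review bot: This test helper keeps a second hand-rolled copy of the tar.gz packer that had to be patched in lockstep with `Utils.generateTarGz` for the same commons-compress signature change, even though `Utils` is already imported in this file and `ByteArrayInputStream` is too. Unless the test needs a different entry layout, `generateTarGzInputStream` could simply return `new ByteArrayInputStream(Utils.generateTarGz(...))`, which removes the duplicate and any future drift between the two; I cannot see from here whether `generateTarGz`'s third parameter is something the test can supply. The hoisted `FileInputStream fileInputStream;` next to the new declaration is also worth a check that the stream opened per child inside the loop, which is not visible here, is closed on the exception path, ideally via try-with-resources. The loop body and the rest of the method run past the hunk.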