These insecure dependencies are brought in by io.grpc:grpc-netty:1.17.1.
Override the io.netty dependencies and add exclusions where the version is mandated.
Resulting dependencies in policy/models/models-interactions on master*
$ mvn dependency:tree -Dverbose| grep io.netty
[INFO] +- io.netty:netty-codec-http2:jar:4.1.39.Final:compile
[INFO] | +- io.netty:netty-common:jar:4.1.39.Final:compile
[INFO] | +- io.netty:netty-buffer:jar:4.1.39.Final:compile
[INFO] | +- io.netty:netty-transport:jar:4.1.39.Final:compile
[INFO] | | \- io.netty:netty-resolver:jar:4.1.39.Final:compile
[INFO] | +- io.netty:netty-codec:jar:4.1.39.Final:compile
[INFO] | +- io.netty:netty-handler:jar:4.1.39.Final:compile
[INFO] | \- io.netty:netty-codec-http:jar:4.1.39.Final:compile
[INFO] +- io.netty:netty-handler-proxy:jar:4.1.39.Final:compile
[INFO] | \- io.netty:netty-codec-socks:jar:4.1.39.Final:compile
[INFO] | +- io.netty:netty-codec-http2:jar:4.1.39.Final:provided
[INFO] | | +- io.netty:netty-common:jar:4.1.39.Final:provided
[INFO] | | +- io.netty:netty-buffer:jar:4.1.39.Final:provided
[INFO] | | +- io.netty:netty-transport:jar:4.1.39.Final:provided
[INFO] | | | \- io.netty:netty-resolver:jar:4.1.39.Final:provided
[INFO] | | +- io.netty:netty-codec:jar:4.1.39.Final:provided
[INFO] | | +- io.netty:netty-handler:jar:4.1.39.Final:provided
[INFO] | | \- io.netty:netty-codec-http:jar:4.1.39.Final:provided
[INFO] | +- io.netty:netty-handler-proxy:jar:4.1.39.Final:provided
[INFO] | | \- io.netty:netty-codec-socks:jar:4.1.39.Final:provided
Issue-ID: POLICY-2072
Signed-off-by: Rashmi Pujar <rashmi.pujar@bell.ca>
Change-Id: Ib3706e1c67e33fe73ebbfc80a6b474021b4a2679
<properties>
<grpc.version>1.17.1</grpc.version>
<protobuf.version>3.6.1</protobuf.version>
<properties>
<grpc.version>1.17.1</grpc.version>
<protobuf.version>3.6.1</protobuf.version>
- <grpc.netty.version>4.1.30.Final</grpc.netty.version>
+ <grpc.netty.version>4.1.39.Final</grpc.netty.version>
<ccsdk.version>0.4.4</ccsdk.version>
</properties>
<ccsdk.version>0.4.4</ccsdk.version>
</properties>
</dependency>
<!-- gRPC dependencies -->
</dependency>
<!-- gRPC dependencies -->
+ <!-- io.netty artifacts have security issues and are transitive dependencies from io.grpc:grpc-netty:1.17.1.
+ Override io.netty dependencies and add exclusions to io.grpc:grpc-netty where io.netty version is mandated. -->
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-codec-http2</artifactId>
+ <version>${grpc.netty.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-handler-proxy</artifactId>
+ <version>${grpc.netty.version}</version>
+ </dependency>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-protobuf</artifactId>
<dependency>
<groupId>io.grpc</groupId>
<artifactId>grpc-protobuf</artifactId>
<groupId>io.grpc</groupId>
<artifactId>grpc-netty</artifactId>
<version>${grpc.version}</version>
<groupId>io.grpc</groupId>
<artifactId>grpc-netty</artifactId>
<version>${grpc.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-codec-http2</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>io.grpc</groupId>
</dependency>
<dependency>
<groupId>io.grpc</groupId>