From 83419e199222009bdca18e065571bf137ef45893 Mon Sep 17 00:00:00 2001
From: Prerana Singhal <singhal.prerana@gmail.com>
Date: Thu, 19 Oct 2023 15:25:59 +0530
Subject: [PATCH 1/3] chore: upgraded hypertrace grpc-utils version

---
 hypertrace-core-graphql-platform/build.gradle.kts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hypertrace-core-graphql-platform/build.gradle.kts b/hypertrace-core-graphql-platform/build.gradle.kts
index 27c2a418..b8ce0428 100644
--- a/hypertrace-core-graphql-platform/build.gradle.kts
+++ b/hypertrace-core-graphql-platform/build.gradle.kts
@@ -13,9 +13,9 @@ dependencies {
   api(platform("com.fasterxml.jackson:jackson-bom:2.15.2"))
   constraints {
 
-    api("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.2")
-    api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.2")
-    api("org.hypertrace.core.grpcutils:grpc-client-rx-utils:0.12.2")
+    api("org.hypertrace.core.grpcutils:grpc-context-utils:0.12.6")
+    api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.6")
+    api("org.hypertrace.core.grpcutils:grpc-client-rx-utils:0.12.6")
     api("org.hypertrace.gateway.service:gateway-service-api:0.3.2")
     api("org.hypertrace.core.attribute.service:caching-attribute-service-client:${attributeServiceVersion}")
     api("org.hypertrace.core.attribute.service:attribute-service-api:${attributeServiceVersion}")

From 93ec83d11cc484df7a88b68c05352982fe5196e2 Mon Sep 17 00:00:00 2001
From: Prerana Singhal <singhal.prerana@gmail.com>
Date: Thu, 19 Oct 2023 15:59:58 +0530
Subject: [PATCH 2/3] Updated versions

---
 hypertrace-core-graphql-platform/build.gradle.kts | 3 ++-
 hypertrace-core-graphql-service/build.gradle.kts  | 2 +-
 owasp-suppressions.xml                            | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/hypertrace-core-graphql-platform/build.gradle.kts b/hypertrace-core-graphql-platform/build.gradle.kts
index b8ce0428..7b81a2cb 100644
--- a/hypertrace-core-graphql-platform/build.gradle.kts
+++ b/hypertrace-core-graphql-platform/build.gradle.kts
@@ -9,7 +9,7 @@ javaPlatform {
 val attributeServiceVersion: String = "0.14.14"
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.57.2"))
+  api(platform("io.grpc:grpc-bom:1.58.0"))
   api(platform("com.fasterxml.jackson:jackson-bom:2.15.2"))
   constraints {
 
@@ -17,6 +17,7 @@ dependencies {
     api("org.hypertrace.core.grpcutils:grpc-client-utils:0.12.6")
     api("org.hypertrace.core.grpcutils:grpc-client-rx-utils:0.12.6")
     api("org.hypertrace.gateway.service:gateway-service-api:0.3.2")
+    api("org.hypertrace.core.serviceframework:platform-http-service-framework:0.1.62")
     api("org.hypertrace.core.attribute.service:caching-attribute-service-client:${attributeServiceVersion}")
     api("org.hypertrace.core.attribute.service:attribute-service-api:${attributeServiceVersion}")
 
diff --git a/hypertrace-core-graphql-service/build.gradle.kts b/hypertrace-core-graphql-service/build.gradle.kts
index 43e703ba..77bb83fc 100644
--- a/hypertrace-core-graphql-service/build.gradle.kts
+++ b/hypertrace-core-graphql-service/build.gradle.kts
@@ -8,7 +8,7 @@ plugins {
 dependencies {
   implementation(platform(project(":hypertrace-core-graphql-platform")))
 
-  implementation("org.hypertrace.core.serviceframework:platform-http-service-framework:0.1.52")
+  implementation("org.hypertrace.core.serviceframework:platform-http-service-framework")
   implementation("org.slf4j:slf4j-api")
 
   implementation("com.graphql-java-kickstart:graphql-java-servlet")
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
index 07948e5c..ae80288c 100644
--- a/owasp-suppressions.xml
+++ b/owasp-suppressions.xml
@@ -15,7 +15,7 @@
     <packageUrl regex="true">^pkg:maven/io\.github\.graphql\-java/graphql\-java\-annotations@.*$</packageUrl>
     <cpe>cpe:/a:graphql-java:graphql-java</cpe>
   </suppress>
-  <suppress until="2023-07-30Z">
+  <suppress until="2023-11-30Z">
     <notes><![CDATA[
    file name: jackson-databind-2.15.2.jar
    ]]></notes>

From 9f5662072683cb168250f747cfc9721e617ab6d4 Mon Sep 17 00:00:00 2001
From: Prerana Singhal <singhal.prerana@gmail.com>
Date: Thu, 19 Oct 2023 16:11:46 +0530
Subject: [PATCH 3/3] Added suppressions

---
 .../build.gradle.kts                          |  2 +-
 owasp-suppressions.xml                        | 22 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/hypertrace-core-graphql-platform/build.gradle.kts b/hypertrace-core-graphql-platform/build.gradle.kts
index 7b81a2cb..08afb5fc 100644
--- a/hypertrace-core-graphql-platform/build.gradle.kts
+++ b/hypertrace-core-graphql-platform/build.gradle.kts
@@ -9,7 +9,7 @@ javaPlatform {
 val attributeServiceVersion: String = "0.14.14"
 
 dependencies {
-  api(platform("io.grpc:grpc-bom:1.58.0"))
+  api(platform("io.grpc:grpc-bom:1.57.2"))
   api(platform("com.fasterxml.jackson:jackson-bom:2.15.2"))
   constraints {
 
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
index ae80288c..bd273df4 100644
--- a/owasp-suppressions.xml
+++ b/owasp-suppressions.xml
@@ -15,6 +15,28 @@
     <packageUrl regex="true">^pkg:maven/io\.github\.graphql\-java/graphql\-java\-annotations@.*$</packageUrl>
     <cpe>cpe:/a:graphql-java:graphql-java</cpe>
   </suppress>
+  <suppress until="2023-11-30Z">
+    <notes><![CDATA[
+  This vulnerability is disputed, with the argument that SSL configuration is the responsibility of the client rather
+  than the transport. The change in default is under consideration for the next major Netty release, revisit then.
+  Regardless, our client (which is what brings in this dependency) enables the concerned feature, hostname verification
+  Ref:
+  https://github.com/grpc/grpc-java/issues/10033
+  https://github.com/netty/netty/issues/8537#issuecomment-1527896917
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/io\.netty/netty.*@.*$</packageUrl>
+    <vulnerabilityName>CVE-2023-4586</vulnerabilityName>
+  </suppress>
+  <suppress until="2023-11-30Z">
+    <notes><![CDATA[
+   This CVE is declared fixed from 9.4.52, but the vuln db is not reflecting that. Suppress that specific version until
+   db is updated.
+   Ref:
+   https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@9.4.53\..*$</packageUrl>
+    <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
+  </suppress>
   <suppress until="2023-11-30Z">
     <notes><![CDATA[
    file name: jackson-databind-2.15.2.jar