From c76921c4f71854ac27da4543e8f82db9d889df38 Mon Sep 17 00:00:00 2001
From: Dhamodhar Reddy Dakannagari
Date: Mon, 15 Apr 2024 14:07:48 +0530
Subject: [PATCH 1/6] updated servie framework version
---
 query-service-factory/build.gradle.kts | 2 +-
 query-service-impl/build.gradle.kts | 2 +-
 query-service/build.gradle.kts | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/query-service-factory/build.gradle.kts b/query-service-factory/build.gradle.kts
index 7a867d1f..295ec962 100644
--- a/query-service-factory/build.gradle.kts
+++ b/query-service-factory/build.gradle.kts
@@ -3,7 +3,7 @@ plugins {
 }
 dependencies {
- api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.64")
+ api("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.71")
 implementation(project(":query-service-impl"))
 implementation("com.google.inject:guice:5.0.1")
diff --git a/query-service-impl/build.gradle.kts b/query-service-impl/build.gradle.kts
index a38c3bae..3b082311 100644
--- a/query-service-impl/build.gradle.kts
+++ b/query-service-impl/build.gradle.kts
@@ -74,7 +74,7 @@ dependencies {
 }
 implementation("org.slf4j:slf4j-api:2.0.11")
 implementation("commons-codec:commons-codec:1.15")
- implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.64")
+ implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.71")
 implementation("com.google.protobuf:protobuf-java-util:3.22.0")
 implementation("com.google.guava:guava:32.1.2-jre")
 implementation("io.reactivex.rxjava3:rxjava:3.0.11")
diff --git a/query-service/build.gradle.kts b/query-service/build.gradle.kts
index 24c1c841..0b5fe04f 100644
--- a/query-service/build.gradle.kts
+++ b/query-service/build.gradle.kts
@@ -11,7 +11,7 @@ plugins {
 dependencies {
 implementation(project(":query-service-factory"))
 implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.13.1")
- implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.64")
+ implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.71")
 implementation("org.slf4j:slf4j-api:2.0.11")
 implementation("com.typesafe:config:1.4.1")
@@ -22,7 +22,7 @@ dependencies {
 integrationTestImplementation("org.testcontainers:testcontainers:1.16.2")
 integrationTestImplementation("org.testcontainers:junit-jupiter:1.16.2")
 integrationTestImplementation("org.testcontainers:kafka:1.16.2")
- integrationTestImplementation("org.hypertrace.core.serviceframework:integrationtest-service-framework:0.1.64")
+ integrationTestImplementation("org.hypertrace.core.serviceframework:integrationtest-service-framework:0.1.71")
 integrationTestImplementation("com.github.stefanbirkner:system-lambda:1.2.0")
 integrationTestImplementation("org.apache.kafka:kafka-clients:7.2.1-ccs")
From d0d649481fc617c847d036c336bad5dc80927e62 Mon Sep 17 00:00:00 2001
From: Dhamodhar <56181018+Dhamodhar-DDR@users.noreply.github.com>
Date: Mon, 22 Apr 2024 13:54:01 +0530
Subject: [PATCH 2/6] Update postgresql version
update postgresql version to 42.4.4 to resolve CVE-2024-1597 vulnerability
---
 query-service-impl/build.gradle.kts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/query-service-impl/build.gradle.kts b/query-service-impl/build.gradle.kts
index 3b082311..3e954d06 100644
--- a/query-service-impl/build.gradle.kts
+++ b/query-service-impl/build.gradle.kts
@@ -79,7 +79,7 @@ dependencies {
 implementation("com.google.guava:guava:32.1.2-jre")
 implementation("io.reactivex.rxjava3:rxjava:3.0.11")
 implementation("com.squareup.okhttp3:okhttp:4.11.0")
- implementation("org.postgresql:postgresql:42.4.3")
+ implementation("org.postgresql:postgresql:42.4.4")
 implementation("io.trino:trino-jdbc:423")
 annotationProcessor("org.projectlombok:lombok:1.18.30")
From dd05e934e61592b83bcb5981bac2251b3ad5ab1f Mon Sep 17 00:00:00 2001
From: Dhamodhar <56181018+Dhamodhar-DDR@users.noreply.github.com>
Date: Mon, 22 Apr 2024 16:45:30 +0530
Subject: [PATCH 3/6] Update org.apache.commons version
update org.apache.commons version to 1.26.0 to resolve CVE-2024-25710 and CVE-2024-26308 vulnerabilities
---
 query-service-impl/build.gradle.kts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/query-service-impl/build.gradle.kts b/query-service-impl/build.gradle.kts
index 3e954d06..bc6da3e0 100644
--- a/query-service-impl/build.gradle.kts
+++ b/query-service-impl/build.gradle.kts
@@ -25,8 +25,8 @@ dependencies {
 implementation("org.apache.avro:avro:1.11.3") {
 because("CVE-2023-39410")
 }
- implementation("org.apache.commons:commons-compress:1.24.0") {
- because("CVE-2023-42503")
+ implementation("org.apache.commons:commons-compress:1.26.0") {
+ because("CVE-2024-25710")
 }
 implementation("org.apache.helix:helix-core:1.3.0") {
 because("CVE-2022-47500")
From 9420fa3c84f24c28f236f67cd2917b9f1be43065 Mon Sep 17 00:00:00 2001
From: Dhamodhar <56181018+Dhamodhar-DDR@users.noreply.github.com>
Date: Mon, 22 Apr 2024 17:05:01 +0530
Subject: [PATCH 4/6] updated org.apache.zookeeper version
updated to org.apache.zookeeper:zookeeper to 3.8.4 to resolve CVE-2024-23944 vulnerability
---
 query-service-impl/build.gradle.kts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/query-service-impl/build.gradle.kts b/query-service-impl/build.gradle.kts
index bc6da3e0..7fe05b42 100644
--- a/query-service-impl/build.gradle.kts
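Review bot: The new `because("CVE-2024-25710")` on the commons-compress bump in the `@@ -25,8 +25,8 @@` hunk records only one of the two advisories the commit message cites (CVE-2024-25710 and CVE-2024-26308), so the pin's provenance in the build file is incomplete. The same file already lists several advisories comma-separated (`because("CVE-2019-16728,CVE-2020-26870")`), so `because("CVE-2024-25710,CVE-2024-26308")` would follow the existing convention. This string is what a maintainer consults when deciding whether a forced version can be dropped, so it should match the reason the version was chosen.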
+++ b/query-service-impl/build.gradle.kts
@@ -31,8 +31,8 @@ dependencies {
 implementation("org.apache.helix:helix-core:1.3.0") {
 because("CVE-2022-47500")
 }
- implementation("org.apache.zookeeper:zookeeper:3.7.2") {
- because("CVE-2023-44981")
+ implementation("org.apache.zookeeper:zookeeper:3.8.4") {
+ because("CVE-2024-23944")
 }
 implementation("org.webjars:swagger-ui:5.1.0") {
 because("CVE-2019-16728,CVE-2020-26870")
From 888cb2aa842379c3bfe219473a604cb13d2bc4c6 Mon Sep 17 00:00:00 2001
From: Dhamodhar
Date: Thu, 25 Apr 2024 13:03:52 +0530
Subject: [PATCH 5/6] updated grpc-utils to 0.13.2
---
 query-service-client/build.gradle.kts | 2 +-
 query-service-impl/build.gradle.kts | 6 +++---
 query-service/build.gradle.kts | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/query-service-client/build.gradle.kts b/query-service-client/build.gradle.kts
index 61e183bc..55e9fb4b 100644
--- a/query-service-client/build.gradle.kts
+++ b/query-service-client/build.gradle.kts
@@ -7,7 +7,7 @@ plugins {
 dependencies {
 api(project(":query-service-api"))
- implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.1")
+ implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.2")
 // Logging
 implementation("org.slf4j:slf4j-api:2.0.11")
diff --git a/query-service-impl/build.gradle.kts b/query-service-impl/build.gradle.kts
index 7fe05b42..951e103e 100644
--- a/query-service-impl/build.gradle.kts
+++ b/query-service-impl/build.gradle.kts
@@ -60,9 +60,9 @@ dependencies {
 }
 api(project(":query-service-api"))
 api("com.typesafe:config:1.4.1")
- implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.13.1")
- implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.1")
- implementation("org.hypertrace.core.grpcutils:grpc-server-rx-utils:0.13.1")
+ implementation("org.hypertrace.core.grpcutils:grpc-context-utils:0.13.2")
+ implementation("org.hypertrace.core.grpcutils:grpc-client-utils:0.13.2")
+ implementation("org.hypertrace.core.grpcutils:grpc-server-rx-utils:0.13.2")
 implementation("org.hypertrace.core.attribute.service:attribute-service-api:0.14.26")
 implementation("org.hypertrace.core.attribute.service:attribute-projection-registry:0.14.26")
 implementation("org.hypertrace.core.attribute.service:caching-attribute-service-client:0.14.26")
diff --git a/query-service/build.gradle.kts b/query-service/build.gradle.kts
index 0b5fe04f..2b110136 100644
--- a/query-service/build.gradle.kts
+++ b/query-service/build.gradle.kts
@@ -10,7 +10,7 @@ plugins {
 dependencies {
 implementation(project(":query-service-factory"))
- implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.13.1")
+ implementation("org.hypertrace.core.grpcutils:grpc-server-utils:0.13.2")
 implementation("org.hypertrace.core.serviceframework:platform-grpc-service-framework:0.1.71")
 implementation("org.slf4j:slf4j-api:2.0.11")
 implementation("com.typesafe:config:1.4.1")
From 36818fc6dca6e8e441d5bd901df330cf30301efd Mon Sep 17 00:00:00 2001
From: Dhamodhar
Date: Thu, 25 Apr 2024 13:07:16 +0530
Subject: [PATCH 6/6] added suppressions for CVE-2024-29133 and CVE-2024-29133
---
 owasp-suppressions.xml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
index b56c6bd5..62093c19 100644
--- a/owasp-suppressions.xml
+++ b/owasp-suppressions.xml
@@ -34,4 +34,13 @@
 ^pkg:maven/com\.jayway\.jsonpath/json\-path@2.9.0$
 CVE-2023-51074
+
+
+ ^pkg:maven/commons\-configuration/commons\-configuration@1\..*$
+
+ CVE-2024-29133
+ CVE-2024-29131
+
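Review bot: The added suppress entry blankets every commons-configuration 1.x artifact (`^pkg:maven/commons\-configuration/commons\-configuration@1\..*$`) and silences CVE-2024-29133 and CVE-2024-29131 with no visible justification, and because the XML tags were stripped in this view I cannot tell whether the entry carries a `<notes>` element or an `until` attribute. A suppression should record why the finding is accepted — for instance that the artifact is only a transitive dependency and the affected code path is not exercised — and should carry `until="YYYY-MM-DDZ"` (placeholder date) so the exception is revisited rather than becoming permanent; the 1.x line is, as far as I know, no longer maintained, so the long-term fix is to move the consumer to the maintained commons-configuration2 line or drop the dependency. The commit subject also names CVE-2024-29133 twice where the hunk suppresses 29133 and 29131, which will confuse anyone auditing the exception later. The tail of this hunk may be cut off at the chunk boundary, so any lines beyond the last visible `+` are not reviewed.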