Bump armeria + grpc + protobuf to fix CVE-2024-7254 (#5891)

Bump armeria + grpc + protobuf to fix CVE-2024-7254

Upgrades protobuf dependencies with versions that fix
Fixes CVE-2024-7254.

Use inline mocks in DnsPeerListProviderCreationTest to support mocking final classes. Updates to the GrpcRequestExceptionHandlerTest required by the update to the Armeria test library. Enforce a consistent JUnit version across the project to avoid JUnit consistency issues.

Signed-off-by: Karsten Schnitter <k.schnitter@sap.com>
Signed-off-by: David Venable <dlv@amazon.com>
Co-authored-by: David Venable <dlv@amazon.com>

Author: KarstenSchnitter

build.gradle

@@ -242,6 +242,9 @@ subprojects {
                 def java8Name = details.requested.name.replace('-jdk15on', '-jdk18on')
                 details.useTarget group: 'org.bouncycastle', name: java8Name, version: libs.bouncycastle.bcprov.get().version
                 details.because 'Use only the Java 8 artifacts of BouncyCastle'
+            } else if (details.requested.group == 'org.junit.jupiter') {
+                details.useTarget group: details.requested.group, name: details.requested.name, version: testLibs.versions.junit.get()
+                details.because 'Use the defined JUnit of the Data Prepper project to ensure consistent versions.'
             }
         }
     }

data-prepper-core/src/test/java/org/opensearch/dataprepper/core/peerforwarder/discovery/DnsPeerListProviderCreationTest.java

@@ -11,6 +11,7 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
+import org.mockito.MockMakers;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
@@ -33,9 +34,9 @@ class DnsPeerListProviderCreationTest {
     private static final String VALID_ENDPOINT = "VALID.ENDPOINT";
     private static final String INVALID_ENDPOINT = "INVALID_ENDPOINT_";
 
-    @Mock
+    @Mock(mockMaker = MockMakers.INLINE)
     private DnsAddressEndpointGroupBuilder dnsAddressEndpointGroupBuilder;
-    @Mock
+    @Mock(mockMaker = MockMakers.INLINE)
     private DnsAddressEndpointGroup dnsAddressEndpointGroup;
 
     private PeerForwarderConfiguration peerForwarderConfiguration;

data-prepper-plugins/armeria-common/src/test/java/org/opensearch/dataprepper/GrpcRequestExceptionHandlerTest.java

@@ -85,11 +85,11 @@ public void testHandleBadRequestException() {
         final String exceptionMessage = UUID.randomUUID().toString();
         final BadRequestException badRequestExceptionWithMessage = new BadRequestException(exceptionMessage, new IOException());
 
-        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, badRequestExceptionNoMessage, metadata);
+        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.INVALID_ARGUMENT, badRequestExceptionNoMessage, metadata);
         assertThat(noMessageStatus.getCode(), equalTo(Status.Code.INVALID_ARGUMENT));
         assertThat(noMessageStatus.getDescription(), equalTo(Status.Code.INVALID_ARGUMENT.name()));
 
-        final Status messageStatus = grpcRequestExceptionHandler.apply(requestContext, badRequestExceptionWithMessage, metadata);
+        final Status messageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.INVALID_ARGUMENT, badRequestExceptionWithMessage, metadata);
         assertThat(messageStatus.getCode(), equalTo(Status.Code.INVALID_ARGUMENT));
         assertThat(messageStatus.getDescription(), equalTo(exceptionMessage));
 
@@ -102,11 +102,11 @@ public void testHandleTimeoutException() {
         final String exceptionMessage = UUID.randomUUID().toString();
         final BufferWriteException timeoutExceptionWithMessage = new BufferWriteException(exceptionMessage, new TimeoutException(exceptionMessage));
 
-        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, timeoutExceptionNoMessage, metadata);
+        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.DEADLINE_EXCEEDED, timeoutExceptionNoMessage, metadata);
         assertThat(noMessageStatus.getCode(), equalTo(Status.Code.RESOURCE_EXHAUSTED));
         assertThat(noMessageStatus.getDescription(), equalTo(Status.Code.RESOURCE_EXHAUSTED.name()));
 
-        final Status messageStatus = grpcRequestExceptionHandler.apply(requestContext, timeoutExceptionWithMessage, metadata);
+        final Status messageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.DEADLINE_EXCEEDED, timeoutExceptionWithMessage, metadata);
         assertThat(messageStatus.getCode(), equalTo(Status.Code.RESOURCE_EXHAUSTED));
         assertThat(messageStatus.getDescription(), equalTo(exceptionMessage));
 
@@ -123,7 +123,7 @@ public void testHandleTimeoutException() {
     public void testHandleArmeriaTimeoutException() {
         final RequestTimeoutException timeoutExceptionNoMessage = RequestTimeoutException.get();
 
-        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, timeoutExceptionNoMessage, metadata);
+        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.DEADLINE_EXCEEDED, timeoutExceptionNoMessage, metadata);
         assertThat(noMessageStatus.getCode(), equalTo(Status.Code.RESOURCE_EXHAUSTED));
         assertThat(noMessageStatus.getDescription(), equalTo(ARMERIA_REQUEST_TIMEOUT_MESSAGE));
 
@@ -136,11 +136,11 @@ public void testHandleSizeOverflowException() {
         final String exceptionMessage = UUID.randomUUID().toString();
         final BufferWriteException sizeOverflowExceptionWithMessage = new BufferWriteException(exceptionMessage, new SizeOverflowException(exceptionMessage));
 
-        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, sizeOverflowExceptionNoMessage, metadata);
+        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.INVALID_ARGUMENT, sizeOverflowExceptionNoMessage, metadata);
         assertThat(noMessageStatus.getCode(), equalTo(Status.Code.RESOURCE_EXHAUSTED));
         assertThat(noMessageStatus.getDescription(), equalTo(Status.Code.RESOURCE_EXHAUSTED.name()));
 
-        final Status messageStatus = grpcRequestExceptionHandler.apply(requestContext, sizeOverflowExceptionWithMessage, metadata);
+        final Status messageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.INVALID_ARGUMENT, sizeOverflowExceptionWithMessage, metadata);
         assertThat(messageStatus.getCode(), equalTo(Status.Code.RESOURCE_EXHAUSTED));
         assertThat(messageStatus.getDescription(), equalTo(exceptionMessage));
 
@@ -153,11 +153,11 @@ public void testHandleRequestCancelledException() {
         final String exceptionMessage = UUID.randomUUID().toString();
         final RequestCancelledException requestCancelledExceptionWithMessage = new RequestCancelledException(exceptionMessage);
 
-        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, requestCancelledExceptionNoMessage, metadata);
+        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.CANCELLED, requestCancelledExceptionNoMessage, metadata);
         assertThat(noMessageStatus.getCode(), equalTo(Status.Code.CANCELLED));
         assertThat(noMessageStatus.getDescription(), equalTo(Status.Code.CANCELLED.name()));
 
-        final Status messageStatus = grpcRequestExceptionHandler.apply(requestContext, requestCancelledExceptionWithMessage, metadata);
+        final Status messageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.CANCELLED, requestCancelledExceptionWithMessage, metadata);
         assertThat(messageStatus.getCode(), equalTo(Status.Code.CANCELLED));
         assertThat(messageStatus.getDescription(), equalTo(exceptionMessage));
 
@@ -170,11 +170,11 @@ public void testHandleInternalServerException() {
         final String exceptionMessage = UUID.randomUUID().toString();
         final RuntimeException runtimeExceptionWithMessage = new RuntimeException(exceptionMessage);
 
-        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, runtimeExceptionNoMessage, metadata);
+        final Status noMessageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.INTERNAL, runtimeExceptionNoMessage, metadata);
         assertThat(noMessageStatus.getCode(), equalTo(Status.Code.INTERNAL));
         assertThat(noMessageStatus.getDescription(), equalTo(Status.Code.INTERNAL.name()));
 
-        final Status messageStatus = grpcRequestExceptionHandler.apply(requestContext, runtimeExceptionWithMessage, metadata);
+        final Status messageStatus = grpcRequestExceptionHandler.apply(requestContext, Status.INTERNAL, runtimeExceptionWithMessage, metadata);
         assertThat(messageStatus.getCode(), equalTo(Status.Code.INTERNAL));
         assertThat(messageStatus.getDescription(), equalTo(exceptionMessage));
 

settings.gradle

@@ -30,13 +30,13 @@ dependencyResolutionManagement {
         libs {
             version('slf4j', '2.0.6')
             library('slf4j-api', 'org.slf4j', 'slf4j-api').versionRef('slf4j')
-            version('armeria', '1.29.0')
+            version('armeria', '1.32.5')
             library('armeria-core', 'com.linecorp.armeria', 'armeria').versionRef('armeria')
             library('armeria-grpc', 'com.linecorp.armeria', 'armeria-grpc').versionRef('armeria')
             library('armeria-junit', 'com.linecorp.armeria', 'armeria-junit5').versionRef('armeria')
-            version('grpc', '1.63.0')
+            version('grpc', '1.70.0')
             library('grpc-inprocess', 'io.grpc', 'grpc-inprocess').versionRef('grpc')
-            version('protobuf', '3.24.3')
+            version('protobuf', '3.25.5')
             library('protobuf-core', 'com.google.protobuf', 'protobuf-java').versionRef('protobuf')
             library('protobuf-util', 'com.google.protobuf', 'protobuf-java-util').versionRef('protobuf')
             version('opentelemetry', '1.3.2-alpha')