Suppress okthttp brotli CVE (#864)

Consensys · Jul 31, 2023 · 1f4a58f · 1f4a58f
1 parent 09ca080
commit 1f4a58f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/gradle/owasp-suppression.xml b/gradle/owasp-suppression.xml
@@ -8,4 +8,11 @@
         <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
         <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Suppress CVE-2023-3782 as Web3Signer doesn't use brotli and the NVD is incorrectly applying against all okhttp packages instead of just brotli one. See discussion in https://github.com/square/okhttp/issues/7738
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.squareup\.okhttp3/.*$</packageUrl>
+        <cve>CVE-2023-3782</cve>
+    </suppress>
 </suppressions>
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -176,7 +176,7 @@ dependencyManagement {
       com.squareup.okhttp3:logging-interceptor:4.9.0 // CVE-2021-0341
       \--- org.web3j:core:4.9.2
      */
-    dependency 'com.squareup.okhttp3:logging-interceptor:4.10.0'
+    dependency 'com.squareup.okhttp3:logging-interceptor:4.11.0'
 
     dependencySet(group: 'com.squareup.okhttp3', version: '4.11.0') {
       entry 'okhttp'