Bump up gRPC/protobuf to fix CVE-2021-22569 (#8405)

* Bump up gRPC/protobuf to fix CVE-2021-2256

Bump up gRPC/protobuf to fix CVE-2021-22569 (#8405)
* Bump up gRPC/protobuf to fix CVE-2021-2256
0d5a289c · wu-sheng · GitHub · 14e74ad9 · 0d5a289c · 0d5a289c
6 changed file
--- a/.github/workflows/ci-it.yaml
+++ b/.github/workflows/ci-it.yaml
@@ -83,7 +83,7 @@ jobs:
        run: ./mvnw -q --batch-mode -P"backend,ui,dist" clean verify install
      - uses: actions/upload-artifact@v2
        if: env.SKIP_CI != 'true' && matrix.os == 'ubuntu' && matrix.java-version == '8'
-        name: Upload Agent
+        name: Upload OAP Server Binary
        with:
          name: dist
          path: dist

--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,7 @@ Release Notes.
 * Extend column name override mechanism working for `ValueColumnMetadata`.
 * Introduce new concept `Layer` and removed `NodeType`. More details refer to [v9-version-upgrade](https://skywalking.apache.org/docs/main/latest/en/faq/v9-version-upgrade/).
 * Fix query sort metrics failure in H2 Storage.
+* Bump up grpc to 1.43.2 and protobuf to 3.19.2 to fix CVE-2021-22569.

 #### UI


--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -229,7 +229,7 @@ The text of each license is the standard Apache 2.0 license.
    Google: guava 28.1: https://github.com/google/guava , Apache 2.0
    Google: guice 4.1.0: https://github.com/google/guice , Apache 2.0
    Google: gson 2.8.6: https://github.com/google/gson , Apache 2.0
-    Google: proto-google-common-protos 2.0.1: https://github.com/googleapis/googleapis , Apache 2.0
+    Google: proto-google-common-protos 2.0.1: https://github.com/googleapis/java-common-protos , Apache 2.0
    Google: jsr305 3.0.2: http://central.maven.org/maven2/com/google/code/findbugs/jsr305/3.0.0/jsr305-3.0.0.pom , Apache 2.0
    Google: flatbuffers-java 1.12.0: https://github.com/google/flatbuffers/ , Apache 2.0
    Eclipse (Jetty) 9.4.40.v20210413: https://www.eclipse.org/jetty/ , Apache 2.0 and Eclipse Public License 1.0
@@ -330,7 +330,8 @@ The text of each license is the standard Apache 2.0 license.
    iotdb-thrift 0.12.3: https://github.com/apache/iotdb, Apache 2.0
    service-rpc 0.12.3: https://github.com/apache/iotdb, Apache 2.0
    tsfile 0.12.3 https://github.com/apache/iotdb Apache 2.0
-    libthrift 0.14.1: https://github.com/apache/thrift, Apache 2.0
+    libthrift 0.14.1: https://github.com/apache/thrift Apache 2.0
+    j2objc 1.3: https://github.com/google/j2objc Apache 2.0

 ========================================================================
 MIT licenses
@@ -366,8 +367,8 @@ The text of each license is also included at licenses/LICENSE-[project].txt.

    asm 9.0:https://gitlab.ow2.org , BSD-3-Clause
    antlr4-runtime 4.5.1: http://www.antlr.org/license.html, BSD-3-Clause
-    Google: protobuf-java 3.17.3: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
-    Google: protobuf-java-util 3.17.3: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
+    Google: protobuf-java 3.19.2: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
+    Google: protobuf-java-util 3.19.2: https://github.com/google/protobuf/blob/master/java/pom.xml , BSD-3-Clause
    reflectasm 1.11.7: https://github.com/EsotericSoftware/reflectasm , BSD-3-Clause

    zstd-jni 1.4.3-1: https://github.com/luben/zstd-jni, BSD-3-Clause

--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -39,8 +39,8 @@
        <zookeeper.version>3.5.7</zookeeper.version>
        <guava.version>28.1-jre</guava.version>
        <snakeyaml.version>1.28</snakeyaml.version>
-        <protobuf-java.version>3.17.3</protobuf-java.version>
-        <protobuf-java-util.version>3.17.3</protobuf-java-util.version>
+        <protobuf-java.version>3.19.2</protobuf-java.version>
+        <protobuf-java-util.version>3.19.2</protobuf-java-util.version>
        <commons-codec.version>1.11</commons-codec.version>
        <commons-lang3.version>3.12.0</commons-lang3.version>
        <commons-dbcp.version>1.4</commons-dbcp.version>

--- a/pom.xml
+++ b/pom.xml
@@ -176,7 +176,7 @@
        <lombok.version>1.18.20</lombok.version>

        <!-- core lib dependency -->
-        <grpc.version>1.42.1</grpc.version>
+        <grpc.version>1.43.2</grpc.version>
        <gson.version>2.8.6</gson.version>
        <os-maven-plugin.version>1.6.2</os-maven-plugin.version>
        <protobuf-maven-plugin.version>0.6.1</protobuf-maven-plugin.version>

--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -43,14 +43,14 @@ freemarker-2.3.28.jar
 graphql-java-8.0.jar
 graphql-java-tools-5.2.3.jar
 groovy-3.0.8.jar
-grpc-api-1.42.1.jar
-grpc-context-1.42.1.jar
-grpc-core-1.42.1.jar
-grpc-grpclb-1.42.1.jar
-grpc-netty-1.42.1.jar
-grpc-protobuf-1.42.1.jar
-grpc-protobuf-lite-1.42.1.jar
-grpc-stub-1.42.1.jar
+grpc-api-1.43.2.jar
+grpc-context-1.43.2.jar
+grpc-core-1.43.2.jar
+grpc-grpclb-1.43.2.jar
+grpc-netty-1.43.2.jar
+grpc-protobuf-1.43.2.jar
+grpc-protobuf-lite-1.43.2.jar
+grpc-stub-1.43.2.jar
 gson-2.8.6.jar
 gson-fire-1.8.5.jar
 guava-28.1-jre.jar
@@ -63,6 +63,7 @@ httpcore-nio-4.4.13.jar
 influxdb-java-2.15.jar
 iotdb-session-0.12.3.jar
 iotdb-thrift-0.12.3.jar
+j2objc-annotations-1.3.jar
 jackson-annotations-2.12.2.jar
 jackson-core-2.12.2.jar
 jackson-databind-2.12.2.jar
@@ -130,8 +131,8 @@ okio-1.17.2.jar
 perfmark-api-0.23.0.jar
 postgresql-42.2.18.jar
 proto-google-common-protos-2.0.1.jar
-protobuf-java-3.17.3.jar
-protobuf-java-util-3.17.3.jar
+protobuf-java-3.19.2.jar
+protobuf-java-util-3.19.2.jar
 reactive-streams-1.0.2.jar
 reflectasm-1.11.7.jar
 retrofit-2.5.0.jar