Fix app container build, fix security vulnerabilities in dependencies (…

…#50)
eclipse-velocitas · May 24, 2023 · 1267845 · 1267845
1 parent 4cd4ba3
commit 1267845
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 18 deletions.
diff --git a/NOTICE-3RD-PARTY-CONTENT.md b/NOTICE-3RD-PARTY-CONTENT.md
@@ -30,12 +30,12 @@
 |PyJWT|2.7.0|MIT|
 |python-dateutil|2.8.2|Apache 2.0<br/>BSD|
 |PyYAML|6.0|MIT|
-|requests|2.30.0|Apache 2.0|
+|requests|2.31.0|Apache 2.0|
 |setuptools|58.1.0|MIT|
 |six|1.16.0|MIT|
 |toml|0.10.2|MIT|
 |tqdm|4.65.0|MIT<br/>Mozilla Public License 2.0 (MPL 2.0)|
-|urllib3|1.26.15|MIT|
+|urllib3|1.26.16|MIT|
 |virtualenv|20.23.0|MIT|
 ## Workflows
 | Dependency | Version | License |

diff --git a/NOTICE.md b/NOTICE.md
@@ -50,18 +50,18 @@ they are given here (manually added) for time being:
 
 | Dependency | Version | License |
 |:-----------|:-------:|--------:|
-|abseil|20211102.0|Apache 2.0|
-|c-ares|1.18.1|c-ares (MIT-style)|
-|cpr|1.9.0|MIT|
+|abseil|20220623.0|Apache 2.0|
+|c-ares|1.19.0|c-ares (MIT-style)|
+|cpr|1.9.3|MIT|
 |fmt|9.1.0|MIT|
-|googleapis|cci.20220711|Apache 2.0|
-|grpc|1.48.0|Apache 2.0|
+|googleapis|cci.20221108|Apache 2.0|
+|grpc|1.50.1|Apache 2.0|
 |grpc-proto|cci.20220627|Apache 2.0|
-|libcurl|7.84.0|CURL|
+|libcurl|7.87.0|CURL|
 |nlohmann_json|3.11.2|MIT|
-|openssl|1.1.1q|OpenSSL License AND SSLeay License|
+|openssl|1.1.1t|OpenSSL License AND SSLeay License|
 |paho-mqtt-c|1.3.9|EPL 2.0 AND EDL 1.0|
 |paho-mqtt-cpp|1.2.0|EPL 1.0 AND EDL 1.0|
-|protobuf|3.21.4|Google License|
-|re2|20220601|BSD-3-Clause|
-|zlib|1.2.12|zlib/libpng license|
+|protobuf|3.21.9|Google License|
+|re2|20230301|BSD-3-Clause|
+|zlib|1.2.13|zlib/libpng license|
diff --git a/conanfile.py b/conanfile.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Robert Bosch GmbH
+# Copyright (c) 2022-2023 Robert Bosch GmbH
 #
 # This program and the accompanying materials are made available under the
 # terms of the Apache License, Version 2.0 which is available at
@@ -19,12 +19,13 @@
 
 class VehicleAppCppSdkConan(ConanFile):
     name = "vehicle-app-sdk"
-    version = "0.1"
+    version = "0.2.2"
     license = "Apache-2.0"
     url = "https://github.com/eclipse-velocitas/vehicle-app-cpp-sdk"
     description = "The Vehicle App SDK for c++ allows to create Vehicle Apps from the Velocitas development model in the c++ programming language."
-    # Workaround: Pin recipe revision for transient dependency googleapis for enabling the container build
-    requires = "openssl/1.1.1q", "libcurl/7.84.0", "nlohmann_json/3.11.2", "paho-mqtt-cpp/1.2.0", "grpc/1.48.0", "protobuf/3.21.4", "cpr/1.9.0", "fmt/9.1.0", "zlib/1.2.13", "googleapis/cci.20221108@#e4bebdfa02f3b6f93bae1d5001b8d439"
+    # Workaround1: Pin recipe revision for transient dependency googleapis for enabling the container build
+    # Workaround2: Pin recipe revision for transient dependency paho-mqtt-c cause latest is pulling libanl which cannot be found
+    requires = "openssl/1.1.1t", "nlohmann_json/3.11.2", "paho-mqtt-cpp/1.2.0", "grpc/1.50.1", "protobuf/3.21.9", "cpr/1.9.3", "fmt/9.1.0", "googleapis/cci.20221108@#e4bebdfa02f3b6f93bae1d5001b8d439", "paho-mqtt-c/1.3.9@#0421671a9f4e8ccfa5fc678cfb160394"
     generators = "cmake"
     author = "Robert Bosch GmbH"
 
@@ -82,5 +83,6 @@ def imports(self):
 
     def build_requirements(self):
         # 'build' context (protoc.exe will be available)
-        self.tool_requires("protobuf/3.21.4")
-        self.tool_requires("grpc/1.48.0")
+        self.tool_requires("protobuf/3.21.9")
+        self.tool_requires("grpc/1.50.1")
+