Update dependencies to address CVE-2020-7768, CVE-2023-32732

Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>

Author: bestbeforetoday

fabric-chaincode-shim/build.gradle

@@ -47,24 +47,25 @@ dependencies {
     implementation 'io.github.classgraph:classgraph:4.8.161'
     implementation group: 'com.github.everit-org.json-schema', name: 'org.everit.json.schema', version: '1.14.1'
     implementation 'org.json:json:20220320'
-    implementation group: 'com.google.protobuf', name: 'protobuf-java-util', version: '3.19.6'
+    implementation group: 'com.google.protobuf', name: 'protobuf-java-util', version: '3.22.5'
 
     // Required if using Java 11+ as no longer bundled in the core libraries
     testImplementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
-    implementation 'io.grpc:grpc-netty-shaded:1.45.4'
-    implementation 'io.grpc:grpc-protobuf:1.45.4'
-    implementation 'io.grpc:grpc-stub:1.45.4'
+    implementation 'io.grpc:grpc-netty-shaded:1.56.1'
+    implementation 'io.grpc:grpc-protobuf:1.56.1'
+    implementation 'io.grpc:grpc-stub:1.56.1'
 
-    implementation platform("io.opentelemetry:opentelemetry-bom:1.6.0")
+    implementation platform("io.opentelemetry:opentelemetry-bom:1.28.0")
+    implementation platform("io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom-alpha:1.28.0-alpha")
 
     implementation "io.opentelemetry:opentelemetry-api"
-    implementation "io.opentelemetry:opentelemetry-proto:1.6.0-alpha"
+    implementation "io.opentelemetry:opentelemetry-proto:1.7.1-alpha"
     implementation "io.opentelemetry:opentelemetry-sdk"
-    implementation "io.opentelemetry:opentelemetry-sdk-extension-autoconfigure:1.6.0-alpha"
+    implementation "io.opentelemetry:opentelemetry-sdk-extension-autoconfigure"
     implementation "io.opentelemetry:opentelemetry-sdk-trace"
     implementation 'io.opentelemetry:opentelemetry-exporter-otlp'
-    implementation 'io.opentelemetry:opentelemetry-extension-trace-propagators:1.6.0'
-    implementation "io.opentelemetry.instrumentation:opentelemetry-grpc-1.6:1.5.3-alpha"
+    implementation 'io.opentelemetry:opentelemetry-extension-trace-propagators'
+    implementation "io.opentelemetry.instrumentation:opentelemetry-grpc-1.6"
 }
 
 dependencyCheck {

fabric-chaincode-shim/src/main/java/org/hyperledger/fabric/traces/impl/OpenTelemetryTracesProvider.java

@@ -11,8 +11,8 @@
 import io.opentelemetry.api.trace.SpanKind;
 import io.opentelemetry.api.trace.Tracer;
 import io.opentelemetry.context.Context;
-import io.opentelemetry.instrumentation.grpc.v1_6.GrpcTracing;
-import io.opentelemetry.sdk.autoconfigure.OpenTelemetrySdkAutoConfiguration;
+import io.opentelemetry.instrumentation.grpc.v1_6.GrpcTelemetry;
+import io.opentelemetry.sdk.autoconfigure.AutoConfiguredOpenTelemetrySdk;
 import io.opentelemetry.semconv.resource.attributes.ResourceAttributes;
 import org.hyperledger.fabric.shim.ChaincodeStub;
 import org.hyperledger.fabric.traces.TracesProvider;
@@ -26,17 +26,18 @@ public final class OpenTelemetryTracesProvider implements TracesProvider {
     private static final String CORE_CHAINCODE_ID_NAME = "CORE_CHAINCODE_ID_NAME";
 
     private Tracer tracer;
-    private GrpcTracing grpcTracer;
+    private GrpcTelemetry grpcTracer;
 
     @Override
     public void initialize(final Properties props) {
         String serviceName = props.getProperty(CORE_CHAINCODE_ID_NAME, "unknown");
         props.setProperty(ResourceAttributes.SERVICE_NAME.getKey(), serviceName);
 
-        OpenTelemetry openTelemetry = OpenTelemetrySdkAutoConfiguration.initialize(false,
-                new OpenTelemetryProperties(System.getenv(), System.getProperties(), props));
+        OpenTelemetry openTelemetry = AutoConfiguredOpenTelemetrySdk.builder()
+                .build()
+                .getOpenTelemetrySdk();
         tracer = openTelemetry.getTracerProvider().get("org.hyperledger.traces");
-        grpcTracer = GrpcTracing.newBuilder(openTelemetry).build();
+        grpcTracer = GrpcTelemetry.create(openTelemetry);
     }
 
     @Override