Java SDK vulnerabilities in 12.1

[alicejgibbons]

Four vulnerabilities found in the latest Java SDK 1.12.1.

SDK sub component	module	cvssScore	version	Fixed in	link to CVE
dapr-sdk-autogen	com.google.protobuf:protobuf-java	8.7 (high)	3.25.0	3.25.5;4.27.5;4.28.2	Snyk CVE-2024-7254
dapr-sdk	com.squareup.okhttp3:okhttp	4.8 (med)	4.9.0	4.9.2	SnykCVE-2023-0833
dapr-sdk	org.jetbrains.kotlin:kotlin-stdlib	5.3 (med)	1.4.10	1.6.0	Snyk CVE-2022-24329
dapr-sdk	org.jetbrains.kotlin:kotlin-stdlib	3.3 (low)	1.9.10	2.1.0	Snyk CVE-2020-29582

[salaboy]

Ok.. so.. it seems that this is the problem:

com.squareup.okhttp3:okhttp

[INFO] +- io.dapr:dapr-sdk-autogen:jar:1.13.0-SNAPSHOT:compile
[INFO] |  +- io.grpc:grpc-netty-shaded:jar:1.64.0:runtime
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.23.0:compile
[INFO] |  |  \- io.perfmark:perfmark-api:jar:0.26.0:runtime
[INFO] |  +- io.grpc:grpc-protobuf:jar:1.64.0:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- com.google.protobuf:protobuf-java:jar:3.25.1:compile
[INFO] |  |  +- com.google.api.grpc:proto-google-common-protos:jar:2.29.0:compile
[INFO] |  |  \- io.grpc:grpc-protobuf-lite:jar:1.64.0:runtime
[INFO] |  \- io.grpc:grpc-stub:jar:1.64.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.1:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.15.1:compile
[INFO] +- io.projectreactor:reactor-core:jar:3.5.0:compile
[INFO] |  \- org.reactivestreams:reactive-streams:jar:1.0.4:compile
[INFO] +- com.squareup.okhttp3:okhttp:jar:4.9.0:compile
[INFO] |  +- com.squareup.okio:okio:jar:2.8.0:compile
[INFO] |  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.4.0:compile
[INFO] |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.10:compile
[INFO] |     \- org.jetbrains:annotations:jar:13.0:compile

[salaboy]

So. if we upgrade:

com.squareup.okhttp3:okhttp 

To 4.9.2 the issue with org.jetbrains.kotlin:kotlin-stdlib should be solved.

[salaboy]

Created a PR: #1163