From 2046c2b5b5b6a832178c1435f3d4be31fafe6126 Mon Sep 17 00:00:00 2001
From: Sidharth Jain <32795041+sidharth-jain23@users.noreply.github.com>
Date: Fri, 15 May 2026 20:59:47 +0530
Subject: [PATCH] Bump service-framework to 0.1.94 and remove temporary
 workarounds

- Upgrade hypertrace-framework from 0.1.93 to 0.1.94 (now uses Jetty 12
  EE10 coordinates)
- Restore service-framework deps in test-consumer (no longer pulls old
  org.eclipse.jetty:jetty-servlet coordinates)
- Remove CVE-2026-41417 OWASP suppression (service-framework 0.1.94 was
  built against BOM with netty 4.1.133.Final)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 gradle/libs.versions.toml      |  2 +-
 owasp-suppressions.xml         |  4 ----
 test-consumer/build.gradle.kts | 24 +++++++++++-------------
 3 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 6ec2abc..66e3bf6 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -1,7 +1,7 @@
 [versions]
 protoc = "3.25.8"
 grpc = "1.75.0"
-hypertrace-framework = "0.1.93"
+hypertrace-framework = "0.1.94"
 hypertrace-grpcutils = "0.13.23"
 hypertrace-kafka = "0.6.4"
 hypertrace-bom = "+"
diff --git a/owasp-suppressions.xml b/owasp-suppressions.xml
index 693e0ae..fbf9371 100644
--- a/owasp-suppressions.xml
+++ b/owasp-suppressions.xml
@@ -1,7 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-  <suppress>
-    <notes><![CDATA[Temporary suppression until service-framework is published with Netty 4.1.133.Final]]></notes>
-    <cve>CVE-2026-41417</cve>
-  </suppress>
 </suppressions>
diff --git a/test-consumer/build.gradle.kts b/test-consumer/build.gradle.kts
index 6562069..5f37e93 100644
--- a/test-consumer/build.gradle.kts
+++ b/test-consumer/build.gradle.kts
@@ -9,13 +9,12 @@ dependencies {
   api(libs.hypertrace.grpcutils.server)
   api(libs.hypertrace.grpcutils.rx.client)
   api(libs.hypertrace.grpcutils.rx.server)
-  // TODO: uncomment after publishing service-framework with Jetty 12
-  // api(libs.hypertrace.framework.grpc)
-  // api(libs.hypertrace.framework.http)
-  // api(libs.hypertrace.framework.spi)
-  // api(libs.hypertrace.kafka.framework)
-  // api(libs.hypertrace.integrationtest.framework)
-  // api(libs.hypertrace.framework.documentstore.metrics)
+  api(libs.hypertrace.framework.grpc)
+  api(libs.hypertrace.framework.http)
+  api(libs.hypertrace.framework.spi)
+  api(libs.hypertrace.kafka.framework)
+  api(libs.hypertrace.integrationtest.framework)
+  api(libs.hypertrace.framework.documentstore.metrics)
   api(libs.hypertrace.documentstore)
   api(libs.hypertrace.eventstore)
   api(libs.hypertrace.attributeservice.api)
@@ -58,12 +57,11 @@ dependencies {
   api(libs.commons.text)
   api(libs.graphql.java)
   api(libs.jsr305)
-  // TODO: uncomment after publishing service-framework with Jetty 12
-  // api(libs.hypertrace.framework.grpc.jakarta)
-  // api(libs.hypertrace.framework.http.jakarta)
-  // api(libs.hypertrace.framework.spi.jakarta)
-  // api(libs.hypertrace.integrationtest.framework.jakarta)
-  // api(libs.hypertrace.framework.documentstore.metrics.jakarta)
+  api(libs.hypertrace.framework.grpc.jakarta)
+  api(libs.hypertrace.framework.http.jakarta)
+  api(libs.hypertrace.framework.spi.jakarta)
+  api(libs.hypertrace.integrationtest.framework.jakarta)
+  api(libs.hypertrace.framework.documentstore.metrics.jakarta)
   api(libs.apache.httpcomponents.httpclient)
   api(libs.awaitility)
   api(libs.jakarta.inject.api)