2.x Upgrade google-api-client

dependencies/pom.xml

@@ -53,8 +53,8 @@
         <version.lib.el-impl>3.0.4</version.lib.el-impl>
         <version.lib.etcd4j>2.18.0</version.lib.etcd4j>
         <version.lib.failsafe>2.3.1</version.lib.failsafe>
-        <version.lib.google-api-client>1.32.2</version.lib.google-api-client>
-        <version.lib.google-oauth-client>1.32.1</version.lib.google-oauth-client>
+        <version.lib.google-api-client>1.34.1</version.lib.google-api-client>
+        <version.lib.google-oauth-client>1.33.3</version.lib.google-oauth-client>
         <version.lib.google-error-prone>2.3.3</version.lib.google-error-prone>
         <version.lib.google-protobuf>3.19.2</version.lib.google-protobuf>
         <version.lib.graalvm>21.3.0</version.lib.graalvm>
@@ -576,16 +576,21 @@
                     </exclusion>
                 </exclusions>
             </dependency>
-            <!-- For dependency converge only -->
+            <!-- For dependency converge and force uppgrade of oauth-client -->
             <dependency>
                 <groupId>com.google.oauth-client</groupId>
                 <artifactId>google-oauth-client</artifactId>
                 <version>${version.lib.google-oauth-client}</version>
+                <!-- Defer to versions from google-api-client -->
                 <exclusions>
                     <exclusion>
                         <groupId>com.google.http-client</groupId>
                         <artifactId>google-http-client</artifactId>
                     </exclusion>
+                    <exclusion>
+                        <groupId>com.google.http-client</groupId>
+                        <artifactId>google-http-client-gson</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
 

etc/dependency-check-suppression.xml

@@ -159,6 +159,20 @@
    <cve>CVE-2021-34371</cve>
 </suppress>
 
+<!-- Neo4j driver bundles some netty components. This CVE "only impacts applications
+     running on Java version 6". We require Java 11 or newer.
+     Helidon's Netty version has already been upgraded to 4.1.77.Final (or newer) which does
+     not contain this CVE.
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: neo4j-java-driver-4.4.3.jar (shaded: io.netty:netty-transport:4.1.73.Final)
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@4.1.73.Final$</packageUrl>
+   <cve>CVE-2022-24823</cve>
+</suppress>
+
+
 <!-- This CVE was fixed in the EL implementations com.sun.el:el-ri:3.0.4 and org.glassfish:jakarta.el:3.0.4
      which we have upgraded to. But the scan triggers a false positive on the API: jakarta.el:jakarta.el-api:3.0.3
 -->
@@ -182,4 +196,16 @@
    <cpe>cpe:/a:netty:netty</cpe>
 </suppress>
 
+<!-- This package was being detected as an old version of com.google.code.gson:gson. The version 
+     of com.google.cod.gson:gson that is brought in transitively is 2.8.9 which does not 
+     contain this CVE.
+-->
+<suppress>
+   <notes><![CDATA[
+   file name: google-http-client-gson-1.41.8.jar
+   ]]></notes>
+   <packageUrl regex="true">^pkg:maven/com\.google\.http\-client/google\-http\-client\-gson@.*$</packageUrl>
+   <cve>CVE-2022-25647</cve>
+</suppress>
+
 </suppressions>