[BUG] CVE-2024-7254 in com.google.protobuf:protobuf-java (caused by com.linecorp.armeria:armeria-grpc)

[KarstenSchnitter]

Describe the bug
The current dependency on com.linecorp.armeria:armeria-grpc:1.29.0 introduces transitive dependency on com.google.protobuf:protobuf-java:3.25.1. This version is subject to CVE-2024-7254.

To Reproduce
Run ./gradlew allDeps and grep for protobuf-java.

Expected behavior

• Upgrade to latest library versions, which fix the CVE.
• Backport to 2.12.0.

Environment (please complete the following information):

• Version: current main + 2.12.0 and before

Additional context
I would have expected the automated dependency check to find this issue and provide an appropriate PR. It would be a good idea to investigate, why this did not happen.

[KarstenSchnitter]

I have tried to provide an upgrade with:

• armeria 1.29.0 -> 1.32.5
• grpc 1.63.0 -> 1.70.0
• protobuf 3.24.3 -> 3.25.5

But I am struggling with [DnsPeerListProviderCreationTest](

data-prepper/data-prepper-core/src/test/java/org/opensearch/dataprepper/core/peerforwarder/discovery/DnsPeerListProviderCreationTest.java

Lines 59 to 61 in 44b62a2

	when(dnsAddressEndpointGroupBuilder.build()).thenReturn(dnsAddressEndpointGroup);
	when(dnsAddressEndpointGroupBuilder.ttl(anyInt(), anyInt())).thenReturn(dnsAddressEndpointGroupBuilder);
	when(dnsAddressEndpointGroup.whenReady()).thenReturn(completableFuture);

.

The classes DnsAddressEndpointGroup and DnsAddressEndpointGroupBuilder are now final. That causes errors with Mockito. I would appreciate some pointers on how to go about that.

[KarstenSchnitter]

I provided #5891 as a draft with the library upgrades.

[dlvenable]

@KarstenSchnitter , I made some changes to #5891 to get it building and the tests passing so this is now merged.