diff --git a/.gitattributes b/.gitattributes index 7994c7c6..4c97d548 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,6 +1,7 @@ *.sh text eol=lf .github/workflows/broken_links_checker.yml linguist-generated=true .github/workflows/dependencies_check.yml linguist-generated=true +.github/workflows/dependencies_update.yml linguist-generated=true .github/workflows/release_droid_print_quick_checksum.yml linguist-generated=true .settings/org.eclipse.jdt.core.prefs linguist-generated=true .settings/org.eclipse.jdt.ui.prefs linguist-generated=true diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml index 82ec1cd5..0fbcad58 100644 --- a/.github/workflows/broken_links_checker.yml +++ b/.github/workflows/broken_links_checker.yml @@ -1,3 +1,5 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/broken_links_checker.yml name: Broken Links Checker on: diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml index b9c4278f..bc5cdb41 100644 --- a/.github/workflows/ci-build-next-java.yml +++ b/.github/workflows/ci-build-next-java.yml @@ -1,5 +1,4 @@ name: CI Build next Java - on: push: branches: @@ -25,9 +24,10 @@ jobs: cache: "maven" - name: Run tests and build with Maven run: | - mvn --batch-mode --update-snapshots clean javadoc:javadoc -DtrimStackTrace=false \ + mvn --batch-mode --update-snapshots clean javadoc:javadoc -DtrimStackTrace=false \ + -Djava.version=17 \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn - - name: Publish Test Report + - name: Publish Test Report for Java 17 uses: scacap/action-surefire-report@v1 if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }} with: 
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index 4bc1a6f9..8ab9549b 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -14,9 +14,9 @@ jobs: strategy: fail-fast: false matrix: - exasol_db_version: ["8.23.1", "7.1.24"] + exasol_db_version: ["8.24.0", "7.1.25"] env: - DEFAULT_EXASOL_DB_VERSION: "8.23.1" + DEFAULT_EXASOL_DB_VERSION: "8.24.0" steps: - name: Free Disk Space run: | @@ -26,16 +26,16 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 & 17 + - name: Set up JDKs uses: actions/setup-java@v4 with: distribution: "temurin" java-version: | - 17 11 + 17 cache: "maven" - name: Cache SonarCloud packages - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar @@ -44,7 +44,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v4 with: - go-version: "1.21" + go-version: "1.22" cache: false - name: Cache Go modules 
@@ -64,23 +64,21 @@ jobs: run: mvn --batch-mode clean compile test-compile scalastyle:check scalafix:scalafix spotless:check - name: Build extension run: | - mvn package -DskipTests + mvn --batch-mode package -DskipTests cd extension npm ci npm run build npm run test npm run lint - name: Run tests and build with Maven - run: > - JAVA_HOME=$JAVA_HOME_11_X64 - mvn --batch-mode verify - -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn - -DtrimStackTrace=false - -Dcom.exasol.dockerdb.image=${{ matrix.exasol_db_version }} + run: | + mvn --batch-mode verify \ + -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ + -DtrimStackTrace=false \ + -Dcom.exasol.dockerdb.image=${{ matrix.exasol_db_version }} env: - # Passing system property via -Dcom.exasol.dockerdb.image does not work because the scalatest plugin does - # not forward it to the test. So we use this environment variable, - # see BaseIntegrationTest.scala.getExasolDockerImageVersion() + # Set additional environment variable as in scala projects the scalatest plugin does not forward + # the system property -Dcom.exasol.dockerdb.image to the test's implementation. EXASOL_DB_VERSION: ${{ matrix.exasol_db_version }} - name: Publish Test Report for Exasol ${{ matrix.exasol_db_version }} uses: scacap/action-surefire-report@v1 
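Review bot: In the "Run tests and build with Maven" step, `${{ matrix.exasol_db_version }}` is still expanded into the script text before the shell runs, although the same value is already exported to the step as `EXASOL_DB_VERSION`. The matrix is a literal list in this file, so this is a hardening and style point rather than an injection finding, but reading the variable keeps expressions out of `run:` bodies: `-Dcom.exasol.dockerdb.image="$EXASOL_DB_VERSION" \`. The rewritten command also drops `JAVA_HOME=$JAVA_HOME_11_X64`, so the JDK that runs the tests is presumably selected by toolchains configuration outside this diff; a one-line comment on the step saying so would help the next reader.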
@@ -89,14 +87,11 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Sonar analysis if: ${{ env.SONAR_TOKEN != null && matrix.exasol_db_version == env.DEFAULT_EXASOL_DB_VERSION }} - run: > - JAVA_HOME=$JAVA_HOME_17_X64 - mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar - -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn - -DtrimStackTrace=false - -Dsonar.organization=exasol - -Dsonar.host.url=https://sonarcloud.io - -Dsonar.token=$SONAR_TOKEN + run: | + mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ + -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ + -DtrimStackTrace=false \ + -Dsonar.token=$SONAR_TOKEN env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml index 4b6eadf6..6926e55c 100644 --- a/.github/workflows/dependencies_check.yml +++ b/.github/workflows/dependencies_check.yml @@ -1,5 +1,6 @@ -name: Report Security Issues for Repository - +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml +name: Report Security Issues on: workflow_dispatch: schedule: 
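Review bot: The rewritten "Sonar analysis" step still passes the token on the command line, `-Dsonar.token=$SONAR_TOKEN`, which puts the secret into the Maven process arguments on the runner; log masking does not cover that. `SONAR_TOKEN` is already exported in this step's `env:`, and the SonarScanner for Maven should pick the token up from that variable on its own, so the flag can most likely be dropped. If it has to stay, quote the expansion: `-Dsonar.token="$SONAR_TOKEN"`. The hunk also removes `-Dsonar.organization` and `-Dsonar.host.url`; those presumably come from the POM now, which is not visible here, so it is worth confirming that the analysis still targets the intended server.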
@@ -9,27 +10,55 @@ jobs: report_security_issues: runs-on: ubuntu-latest permissions: + contents: read issues: write - + outputs: + created-issues: ${{ steps.security-issues.outputs.created-issues }} steps: - uses: actions/checkout@v4 - - name: Set up JDK 11 - uses: actions/setup-java@v3 + + - name: Set up JDKs + uses: actions/setup-java@v4 with: distribution: "temurin" - java-version: 11 + java-version: | + 11 + 17 cache: "maven" - name: Generate ossindex report run: | - mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \ + mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \ org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate \ -Dossindex.reportFile=$(pwd)/ossindex-report.json \ -Dossindex.fail=false - name: Report Security Issues + id: security-issues uses: exasol/python-toolbox/.github/actions/security-issues@main with: format: "maven" command: "cat ossindex-report.json" github-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Output security issues (Debugging) + run: | + echo "$CREATED_ISSUES" > test.jsonl + cat test.jsonl + env: + CREATED_ISSUES: ${{ steps.security-issues.outputs.created-issues }} + + start_dependency_udpate: + needs: report_security_issues + if: ${{ needs.report_security_issues.outputs.created-issues }} + concurrency: + cancel-in-progress: true + group: "dependency_update" + # Workflow needs secret INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK + secrets: inherit + permissions: + contents: write + pull-requests: write + uses: ./.github/workflows/dependencies_update.yml + with: + vulnerability_issues: ${{ needs.report_security_issues.outputs.created-issues }} diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml new file mode 100644 index 00000000..58222ba5 --- /dev/null +++ b/.github/workflows/dependencies_update.yml 
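Review bot: The new `start_dependency_udpate` job calls the reusable workflow with `secrets: inherit`, which hands every secret of this repository to a job that holds `contents: write` and `pull-requests: write`, although the comment above it names only `INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK`. Passing that one secret explicitly keeps the grant minimal: `secrets:` followed by `INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}`, with a matching declaration under `on.workflow_call.secrets` in `dependencies_update.yml`. The job id is also misspelled (`udpate`). The unchanged `exasol/python-toolbox/.github/actions/security-issues@main` reference follows a moving branch while the job has `issues: write`; a tag or full commit SHA would make the run reproducible. The file header says it is generated by Project Keeper, so these changes belong in the upstream template.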
@@ -0,0 +1,169 @@
+# Generated by Project Keeper
+# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_update.yml
+name: Update dependencies
+on:
+ workflow_call:
+ inputs:
+ vulnerability_issues:
+ description: "GitHub issues for vulnerable dependencies as JSONL"
+ required: true
+ type: string
+ workflow_dispatch:
+
+jobs:
+ update_dependencies:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up JDKs
+ uses: actions/setup-java@v4
+ with:
+ distribution: "temurin"
+ java-version: |
+ 11
+ 17
+ cache: "maven"
+
+ - name: Print issues
+ run: |
+ echo "Issues from Action input: $ISSUES"
+ env:
+ ISSUES: ${{ inputs.vulnerability_issues }}
+
+ - name: Fail if not running on a branch
+ if: ${{ !startsWith(github.ref, 'refs/heads/') }}
+ uses: actions/github-script@v7
+ with:
+ script: |
+ core.setFailed('Not running on a branch, github.ref is ${{ github.ref }}. Please start this workflow only on main or a branch')
+
+ - name: Update dependencies
+ run: |
+ mvn --batch-mode com.exasol:project-keeper-maven-plugin:update-dependencies --projects . \
+ -Dproject-keeper:vulnerabilities="$CREATED_ISSUES"
+ env:
+ CREATED_ISSUES: ${{ inputs.vulnerability_issues }}
+
+ - name: Project Keeper Fix
+ run: |
+ mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects .
+
+ - name: Project Keeper Fix for updated Project Keeper version
+ # Calling PK fix a second time is necessary because the first invocation potentially updated PK itself.
+ # So we need to run PK fix again with the latest PK version.
+ # [impl->dsn~dependency-updater.workflow.start-pk-fix~1]
+ run: |
+ mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects .
+ + - name: Generate Pull Request comment + id: pr-comment + # [impl->dsn~dependency-updater.workflow.pull-request-trigger-ci-build~1] + run: | + echo 'comment<> "$GITHUB_OUTPUT" + echo 'This Pull Request was created by [`dependencies_update.yml`](https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_update.yml) workflow.' >> "$GITHUB_OUTPUT" + if [ -n "$CREATED_ISSUES" ]; then + echo 'It updates dependencies to fix the following vulnerabilities:' >> "$GITHUB_OUTPUT" + echo $CREATED_ISSUES | jq --raw-output '. | "* Closes " + .issue_url + " (" + .cve + ")"' >> "$GITHUB_OUTPUT" + else + echo 'It updates dependencies.' >> "$GITHUB_OUTPUT" + fi + echo >> "$GITHUB_OUTPUT" + echo '# ⚠️ This PR does not trigger CI workflows by default ⚠️' >> "$GITHUB_OUTPUT" + echo 'Please click the **Close pull request** button and then **Reopen pull request** to trigger running checks.' >> "$GITHUB_OUTPUT" + echo 'See https://github.com/exasol/project-keeper/issues/534 for details.' 
>> "$GITHUB_OUTPUT"
+ echo 'EOF' >> "$GITHUB_OUTPUT"
+
+ cat "$GITHUB_OUTPUT"
+ env:
+ CREATED_ISSUES: ${{ inputs.vulnerability_issues }}
+
+ - name: Generate Pull Request Title
+ id: pr-title
+ run: |
+ if [ -n "$CREATED_ISSUES" ]; then
+ echo "Security issues are available"
+ echo "title=🔐 Update dependencies to fix vulnerabilities" >> "$GITHUB_OUTPUT"
+ else
+ echo "Security issues are not available"
+ echo "title=Update dependencies" >> "$GITHUB_OUTPUT"
+ fi
+
+ cat "$GITHUB_OUTPUT"
+ env:
+ CREATED_ISSUES: ${{ inputs.vulnerability_issues }}
+
+ - name: Configure git
+ run: |
+ git config --global user.email "opensource@exasol.com"
+ git config --global user.name "Automatic Dependency Updater"
+
+ - name: Create branch
+ if: ${{ github.ref == 'refs/heads/main' }}
+ run: |
+ branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")"
+ echo "Creating branch $branch_name"
+ git checkout -b "$branch_name"
+
+ - name: Commit changes & push
+ if: ${{ startsWith(github.ref, 'refs/heads/' ) }}
+ run: |
+ branch_name=$(git rev-parse --abbrev-ref HEAD)
+ echo "Current branch: $branch_name"
+ echo "git diff --stat"
+ git diff --stat
+ echo "git diff --numstat"
+ git diff --numstat
+ echo "git diff --name-status"
+ git diff --name-status
+ echo "Adding untracked files:"
+ git add . --verbose --all
+ echo "Committing changes..."
+ git commit --message "$TITLE"
+ echo "Pushing branch $branch_name..."
+ git push --set-upstream origin "$branch_name"
+ echo "Done."
+ env: + TITLE: ${{ steps.pr-title.outputs.title }} + + - name: Create pull request + id: create-pr + if: ${{ github.ref == 'refs/heads/main' }} + run: | + pr_url=$(gh pr create --base main --title "$TITLE" --body "$COMMENT") + echo "Created Pull Request: $pr_url" + echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT" + env: + COMMENT: ${{ steps.pr-comment.outputs.comment }} + TITLE: ${{ steps.pr-title.outputs.title }} + GH_TOKEN: ${{ github.token }} + + - name: Report failure Status to Slack channel + # Also run this step in case of failures + if: ${{ always() }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ job.status }} + token: ${{ secrets.GITHUB_TOKEN }} + notification_title: "Dependency check in {repo} has {status_message}" + message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>" + notify_when: "failure,cancelled,warnings" + env: + SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} + + - name: Report new Pull Request to Slack channel + if: ${{ steps.create-pr.outputs.pr_url }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ job.status }} + token: ${{ secrets.GITHUB_TOKEN }} + notification_title: "Dependency update for {repo} created a Pull Request" + message_format: "{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}" + env: + SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml index c2328a26..133dd02e 100644 --- a/.github/workflows/release_droid_prepare_original_checksum.yml +++ b/.github/workflows/release_droid_prepare_original_checksum.yml @@ -1,5 +1,4 @@ name: Release Droid - Prepare Original Checksum - on: workflow_dispatch: 
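Review bot: In the step "Fail if not running on a branch", `${{ github.ref }}` is pasted into the JavaScript source handed to `actions/github-script`, so the ref name becomes part of the script text instead of data, and the step runs precisely when the ref is something other than a branch. Read the value at runtime instead: `core.setFailed('Not running on a branch, github.ref is ' + context.ref + '. Please start this workflow only on main or a branch')`. In "Generate Pull Request comment", `echo $CREATED_ISSUES | jq …` is unquoted and therefore subject to word splitting and globbing; `printf '%s\n' "$CREATED_ISSUES" | jq …` avoids that. `ravsamhq/notify-slack-action@v2` receives the job token and the Slack webhook while being referenced by a movable tag, so pinning it to a full commit SHA is worth considering. The file header says it is generated by Project Keeper, so these changes belong in the upstream template.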
@@ -15,16 +14,18 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 + - name: Set up JDKs uses: actions/setup-java@v4 with: distribution: "temurin" - java-version: 11 + java-version: | + 11 + 17 cache: "maven" - name: Set up Go uses: actions/setup-go@v3 with: - go-version: "1.21" + go-version: "1.22" - name: Enable testcontainer reuse run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - name: Run tests and build with Maven @@ -32,7 +33,7 @@ jobs: - name: Prepare checksum run: find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + > original_checksum - name: Upload checksum to the artifactory - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: original_checksum retention-days: 5 diff --git a/.github/workflows/release_droid_print_quick_checksum.yml b/.github/workflows/release_droid_print_quick_checksum.yml index aed44449..86979cd0 100644 --- a/.github/workflows/release_droid_print_quick_checksum.yml +++ b/.github/workflows/release_droid_print_quick_checksum.yml @@ -1,5 +1,6 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_print_quick_checksum.yml name: Release Droid - Print Quick Checksum - on: workflow_dispatch: @@ -11,11 +12,13 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 - uses: actions/setup-java@v3 + - name: Set up JDKs + uses: actions/setup-java@v4 with: distribution: "temurin" - java-version: 11 + java-version: | + 11 + 17 cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests diff --git a/.github/workflows/release_droid_upload_github_release_assets.yml b/.github/workflows/release_droid_upload_github_release_assets.yml index 2320ca3f..94187c61 100644 --- a/.github/workflows/release_droid_upload_github_release_assets.yml 
+++ b/.github/workflows/release_droid_upload_github_release_assets.yml @@ -1,5 +1,4 @@ name: Release Droid - Upload GitHub Release Assets - on: workflow_dispatch: inputs: @@ -15,11 +14,13 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 + - name: Set up JDKs uses: actions/setup-java@v4 with: distribution: "temurin" - java-version: 11 + java-version: | + 11 + 17 cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests diff --git a/.project-keeper.yml b/.project-keeper.yml index 8ea690d6..b513b8ed 100644 --- a/.project-keeper.yml +++ b/.project-keeper.yml @@ -10,6 +10,8 @@ version: fromSource: pom.xml linkReplacements: excludes: + # Customization needed to build and release extension + - "W-PK-CORE-153: Project-keeper version 4.1.0 is outdated. Please update project-keeper to latest version 4.2.0." - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'" - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build-next-java.yml'" - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_upload_github_release_assets.yml'" @@ -18,5 +20,5 @@ build: runnerOs: ubuntu-20.04 freeDiskSpace: false exasolDbVersions: - - "8.23.1" - - "7.1.24" + - "8.24.0" + - "7.1.25" diff --git a/dependencies.md b/dependencies.md index 1cb7f744..52a4df34 100644 --- a/dependencies.md +++ b/dependencies.md 
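Review bot: In `.project-keeper.yml`, the added comment `# Customization needed to build and release extension` sits directly above the new `W-PK-CORE-153` exclude, but it reads as the reason for the `E-PK-CORE-18` entries that follow. The new entry suppresses the "Project-keeper version 4.1.0 is outdated" warning and spells out these exact version numbers, so it will presumably stop matching as soon as a newer Project Keeper is released and is easy to forget afterwards. Give it its own comment stating why the upgrade is deferred, for example `# TODO: remove once project-keeper is updated to 4.2.0`, and move the customization comment down to the `E-PK-CORE-18` lines.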
@@ -31,71 +31,73 @@ | [ORC Core][24] | [Apache License, Version 2.0][3] | | [Apache Avro][25] | [Apache-2.0][3] | | [Apache Commons Compress][26] | [Apache-2.0][3] | -| [delta-core][27] | [Apache-2.0][28] | -| [Spark Project SQL][29] | [Apache 2.0 License][30] | -| [Apache Ivy][31] | [The Apache Software License, Version 2.0][5] | -| [Parquet for Java][32] | [MIT License][33] | -| [JUL to SLF4J bridge][34] | [MIT License][35] | -| [Apache Log4j API][36] | [Apache-2.0][3] | -| [Apache Log4j 1.x Compatibility API][37] | [Apache-2.0][3] | -| [Apache Log4j Core][38] | [Apache-2.0][3] | -| [scala-logging][39] | [Apache 2.0 License][30] | +| [Nimbus JOSE+JWT][27] | [The Apache Software License, Version 2.0][3] | +| [delta-core][28] | [Apache-2.0][29] | +| [Spark Project SQL][30] | [Apache 2.0 License][31] | +| [Apache Ivy][32] | [The Apache Software License, Version 2.0][5] | +| [Parquet for Java][33] | [MIT License][34] | +| [JUL to SLF4J bridge][35] | [MIT License][36] | +| [Apache Log4j API][37] | [Apache-2.0][3] | +| [Apache Log4j 1.x Compatibility API][38] | [Apache-2.0][3] | +| [Apache Log4j Core][39] | [Apache-2.0][3] | +| [scala-logging][40] | [Apache 2.0 License][31] | ### Test Dependencies | Dependency | License | | ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- | -| [scalatest][40] | [the Apache License, ASL Version 2.0][28] | -| [scalatestplus-mockito][41] | [Apache-2.0][28] | -| [mockito-core][42] | [MIT][43] | -| [Hamcrest][44] | [BSD License 3][45] | -| [testcontainers-scala-scalatest][46] | [The MIT License (MIT)][43] | -| [Testcontainers :: Localstack][47] | [MIT][48] | -| [Test containers for Exasol on Docker][49] | [MIT License][50] | -| [Test Database Builder for Java][51] | [MIT License][52] | -| [Matcher for SQL Result Sets][53] | [MIT License][54] | -| [EqualsVerifier \| release normal jar][55] | [Apache 
License, Version 2.0][3] | -| [JUnit Jupiter Engine][56] | [Eclipse Public License v2.0][57] | -| [Maven Project Version Getter][58] | [MIT License][59] | -| [Extension integration tests library][60] | [MIT License][61] | -| [jersey-core-common][62] | [EPL 2.0][63]; [The GNU General Public License (GPL), Version 2, With Classpath Exception][64]; [Apache License, 2.0][30]; [Public Domain][65] | +| [scalatest][41] | [the Apache License, ASL Version 2.0][29] | +| [scalatestplus-mockito][42] | [Apache-2.0][29] | +| [mockito-core][43] | [MIT][44] | +| [Hamcrest][45] | [BSD License 3][46] | +| [testcontainers-scala-scalatest][47] | [The MIT License (MIT)][44] | +| [Testcontainers :: Localstack][48] | [MIT][49] | +| [Test containers for Exasol on Docker][50] | [MIT License][51] | +| [Test Database Builder for Java][52] | [MIT License][53] | +| [Matcher for SQL Result Sets][54] | [MIT License][55] | +| [EqualsVerifier \| release normal jar][56] | [Apache License, Version 2.0][3] | +| [JUnit Jupiter Engine][57] | [Eclipse Public License v2.0][58] | +| [Maven Project Version Getter][59] | [MIT License][60] | +| [Extension integration tests library][61] | [MIT License][62] | +| [jersey-core-common][63] | [EPL 2.0][64]; [The GNU General Public License (GPL), Version 2, With Classpath Exception][65]; [Apache License, 2.0][31]; [Public Domain][66] | ### Runtime Dependencies | Dependency | License | | ---------------------------- | ----------------------------------------------------------------------------- | -| [Logback Classic Module][66] | [Eclipse Public License - v 1.0][67]; [GNU Lesser General Public License][68] | -| [Logback Core Module][69] | [Eclipse Public License - v 1.0][67]; [GNU Lesser General Public License][68] | +| [Logback Classic Module][67] | [Eclipse Public License - v 1.0][68]; [GNU Lesser General Public License][69] | +| [Logback Core Module][70] | [Eclipse Public License - v 1.0][68]; [GNU Lesser General Public License][69] | ### Plugin Dependencies | 
Dependency | License | | ------------------------------------------------------- | --------------------------------------------- | -| [SonarQube Scanner for Maven][70] | [GNU LGPL 3][71] | -| [Apache Maven Compiler Plugin][72] | [Apache-2.0][3] | -| [Apache Maven Enforcer Plugin][73] | [Apache-2.0][3] | -| [Maven Flatten Plugin][74] | [Apache Software Licenese][3] | -| [org.sonatype.ossindex.maven:ossindex-maven-plugin][75] | [ASL2][5] | -| [scala-maven-plugin][76] | [Public domain (Unlicense)][77] | -| [ScalaTest Maven Plugin][78] | [the Apache License, ASL Version 2.0][28] | -| [Apache Maven Javadoc Plugin][79] | [Apache-2.0][3] | -| [Maven Surefire Plugin][80] | [Apache-2.0][3] | -| [Versions Maven Plugin][81] | [Apache License, Version 2.0][3] | -| [duplicate-finder-maven-plugin Maven Mojo][82] | [Apache License 2.0][30] | -| [Apache Maven Assembly Plugin][83] | [Apache-2.0][3] | -| [Apache Maven JAR Plugin][84] | [Apache License, Version 2.0][3] | -| [Artifact reference checker and unifier][85] | [MIT License][86] | -| [Maven Failsafe Plugin][87] | [Apache-2.0][3] | -| [JaCoCo :: Maven Plugin][88] | [Eclipse Public License 2.0][89] | -| [error-code-crawler-maven-plugin][90] | [MIT License][91] | -| [Reproducible Build Maven Plugin][92] | [Apache 2.0][5] | -| [Project Keeper Maven plugin][93] | [The MIT License][94] | -| [OpenFastTrace Maven Plugin][95] | [GNU General Public License v3.0][96] | -| [Scalastyle Maven Plugin][97] | [Apache 2.0][30] | -| [spotless-maven-plugin][98] | [The Apache Software License, Version 2.0][3] | -| [scalafix-maven-plugin][99] | [BSD-3-Clause][21] | -| [Exec Maven Plugin][100] | [Apache License 2][3] | -| [Apache Maven Clean Plugin][101] | [Apache-2.0][3] | +| [SonarQube Scanner for Maven][71] | [GNU LGPL 3][72] | +| [Apache Maven Toolchains Plugin][73] | [Apache License, Version 2.0][3] | +| [Apache Maven Compiler Plugin][74] | [Apache-2.0][3] | +| [Apache Maven Enforcer Plugin][75] | [Apache-2.0][3] | +| [Maven Flatten 
Plugin][76] | [Apache Software Licenese][3] | +| [org.sonatype.ossindex.maven:ossindex-maven-plugin][77] | [ASL2][5] | +| [scala-maven-plugin][78] | [Public domain (Unlicense)][79] | +| [ScalaTest Maven Plugin][80] | [the Apache License, ASL Version 2.0][29] | +| [Apache Maven Javadoc Plugin][81] | [Apache-2.0][3] | +| [Maven Surefire Plugin][82] | [Apache-2.0][3] | +| [Versions Maven Plugin][83] | [Apache License, Version 2.0][3] | +| [duplicate-finder-maven-plugin Maven Mojo][84] | [Apache License 2.0][31] | +| [Apache Maven Assembly Plugin][85] | [Apache-2.0][3] | +| [Apache Maven JAR Plugin][86] | [Apache License, Version 2.0][3] | +| [Artifact reference checker and unifier][87] | [MIT License][88] | +| [Maven Failsafe Plugin][89] | [Apache-2.0][3] | +| [JaCoCo :: Maven Plugin][90] | [Eclipse Public License 2.0][91] | +| [error-code-crawler-maven-plugin][92] | [MIT License][93] | +| [Reproducible Build Maven Plugin][94] | [Apache 2.0][5] | +| [Project Keeper Maven plugin][95] | [The MIT License][96] | +| [OpenFastTrace Maven Plugin][97] | [GNU General Public License v3.0][98] | +| [Scalastyle Maven Plugin][99] | [Apache 2.0][31] | +| [spotless-maven-plugin][100] | [The Apache Software License, Version 2.0][3] | +| [scalafix-maven-plugin][101] | [BSD-3-Clause][21] | +| [Exec Maven Plugin][102] | [Apache License 2][3] | +| [Apache Maven Clean Plugin][103] | [Apache-2.0][3] | ## Extension @@ -103,7 +105,7 @@ | Dependency | License | | ------------------------------------------ | ------- | -| [@exasol/extension-manager-interface][102] | MIT | +| [@exasol/extension-manager-interface][104] | MIT | [0]: https://www.scala-lang.org/ [1]: https://www.apache.org/licenses/LICENSE-2.0 
@@ -132,79 +134,81 @@ [24]: https://orc.apache.org/orc-core [25]: https://avro.apache.org [26]: https://commons.apache.org/proper/commons-compress/ -[27]: https://delta.io/ -[28]: http://www.apache.org/licenses/LICENSE-2.0 -[29]: https://spark.apache.org/ -[30]: http://www.apache.org/licenses/LICENSE-2.0.html -[31]: http://ant.apache.org/ivy/ -[32]: https://github.com/exasol/parquet-io-java/ -[33]: https://github.com/exasol/parquet-io-java/blob/main/LICENSE -[34]: http://www.slf4j.org -[35]: http://www.opensource.org/licenses/mit-license.php -[36]: https://logging.apache.org/log4j/2.x/log4j/log4j-api/ -[37]: https://logging.apache.org/log4j/2.x/log4j/log4j-1.2-api/ -[38]: https://logging.apache.org/log4j/2.x/log4j/log4j-core/ -[39]: https://github.com/lightbend/scala-logging -[40]: http://www.scalatest.org -[41]: https://github.com/scalatest/scalatestplus-mockito -[42]: https://github.com/mockito/mockito -[43]: https://opensource.org/licenses/MIT -[44]: http://hamcrest.org/JavaHamcrest/ -[45]: http://opensource.org/licenses/BSD-3-Clause -[46]: https://github.com/testcontainers/testcontainers-scala -[47]: https://java.testcontainers.org -[48]: http://opensource.org/licenses/MIT -[49]: https://github.com/exasol/exasol-testcontainers/ -[50]: https://github.com/exasol/exasol-testcontainers/blob/main/LICENSE -[51]: https://github.com/exasol/test-db-builder-java/ -[52]: https://github.com/exasol/test-db-builder-java/blob/main/LICENSE -[53]: https://github.com/exasol/hamcrest-resultset-matcher/ -[54]: https://github.com/exasol/hamcrest-resultset-matcher/blob/main/LICENSE -[55]: https://www.jqno.nl/equalsverifier -[56]: https://junit.org/junit5/ -[57]: https://www.eclipse.org/legal/epl-v20.html -[58]: https://github.com/exasol/maven-project-version-getter/ -[59]: https://github.com/exasol/maven-project-version-getter/blob/main/LICENSE -[60]: https://github.com/exasol/extension-manager/ -[61]: https://github.com/exasol/extension-manager/blob/main/LICENSE -[62]: 
https://projects.eclipse.org/projects/ee4j.jersey/jersey-common -[63]: http://www.eclipse.org/legal/epl-2.0 -[64]: https://www.gnu.org/software/classpath/license.html -[65]: https://creativecommons.org/publicdomain/zero/1.0/ -[66]: http://logback.qos.ch/logback-classic -[67]: http://www.eclipse.org/legal/epl-v10.html -[68]: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html -[69]: http://logback.qos.ch/logback-core -[70]: http://sonarsource.github.io/sonar-scanner-maven/ -[71]: http://www.gnu.org/licenses/lgpl.txt -[72]: https://maven.apache.org/plugins/maven-compiler-plugin/ -[73]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ -[74]: https://www.mojohaus.org/flatten-maven-plugin/ -[75]: https://sonatype.github.io/ossindex-maven/maven-plugin/ -[76]: http://github.com/davidB/scala-maven-plugin -[77]: http://unlicense.org/ -[78]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin -[79]: https://maven.apache.org/plugins/maven-javadoc-plugin/ -[80]: https://maven.apache.org/surefire/maven-surefire-plugin/ -[81]: https://www.mojohaus.org/versions/versions-maven-plugin/ -[82]: https://basepom.github.io/duplicate-finder-maven-plugin -[83]: https://maven.apache.org/plugins/maven-assembly-plugin/ -[84]: https://maven.apache.org/plugins/maven-jar-plugin/ -[85]: https://github.com/exasol/artifact-reference-checker-maven-plugin/ -[86]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE -[87]: https://maven.apache.org/surefire/maven-failsafe-plugin/ -[88]: https://www.jacoco.org/jacoco/trunk/doc/maven.html -[89]: https://www.eclipse.org/legal/epl-2.0/ -[90]: https://github.com/exasol/error-code-crawler-maven-plugin/ -[91]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE -[92]: http://zlika.github.io/reproducible-build-maven-plugin -[93]: https://github.com/exasol/project-keeper/ -[94]: https://github.com/exasol/project-keeper/blob/main/LICENSE -[95]: 
https://github.com/itsallcode/openfasttrace-maven-plugin -[96]: https://www.gnu.org/licenses/gpl-3.0.html -[97]: http://www.scalastyle.org -[98]: https://github.com/diffplug/spotless -[99]: https://github.com/evis/scalafix-maven-plugin -[100]: https://www.mojohaus.org/exec-maven-plugin -[101]: https://maven.apache.org/plugins/maven-clean-plugin/ -[102]: https://registry.npmjs.org/@exasol/extension-manager-interface/-/extension-manager-interface-0.4.1.tgz +[27]: https://bitbucket.org/connect2id/nimbus-jose-jwt +[28]: https://delta.io/ +[29]: http://www.apache.org/licenses/LICENSE-2.0 +[30]: https://spark.apache.org/ +[31]: http://www.apache.org/licenses/LICENSE-2.0.html +[32]: http://ant.apache.org/ivy/ +[33]: https://github.com/exasol/parquet-io-java/ +[34]: https://github.com/exasol/parquet-io-java/blob/main/LICENSE +[35]: http://www.slf4j.org +[36]: http://www.opensource.org/licenses/mit-license.php +[37]: https://logging.apache.org/log4j/2.x/log4j/log4j-api/ +[38]: https://logging.apache.org/log4j/2.x/log4j/log4j-1.2-api/ +[39]: https://logging.apache.org/log4j/2.x/log4j/log4j-core/ +[40]: https://github.com/lightbend/scala-logging +[41]: http://www.scalatest.org +[42]: https://github.com/scalatest/scalatestplus-mockito +[43]: https://github.com/mockito/mockito +[44]: https://opensource.org/licenses/MIT +[45]: http://hamcrest.org/JavaHamcrest/ +[46]: http://opensource.org/licenses/BSD-3-Clause +[47]: https://github.com/testcontainers/testcontainers-scala +[48]: https://java.testcontainers.org +[49]: http://opensource.org/licenses/MIT +[50]: https://github.com/exasol/exasol-testcontainers/ +[51]: https://github.com/exasol/exasol-testcontainers/blob/main/LICENSE +[52]: https://github.com/exasol/test-db-builder-java/ +[53]: https://github.com/exasol/test-db-builder-java/blob/main/LICENSE +[54]: https://github.com/exasol/hamcrest-resultset-matcher/ +[55]: https://github.com/exasol/hamcrest-resultset-matcher/blob/main/LICENSE +[56]: https://www.jqno.nl/equalsverifier 
+[57]: https://junit.org/junit5/ +[58]: https://www.eclipse.org/legal/epl-v20.html +[59]: https://github.com/exasol/maven-project-version-getter/ +[60]: https://github.com/exasol/maven-project-version-getter/blob/main/LICENSE +[61]: https://github.com/exasol/extension-manager/ +[62]: https://github.com/exasol/extension-manager/blob/main/LICENSE +[63]: https://projects.eclipse.org/projects/ee4j.jersey/jersey-common +[64]: http://www.eclipse.org/legal/epl-2.0 +[65]: https://www.gnu.org/software/classpath/license.html +[66]: https://creativecommons.org/publicdomain/zero/1.0/ +[67]: http://logback.qos.ch/logback-classic +[68]: http://www.eclipse.org/legal/epl-v10.html +[69]: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html +[70]: http://logback.qos.ch/logback-core +[71]: http://sonarsource.github.io/sonar-scanner-maven/ +[72]: http://www.gnu.org/licenses/lgpl.txt +[73]: https://maven.apache.org/plugins/maven-toolchains-plugin/ +[74]: https://maven.apache.org/plugins/maven-compiler-plugin/ +[75]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ +[76]: https://www.mojohaus.org/flatten-maven-plugin/ +[77]: https://sonatype.github.io/ossindex-maven/maven-plugin/ +[78]: http://github.com/davidB/scala-maven-plugin +[79]: http://unlicense.org/ +[80]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin +[81]: https://maven.apache.org/plugins/maven-javadoc-plugin/ +[82]: https://maven.apache.org/surefire/maven-surefire-plugin/ +[83]: https://www.mojohaus.org/versions/versions-maven-plugin/ +[84]: https://basepom.github.io/duplicate-finder-maven-plugin +[85]: https://maven.apache.org/plugins/maven-assembly-plugin/ +[86]: https://maven.apache.org/plugins/maven-jar-plugin/ +[87]: https://github.com/exasol/artifact-reference-checker-maven-plugin/ +[88]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE +[89]: https://maven.apache.org/surefire/maven-failsafe-plugin/ +[90]: 
https://www.jacoco.org/jacoco/trunk/doc/maven.html +[91]: https://www.eclipse.org/legal/epl-2.0/ +[92]: https://github.com/exasol/error-code-crawler-maven-plugin/ +[93]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE +[94]: http://zlika.github.io/reproducible-build-maven-plugin +[95]: https://github.com/exasol/project-keeper/ +[96]: https://github.com/exasol/project-keeper/blob/main/LICENSE +[97]: https://github.com/itsallcode/openfasttrace-maven-plugin +[98]: https://www.gnu.org/licenses/gpl-3.0.html +[99]: http://www.scalastyle.org +[100]: https://github.com/diffplug/spotless +[101]: https://github.com/evis/scalafix-maven-plugin +[102]: https://www.mojohaus.org/exec-maven-plugin +[103]: https://maven.apache.org/plugins/maven-clean-plugin/ +[104]: https://registry.npmjs.org/@exasol/extension-manager-interface/-/extension-manager-interface-0.4.1.tgz diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index 73821593..4400e3a5 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [2.7.10](changes_2.7.10.md) * [2.7.9](changes_2.7.9.md) * [2.7.8](changes_2.7.8.md) * [2.7.7](changes_2.7.7.md) diff --git a/doc/changes/changes_2.7.10.md b/doc/changes/changes_2.7.10.md new file mode 100644 index 00000000..67d4d0f8 --- /dev/null +++ b/doc/changes/changes_2.7.10.md 
@@ -0,0 +1,31 @@ +# Cloud Storage Extension 2.7.10, released 2024-03-15 + +Code name: Security fixes in transitive dependencies + +## Summary +Fix CVEs in transitive dependencies, upgrade of PK to 4.1.0 + +## Features + +* #294: CVE-2023-52428: com.nimbusds:nimbus-jose-jwt:jar:9.8.1:compile +* #295: CVE-2024-25710: org.apache.commons:commons-compress +* #296: CVE-2024-26308: org.apache.commons:commons-compress + +## Dependency Updates + +### Cloud Storage Extension + +#### Compile Dependency Updates + +* Added `com.nimbusds:nimbus-jose-jwt:9.37.3` +* Updated `org.apache.commons:commons-compress:1.25.0` to `1.26.0` + +#### Plugin Dependency Updates + +* Updated `com.exasol:error-code-crawler-maven-plugin:1.3.1` to `2.0.0` +* Updated `com.exasol:project-keeper-maven-plugin:2.9.17` to `4.1.0` +* Updated `org.apache.maven.plugins:maven-compiler-plugin:3.11.0` to `3.12.1` +* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.2.2` to `3.2.5` +* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.2.2` to `3.2.5` +* Added `org.apache.maven.plugins:maven-toolchains-plugin:3.1.0` +* Updated `org.codehaus.mojo:flatten-maven-plugin:1.5.0` to `1.6.0` diff --git a/doc/user_guide/user_guide.md b/doc/user_guide/user_guide.md index 817d91a2..c3d6005b 100644 --- a/doc/user_guide/user_guide.md +++ b/doc/user_guide/user_guide.md @@ -150,7 +150,7 @@ downloaded jar file is the same as the checksum provided in the releases. To check the SHA256 result of the local jar, run the command: ```sh -sha256sum exasol-cloud-storage-extension-2.7.9.jar +sha256sum exasol-cloud-storage-extension-2.7.10.jar ``` ### Building From Source @@ -180,7 +180,7 @@ mvn clean package -DskipTests=true ``` The assembled jar file should be located at -`target/exasol-cloud-storage-extension-2.7.9.jar`. +`target/exasol-cloud-storage-extension-2.7.10.jar`. ### Create an Exasol Bucket 
@@ -202,7 +202,7 @@ for the HTTP protocol. Upload the jar file using curl command: ```sh -curl -X PUT -T exasol-cloud-storage-extension-2.7.9.jar \ +curl -X PUT -T exasol-cloud-storage-extension-2.7.10.jar \ http://w:@exasol.datanode.domain.com:2580// ``` @@ -234,7 +234,7 @@ OPEN SCHEMA CLOUD_STORAGE_EXTENSION; CREATE OR REPLACE JAVA SET SCRIPT IMPORT_PATH(...) EMITS (...) AS %scriptclass com.exasol.cloudetl.scriptclasses.FilesImportQueryGenerator; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.9.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; / CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS ( @@ -244,12 +244,12 @@ CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS ( end_index DECIMAL(36, 0) ) AS %scriptclass com.exasol.cloudetl.scriptclasses.FilesMetadataReader; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.9.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; / CREATE OR REPLACE JAVA SET SCRIPT IMPORT_FILES(...) EMITS (...) AS %scriptclass com.exasol.cloudetl.scriptclasses.FilesDataImporter; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.9.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; / ``` @@ -268,12 +268,12 @@ OPEN SCHEMA CLOUD_STORAGE_EXTENSION; CREATE OR REPLACE JAVA SET SCRIPT EXPORT_PATH(...) EMITS (...) AS %scriptclass com.exasol.cloudetl.scriptclasses.TableExportQueryGenerator; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.9.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; / CREATE OR REPLACE JAVA SET SCRIPT EXPORT_TABLE(...) EMITS (ROWS_AFFECTED INT) AS %scriptclass com.exasol.cloudetl.scriptclasses.TableDataExporter; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.9.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; / ``` 
@@ -407,13 +407,13 @@ CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS ( ) AS %jvmoption -DHTTPS_PROXY=http://username:password@10.10.1.10:1180 %scriptclass com.exasol.cloudetl.scriptclasses.FilesMetadataReader; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.9.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; / CREATE OR REPLACE JAVA SET SCRIPT IMPORT_FILES(...) EMITS (...) AS %jvmoption -DHTTPS_PROXY=http://username:password@10.10.1.10:1180 %scriptclass com.exasol.cloudetl.scriptclasses.FilesDataImporter; - %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.9.jar; + %jar /buckets/bfsdefault//exasol-cloud-storage-extension-2.7.10.jar; / ``` diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index 67e46bbd..5d42a051 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,12 +3,14 @@ 4.0.0 com.exasol cloud-storage-extension-generated-parent - 2.7.9 + 2.7.10 pom UTF-8 UTF-8 11 + exasol + https://sonarcloud.io @@ -39,10 +41,29 @@ sonar-maven-plugin 3.10.0.2594 + + org.apache.maven.plugins + maven-toolchains-plugin + 3.1.0 + + + + toolchain + + + + + + + ${java.version} + + + + org.apache.maven.plugins maven-compiler-plugin - 3.11.0 + 3.12.1 ${java.version} ${java.version} @@ -69,6 +90,9 @@ 3.6.3 + + 17 + @@ -77,7 +101,7 @@ org.codehaus.mojo flatten-maven-plugin - 1.5.0 + 1.6.0 true oss @@ -116,7 +140,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.2 + 3.2.5 @@ -140,6 +164,17 @@ file:///${project.basedir}/versionsMavenPluginRules.xml + false + true + true + true + false + true + true + true + false + true + true @@ -220,7 +255,7 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.2.2 + 3.2.5 -Djava.util.logging.config.file=src/test/resources/logging.properties ${argLine} @@ -281,7 +316,7 @@ com.exasol error-code-crawler-maven-plugin - 1.3.1 + 2.0.0 verify diff --git a/pom.xml b/pom.xml index fc5e0f22..3412e66d 100644 --- a/pom.xml +++ b/pom.xml 
@@ -3,14 +3,14 @@ 4.0.0 com.exasol cloud-storage-extension - 2.7.9 + 2.7.10 Cloud Storage Extension Exasol Cloud Storage Import And Export Extension https://github.com/exasol/cloud-storage-extension/ cloud-storage-extension-generated-parent com.exasol - 2.7.9 + 2.7.10 pk_generated_parent.pom @@ -425,10 +425,16 @@ - + org.apache.commons commons-compress - 1.25.0 + 1.26.0 + + + + com.nimbusds + nimbus-jose-jwt + 9.37.3 io.delta @@ -677,7 +683,7 @@ 2.2.0 . - -Djava.util.logging.config.file=src/test/resources/logging.properties ${argLine} + -Djava.util.logging.config.file=src/test/resources/logging.properties --add-exports java.base/sun.nio.ch=ALL-UNNAMED ${argLine} @@ -727,12 +733,16 @@ none + + false + org.apache.maven.plugins maven-failsafe-plugin false + --add-exports java.base/sun.nio.ch=ALL-UNNAMED @@ -775,14 +785,13 @@ .*\.properties$ .*\.proto$ - - + com.exasol project-keeper-maven-plugin - 2.9.17 + 4.1.0 diff --git a/src/test/scala/com/exasol/cloudetl/it/BaseIntegrationTest.scala b/src/test/scala/com/exasol/cloudetl/it/BaseIntegrationTest.scala index 57d5664b..7faabc54 100644 --- a/src/test/scala/com/exasol/cloudetl/it/BaseIntegrationTest.scala +++ b/src/test/scala/com/exasol/cloudetl/it/BaseIntegrationTest.scala @@ -16,7 +16,7 @@ import org.scalatest.funsuite.AnyFunSuite trait BaseIntegrationTest extends AnyFunSuite with BeforeAndAfterAll with LazyLogging { private[this] val JAR_NAME_PATTERN = "exasol-cloud-storage-extension-" - val DEFAULT_EXASOL_DOCKER_IMAGE = "8.23.1" + val DEFAULT_EXASOL_DOCKER_IMAGE = "8.24.0" val network = DockerNamedNetwork("it-tests", true) val exasolContainer = { val c: ExasolContainer[_] = new ExasolContainer(getExasolDockerImageVersion())
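Review bot: The nimbus-jose-jwt 9.37.3 entry added in the `@@ -425,10 +425,16 @@` hunk of pom.xml pins a library the project only receives transitively, and the changelog in this commit lists it as an added compile dependency. The element tags and any XML comments are not visible in this rendering, so this is hedged: if the entry carries no comment, add one that names the advisory and the removal condition, e.g. `<!-- Pins transitive nimbus-jose-jwt to fix CVE-2023-52428; remove once the dependency that pulls it in ships a fixed version -->`. The same applies to the commons-compress 1.26.0 override (CVE-2024-25710, CVE-2024-26308), so that a later cleanup does not drop the pin and bring the vulnerable version back.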
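Review bot: In the `@@ -727,12 +733,16 @@` hunk the value added under maven-failsafe-plugin is only `--add-exports java.base/sun.nio.ch=ALL-UNNAMED`, whereas the `@@ -677,7 +683,7 @@` hunk keeps `${argLine}` after the same flag. The element names are lost in this rendering; if this is failsafe's `argLine`, it replaces the value inherited from pk_generated_parent.pom (`-Djava.util.logging.config.file=src/test/resources/logging.properties ${argLine}`), so integration tests would lose the logging configuration and anything injected through `${argLine}`, typically the coverage agent. Suggested value: `-Djava.util.logging.config.file=src/test/resources/logging.properties --add-exports java.base/sun.nio.ch=ALL-UNNAMED ${argLine}`. A short comment saying which library needs the internal `sun.nio.ch` package would also help, since the flag relaxes JDK encapsulation for the test JVM.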