From 67c24c4a6a1daee37d2299ead086f45c71eb87b7 Mon Sep 17 00:00:00 2001
From: Christoph Kuhnke
Date: Tue, 24 Oct 2023 10:13:02 +0200
Subject: [PATCH] Fixed vulnerability CVE-2023-42503 (#111)

Fixed vulnerability CVE-2023-42503 Integration tests showed deviations to V7. Delimiting current PR to exclude ticket 105. This will be done in a separate attempt.
---
 .gitattributes | 2 ++
 .github/workflows/broken_links_checker.yml | 6 ++--
 .github/workflows/ci-build-next-java.yml | 6 ++--
 .github/workflows/ci-build.yml | 24 ++++++++------
 .github/workflows/dependencies_check.yml | 8 ++---
 ...elease_droid_prepare_original_checksum.yml | 14 +++++---
 .../release_droid_print_quick_checksum.yml | 7 ++--
 ...release_droid_release_on_maven_central.yml | 8 ++---
 ...ase_droid_upload_github_release_assets.yml | 8 ++---
 .gitignore | 3 ++
 .project-keeper.yml | 1 +
 .settings/org.eclipse.core.resources.prefs | 6 ----
 .settings/org.eclipse.jdt.core.prefs | 2 +-
 .settings/org.eclipse.m2e.core.prefs | 4 ---
 .settings/org.sonarlint.eclipse.core.prefs | 2 --
 dependencies.md | 6 ++--
 doc/changes/changelog.md | 1 +
 doc/changes/changes_7.1.5.md | 33 +++++++++++++++++++
 doc/dialects/exasol.md | 2 +-
 pk_generated_parent.pom | 8 +++--
 pom.xml | 22 ++++++-------
 .../exasol/IntegrationTestConfiguration.java | 2 +-
 22 files changed, 106 insertions(+), 69 deletions(-)
 delete mode 100644 .settings/org.eclipse.core.resources.prefs
 delete mode 100644 .settings/org.eclipse.m2e.core.prefs
 delete mode 100644 .settings/org.sonarlint.eclipse.core.prefs
 create mode 100644 doc/changes/changes_7.1.5.md

diff --git a/.gitattributes b/.gitattributes
index b93bb8d..e6487b5 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -7,3 +7,5 @@ pk_generated_parent.pom linguist-genera .github/workflows/release_droid_prepare_original_checksum.yml linguist-generated=true .github/workflows/release_droid_print_quick_checksum.yml linguist-generated=true .github/workflows/release_droid_release_on_maven_central.yml linguist-generated=true +.settings/org.eclipse.jdt.core.prefs linguist-generated=true +.settings/org.eclipse.jdt.ui.prefs linguist-generated=true diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml index f2079ec..82ec1cd 100644 --- a/.github/workflows/broken_links_checker.yml +++ b/.github/workflows/broken_links_checker.yml @@ -15,7 +15,7 @@ jobs: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Configure broken links checker run: | mkdir -p ./target @@ -27,6 +27,6 @@ jobs: ']}' > ./target/broken_links_checker.json - uses: gaurav-nelson/github-action-markdown-link-check@v1 with: - use-quiet-mode: 'yes' - use-verbose-mode: 'yes' + use-quiet-mode: "yes" + use-verbose-mode: "yes" config-file: ./target/broken_links_checker.json diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml index e0c15cf..7cbab08 100644 --- a/.github/workflows/ci-build-next-java.yml +++ b/.github/workflows/ci-build-next-java.yml @@ -14,15 +14,15 @@ jobs: cancel-in-progress: true steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 17 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 17 - cache: 'maven' + cache: "maven" - name: Run tests and build with Maven run: | mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \ diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index 669595a..e194739 100644 --- a/.github/workflows/ci-build.yml 
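Review bot: The `uses: actions/checkout@v4` bump in this hunk, and the same bump in the ci-build-next-java.yml, ci-build.yml, dependencies_check.yml and release_droid_*.yml hunks, still references a mutable major tag, as does the third-party `gaurav-nelson/github-action-markdown-link-check@v1` kept as context here. Since this commit's stated purpose is closing a supply-chain vulnerability, pinning each action to a full commit SHA with the tag kept as a trailing comment, `uses: actions/checkout@<commit-sha> # v4`, would make the workflow's inputs reproducible and reviewable rather than whatever the tag points at on the day the job runs. This is a hardening point on how the new lines are written; the hunks themselves are otherwise plain version bumps.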
+++ b/.github/workflows/ci-build.yml @@ -8,25 +8,28 @@ on: jobs: build: + runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest + concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.docker_db_version }} + cancel-in-progress: true strategy: fail-fast: false matrix: - docker_db_version: ["7.1.21"] + docker_db_version: ["7.1.23"] env: - DEFAULT_DB_VERSION: "7.1.21" - runs-on: ubuntu-latest - concurrency: - group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.docker_db_version }} + DEFAULT_DB_VERSION: "7.1.23" steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 + - name: Set up JDK 11 & 17 uses: actions/setup-java@v3 with: distribution: "temurin" - java-version: 11 + java-version: | + 17 + 11 cache: "maven" - name: Cache SonarCloud packages uses: actions/cache@v3 @@ -38,7 +41,7 @@ jobs: run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - name: Run tests and build with Maven run: | - mvn --batch-mode clean verify \ + JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false \ -Dcom.exasol.dockerdb.image=${{ matrix.docker_db_version }} @@ -50,12 +53,13 @@ jobs: - name: Sonar analysis if: ${{ env.SONAR_TOKEN != null }} run: | + JAVA_HOME=$JAVA_HOME_17_X64 \ mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false \ -Dsonar.organization=exasol \ -Dsonar.host.url=https://sonarcloud.io \ - -Dsonar.login=$SONAR_TOKEN + -Dsonar.token=$SONAR_TOKEN env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} 
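Review bot: In the Sonar analysis hunk the secret is still placed on the Maven command line via `-Dsonar.token=$SONAR_TOKEN`, so it appears in the process arguments and in any verbose Maven output, even though the same step already exports `SONAR_TOKEN` in its `env:` block. Recent versions of the Sonar Maven scanner read `SONAR_TOKEN` from the environment on their own (worth confirming against the scanner version used here), in which case the `-Dsonar.token=...` argument can simply be dropped. Separately, the new `java-version: |` block listing 17 and 11 has no comment explaining why two JDKs are installed; since the build step sets `JAVA_HOME=$JAVA_HOME_11_X64` and only the Sonar step sets `JAVA_HOME=$JAVA_HOME_17_X64`, a one-liner such as `# 11 builds and tests the project; 17 is required only by the Sonar scanner` next to the `java-version:` key would save the next reader from reverse-engineering the two `JAVA_HOME` overrides.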
diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml index b2ab231..3059964 100644 --- a/.github/workflows/dependencies_check.yml +++ b/.github/workflows/dependencies_check.yml @@ -9,12 +9,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Checking dependencies for vulnerabilities - run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml \ No newline at end of file + run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml index 4a980f8..843604c 100644 --- a/.github/workflows/release_droid_prepare_original_checksum.yml +++ b/.github/workflows/release_droid_prepare_original_checksum.yml @@ -5,18 +5,22 @@ on: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest steps: + - name: Free Disk Space + run: | + sudo rm -rf /usr/local/lib/android + sudo rm -rf /usr/share/dotnet - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Enable testcontainer reuse run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - name: Run tests and build with Maven @@ -28,4 +32,4 @@ jobs: with: name: original_checksum retention-days: 5 - path: original_checksum \ No newline at end of file + path: original_checksum 
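Review bot: The new "Free Disk Space" step in release_droid_prepare_original_checksum.yml runs `sudo rm -rf /usr/local/lib/android` and `sudo rm -rf /usr/share/dotnet` on the runner with no explanation of what needs the space, whereas the `runs-on: ubuntu-20.04` line right above it does carry a why-comment. A comment on the step along the lines of `# Remove SDKs this build does not use; the default runner disk is too small for the integration tests (confirm)` would record the rationale, since nothing in the hunk ties the deletions to a concrete consumer of the freed space. Because this workflow is also added to the `E-PK-CORE-18` exclusion list in .project-keeper.yml, the hand edit will survive project-keeper regeneration, which is worth stating in that comment as well so the exclusion is not removed later as stale.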
diff --git a/.github/workflows/release_droid_print_quick_checksum.yml b/.github/workflows/release_droid_print_quick_checksum.yml index 8add957..aed4444 100644 --- a/.github/workflows/release_droid_print_quick_checksum.yml +++ b/.github/workflows/release_droid_print_quick_checksum.yml @@ -8,17 +8,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests - name: Print checksum run: echo 'checksum_start==';find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + | xargs;echo '==checksum_end' - diff --git a/.github/workflows/release_droid_release_on_maven_central.yml b/.github/workflows/release_droid_release_on_maven_central.yml index b467607..dfdbd6a 100644 --- a/.github/workflows/release_droid_release_on_maven_central.yml +++ b/.github/workflows/release_droid_release_on_maven_central.yml @@ -8,15 +8,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Maven Central Repository uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" server-id: ossrh server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD @@ -27,4 +27,4 @@ jobs: env: MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }} MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} \ No newline at end of file + MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} 
diff --git a/.github/workflows/release_droid_upload_github_release_assets.yml b/.github/workflows/release_droid_upload_github_release_assets.yml index 7350faf..7ae8bbb 100644 --- a/.github/workflows/release_droid_upload_github_release_assets.yml +++ b/.github/workflows/release_droid_upload_github_release_assets.yml @@ -4,7 +4,7 @@ on: workflow_dispatch: inputs: upload_url: - description: 'Assets upload URL' + description: "Assets upload URL" required: true jobs: @@ -12,15 +12,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests - name: Generate sha256sum files diff --git a/.gitignore b/.gitignore index b0916b8..e5c78d1 100644 --- a/.gitignore +++ b/.gitignore @@ -2,7 +2,10 @@ /.project /.classpath +/.settings/org.eclipse.core.resources.prefs /.settings/org.eclipse.jdt.apt.core.prefs +/.settings/org.eclipse.m2e.core.prefs +/.settings/org.sonarlint.eclipse.core.prefs # .settings : we need Eclipse settings for code formatter and clean-up rules .cache dependency-reduced-pom.xml diff --git a/.project-keeper.yml b/.project-keeper.yml index 7e7e3c6..378fcd3 100644 --- a/.project-keeper.yml +++ b/.project-keeper.yml @@ -9,3 +9,4 @@ sources: linkReplacements: excludes: - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'" + - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'" diff --git a/.settings/org.eclipse.core.resources.prefs b/.settings/org.eclipse.core.resources.prefs deleted file mode 100644 index 29abf99..0000000 --- a/.settings/org.eclipse.core.resources.prefs +++ /dev/null 
@@ -1,6 +0,0 @@ -eclipse.preferences.version=1 -encoding//src/main/java=UTF-8 -encoding//src/main/resources=UTF-8 -encoding//src/test/java=UTF-8 -encoding//src/test/resources=UTF-8 -encoding/=UTF-8 diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs index 8b5a9aa..bb40c3f 100644 --- a/.settings/org.eclipse.jdt.core.prefs +++ b/.settings/org.eclipse.jdt.core.prefs @@ -111,7 +111,7 @@ org.eclipse.jdt.core.compiler.problem.unusedPrivateMember=warning org.eclipse.jdt.core.compiler.problem.unusedTypeParameter=ignore org.eclipse.jdt.core.compiler.problem.unusedWarningToken=warning org.eclipse.jdt.core.compiler.problem.varargsArgumentNeedCast=warning -org.eclipse.jdt.core.compiler.processAnnotations=enabled +org.eclipse.jdt.core.compiler.processAnnotations=disabled org.eclipse.jdt.core.compiler.release=disabled org.eclipse.jdt.core.compiler.source=11 org.eclipse.jdt.core.formatter.align_assignment_statements_on_columns=false diff --git a/.settings/org.eclipse.m2e.core.prefs b/.settings/org.eclipse.m2e.core.prefs deleted file mode 100644 index f897a7f..0000000 --- a/.settings/org.eclipse.m2e.core.prefs +++ /dev/null @@ -1,4 +0,0 @@ -activeProfiles= -eclipse.preferences.version=1 -resolveWorkspaceProjects=true -version=1 diff --git a/.settings/org.sonarlint.eclipse.core.prefs b/.settings/org.sonarlint.eclipse.core.prefs deleted file mode 100644 index 4341a71..0000000 --- a/.settings/org.sonarlint.eclipse.core.prefs +++ /dev/null @@ -1,2 +0,0 @@ -autoEnabled=true -eclipse.preferences.version=1 diff --git a/dependencies.md b/dependencies.md index f618bee..6e48498 100644 --- a/dependencies.md +++ b/dependencies.md 
@@ -16,11 +16,11 @@
 | [Virtual Schema Common JDBC][0] | [MIT License][1] |
 | [Hamcrest][6] | [BSD License 3][7] |
 | [JUnit Jupiter (Aggregator)][8] | [Eclipse Public License v2.0][9] |
-| [mockito-junit-jupiter][10] | [The MIT License][11] |
+| [mockito-junit-jupiter][10] | [MIT][11] |
 | [Test containers for Exasol on Docker][12] | [MIT License][13] |
 | [Testcontainers :: JUnit Jupiter Extension][14] | [MIT][15] |
 | [Matcher for SQL Result Sets][16] | [MIT License][17] |
-| [SLF4J JDK14 Binding][18] | [MIT License][19] |
+| [SLF4J JDK14 Provider][18] | [MIT License][19] |
 | [Test Database Builder for Java][20] | [MIT License][21] |
 | [Maven Project Version Getter][22] | [MIT License][23] |
 | [JaCoCo :: Agent][24] | [Eclipse Public License 2.0][25] |
@@ -70,7 +70,7 @@
 [11]: https://github.com/mockito/mockito/blob/main/LICENSE
 [12]: https://github.com/exasol/exasol-testcontainers/
 [13]: https://github.com/exasol/exasol-testcontainers/blob/main/LICENSE
-[14]: https://testcontainers.org
+[14]: https://java.testcontainers.org
 [15]: http://opensource.org/licenses/MIT
 [16]: https://github.com/exasol/hamcrest-resultset-matcher/
 [17]: https://github.com/exasol/hamcrest-resultset-matcher/blob/main/LICENSE
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index bcf2613..f0ac69b 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
 # Changes
+* [7.1.5](changes_7.1.5.md)
 * [7.1.4](changes_7.1.4.md)
 * [7.1.3](changes_7.1.3.md)
 * [7.1.2](changes_7.1.2.md)
diff --git a/doc/changes/changes_7.1.5.md b/doc/changes/changes_7.1.5.md
new file mode 100644
index 0000000..156f0f9
--- /dev/null
+++ b/doc/changes/changes_7.1.5.md
@@ -0,0 +1,33 @@
+# Exasol Virtual Schema 7.1.5, released 2023-10-24
+
+Code name: Dependency Upgrade
+
+## Summary
+
+This release fixes vulnerability CVE-2023-42503 in transitive test dependency to `org.apache.commons:commons-compress` via `exasol-testcontainers` by updating dependencies.
+
+## Security
+
+*#110: Fixed vulnerability CVE-2023-42503 in test dependency `org.apache.commons:commons-compress`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `com.exasol:virtual-schema-common-jdbc:11.0.1` to `11.0.2`
+
+### Test Dependency Updates
+
+* Updated `com.exasol:exasol-testcontainers:6.6.1` to `6.6.2`
+* Updated `com.exasol:hamcrest-resultset-matcher:1.6.0` to `1.6.1`
+* Updated `com.exasol:test-db-builder-java:3.4.2` to `3.5.1`
+* Updated `com.exasol:virtual-schema-common-jdbc:11.0.1` to `11.0.2`
+* Updated `org.junit.jupiter:junit-jupiter:5.9.3` to `5.10.0`
+* Updated `org.mockito:mockito-junit-jupiter:5.4.0` to `5.6.0`
+* Updated `org.slf4j:slf4j-jdk14:2.0.7` to `2.0.9`
+* Updated `org.testcontainers:junit-jupiter:1.18.3` to `1.19.1`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:project-keeper-maven-plugin:2.9.9` to `2.9.12`
+* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.3.0` to `3.4.0`
diff --git a/doc/dialects/exasol.md b/doc/dialects/exasol.md
index dc073e6..5a7b203 100644
--- a/doc/dialects/exasol.md
+++ b/doc/dialects/exasol.md
@@ -17,7 +17,7 @@ The SQL statement below creates the adapter script, defines the Java class that ```sql CREATE JAVA ADAPTER SCRIPT SCHEMA_FOR_VS_SCRIPT.ADAPTER_SCRIPT_EXASOL AS %scriptclass com.exasol.adapter.RequestDispatcher;
- %jar /buckets///virtual-schema-dist-11.0.1-exasol-7.1.4.jar;
+ %jar /buckets///virtual-schema-dist-11.0.2-exasol-7.1.5.jar;
 / ```
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index f95b7d4..a776242 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@ 4.0.0 com.exasol exasol-virtual-schema-generated-parent - 7.1.4 + 7.1.5 pom UTF-8 @@ -70,7 +70,7 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.3.0 + 3.4.0 enforce-maven @@ -176,7 +176,6 @@ true true false - true true false @@ -262,6 +261,9 @@ org.apache.maven.plugins maven-source-plugin + 3.2.1 diff --git a/pom.xml b/pom.xml index 29fb366..b9d97fa 100644 --- a/pom.xml +++ b/pom.xml @@ -2,12 +2,12 @@ 4.0.0 exasol-virtual-schema - 7.1.4 + 7.1.5 Exasol Virtual Schema This projects contains the Exasol dialect for Exasol's Virtual Schema https://github.com/exasol/exasol-virtual-schema/ - 11.0.1 + 11.0.2 @@ -43,44 +43,44 @@ org.junit.jupiter junit-jupiter - 5.9.3 + 5.10.0 test org.mockito mockito-junit-jupiter - 5.4.0 + 5.6.0 test com.exasol exasol-testcontainers - 6.6.1 + 6.6.2 test org.testcontainers junit-jupiter - 1.18.3 + 1.19.1 test com.exasol hamcrest-resultset-matcher - 1.6.0 + 1.6.1 test org.slf4j slf4j-jdk14 - 2.0.7 + 2.0.9 test com.exasol test-db-builder-java - 3.4.2 + 3.5.1 test @@ -95,7 +95,7 @@ com.exasol project-keeper-maven-plugin - 2.9.9 + 2.9.12 @@ -162,7 +162,7 @@ exasol-virtual-schema-generated-parent com.exasol - 7.1.4 + 7.1.5 pk_generated_parent.pom diff --git a/src/test/java/com/exasol/adapter/dialects/exasol/IntegrationTestConfiguration.java b/src/test/java/com/exasol/adapter/dialects/exasol/IntegrationTestConfiguration.java index b3fe9fb..9d7aa66 100644 --- a/src/test/java/com/exasol/adapter/dialects/exasol/IntegrationTestConfiguration.java +++ b/src/test/java/com/exasol/adapter/dialects/exasol/IntegrationTestConfiguration.java 
@@ -8,7 +8,7 @@ public final class IntegrationTestConfiguration {
 * Do not use MavenProjectVersionGetter here to enable reference checker to check if reference points to the latest
 * version.
 */
- public static final String VIRTUAL_SCHEMAS_JAR_NAME_AND_VERSION = "virtual-schema-dist-11.0.1-exasol-7.1.4.jar";
+ public static final String VIRTUAL_SCHEMAS_JAR_NAME_AND_VERSION = "virtual-schema-dist-11.0.2-exasol-7.1.5.jar";
 public static final Path PATH_TO_VIRTUAL_SCHEMAS_JAR = Path.of("target", VIRTUAL_SCHEMAS_JAR_NAME_AND_VERSION);
 private IntegrationTestConfiguration() {