#476 Fix vulnerability CVE-2023-4759 in dependency `org.eclipse.jgit:…

…org.eclipse.jgit` (#477)

.github/workflows/broken_links_checker.yml

@@ -15,7 +15,7 @@ jobs:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Configure broken links checker
         run: |
           mkdir -p ./target
@@ -27,6 +27,6 @@ jobs:
                ']}' > ./target/broken_links_checker.json
       - uses: gaurav-nelson/github-action-markdown-link-check@v1
         with:
-          use-quiet-mode: 'yes'
-          use-verbose-mode: 'yes'
+          use-quiet-mode: "yes"
+          use-verbose-mode: "yes"
           config-file: ./target/broken_links_checker.json

.github/workflows/ci-build-next-java.yml

@@ -14,15 +14,15 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 17
-          cache: 'maven'
+          cache: "maven"
       - name: Run tests and build with Maven
         run: |
           mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \

.github/workflows/ci-build.yml

@@ -14,7 +14,7 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11 & 17

.github/workflows/dependencies_check.yml

@@ -9,14 +9,14 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up JDK 11
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
       - name: Install Projects
         run: mvn --batch-mode install -DskipTests # This fixes https://github.com/exasol/project-keeper/issues/330
       - name: Checking dependencies for vulnerabilities
-        run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml
+        run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml

.github/workflows/release_droid_prepare_original_checksum.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11

.github/workflows/release_droid_print_quick_checksum.yml

@@ -8,17 +8,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
       - name: Build with Maven skipping tests
         run: mvn --batch-mode clean verify -DskipTests
       - name: Print checksum
         run: echo 'checksum_start==';find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + | xargs;echo '==checksum_end'
-

.github/workflows/release_droid_release_on_maven_central.yml

@@ -8,15 +8,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up Maven Central Repository
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
           server-id: ossrh
           server-username: MAVEN_USERNAME
           server-password: MAVEN_PASSWORD

.github/workflows/release_droid_upload_github_release_assets.yml

@@ -4,23 +4,23 @@ on:
   workflow_dispatch:
     inputs:
       upload_url:
-        description: 'Assets upload URL'
+        description: "Assets upload URL"
         required: true
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
       - name: Build with Maven skipping tests
         run: mvn --batch-mode clean verify -DskipTests
       - name: Generate sha256sum files

.github/workflows/test_linux_build_on_windows.yml

@@ -14,7 +14,7 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11
@@ -65,7 +65,7 @@ jobs:
     needs: build-on-linux
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11

.github/workflows/test_on_windows.yml

@@ -14,7 +14,7 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11

README.md

@@ -234,7 +234,7 @@ For GitHub Actions you can solve this by adding `fetch-depth: 0` to the checkout
 
 ```yaml
 - name: Checkout the repository
-  uses: actions/checkout@v3
+  uses: actions/checkout@v4
   with:
     fetch-depth: 0
 ```

doc/changes/changes_2.9.12.md

@@ -0,0 +1,67 @@
+# Project Keeper 2.9.12, released 2023-09-25
+
+Code name: Fix vulnerability CVE-2023-4759
+
+## Summary
+
+This release fixes vulnerability CVE-2023-4759 in dependency `org.eclipse.jgit:org.eclipse.jgit`.
+
+## Security
+
+* #476: Fixed vulnerability CVE-2023-4759 in dependency `org.eclipse.jgit:org.eclipse.jgit`
+
+## Dependency Updates
+
+### Project-Keeper Shared Model Classes
+
+#### Compile Dependency Updates
+
+* Updated `org.eclipse.jgit:org.eclipse.jgit:6.6.0.202305301015-r` to `6.7.0.202309050840-r`
+
+#### Test Dependency Updates
+
+* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.1` to `3.15.2`
+
+### Project Keeper Core
+
+#### Compile Dependency Updates
+
+* Updated `com.exasol:project-keeper-shared-model-classes:2.9.11` to `2.9.12`
+
+#### Runtime Dependency Updates
+
+* Updated `com.exasol:project-keeper-java-project-crawler:2.9.11` to `2.9.12`
+
+#### Test Dependency Updates
+
+* Updated `com.exasol:project-keeper-shared-test-setup:2.9.11` to `2.9.12`
+* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.1` to `3.15.2`
+
+### Project Keeper Command Line Interface
+
+#### Compile Dependency Updates
+
+* Updated `com.exasol:project-keeper-core:2.9.11` to `2.9.12`
+
+#### Test Dependency Updates
+
+* Updated `com.exasol:project-keeper-shared-test-setup:2.9.11` to `2.9.12`
+
+### Project Keeper Maven Plugin
+
+#### Compile Dependency Updates
+
+* Updated `com.exasol:project-keeper-core:2.9.11` to `2.9.12`
+
+### Project Keeper Java Project Crawler
+
+#### Compile Dependency Updates
+
+* Updated `com.exasol:project-keeper-shared-model-classes:2.9.11` to `2.9.12`
+* Updated `org.eclipse.jgit:org.eclipse.jgit:6.6.0.202305301015-r` to `6.7.0.202309050840-r`
+
+### Project Keeper Shared Test Setup
+
+#### Compile Dependency Updates
+
+* Updated `com.exasol:project-keeper-shared-model-classes:2.9.11` to `2.9.12`

parent-pom/pom.xml

@@ -28,7 +28,7 @@
         </repository>
     </distributionManagement>
     <properties>
-        <revision>2.9.11</revision>
+        <revision>2.9.12</revision>
         <maven.version>3.9.4</maven.version>
         <junit.version>5.10.0</junit.version>
         <xmlunit.version>2.9.1</xmlunit.version>
@@ -104,7 +104,7 @@
             <dependency>
                 <groupId>org.eclipse.jgit</groupId>
                 <artifactId>org.eclipse.jgit</artifactId>
-                <version>6.6.0.202305301015-r</version>
+                <version>6.7.0.202309050840-r</version>
             </dependency>
             <dependency>
                 <groupId>net.steppschuh.markdowngenerator</groupId>
@@ -161,7 +161,7 @@
             <dependency>
                 <groupId>org.slf4j</groupId>
                 <artifactId>slf4j-jdk14</artifactId>
-                <version>1.7.36</version>
+                <version>1.7.36</version> <!-- Version 1.7.x required to fix error 'SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".' -->
                 <scope>test</scope>
             </dependency>
             <dependency>
@@ -197,7 +197,7 @@
             <dependency>
                 <groupId>nl.jqno.equalsverifier</groupId>
                 <artifactId>equalsverifier</artifactId>
-                <version>3.15.1</version>
+                <version>3.15.2</version>
                 <scope>test</scope>
             </dependency>
             <!-- overriding vulnerable version -->

project-keeper/src/main/resources/non_maven_templates/.github/workflows/project-keeper-verify.yml

@@ -14,7 +14,7 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 

project-keeper/src/main/resources/templates/.github/workflows/broken_links_checker.yml

@@ -15,7 +15,7 @@ jobs:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Configure broken links checker
         run: |
           mkdir -p ./target
@@ -27,6 +27,6 @@ jobs:
                ']}' > ./target/broken_links_checker.json
       - uses: gaurav-nelson/github-action-markdown-link-check@v1
         with:
-          use-quiet-mode: 'yes'
-          use-verbose-mode: 'yes'
+          use-quiet-mode: "yes"
+          use-verbose-mode: "yes"
           config-file: ./target/broken_links_checker.json

project-keeper/src/main/resources/templates/.github/workflows/ci-build-native-build.yml

@@ -21,7 +21,7 @@ jobs:
           sudo rm -rf /usr/local/lib/android
           sudo rm -rf /usr/share/dotnet
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: graalvm/setup-graalvm@v1

project-keeper/src/main/resources/templates/.github/workflows/ci-build-next-java.yml

@@ -14,15 +14,15 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 17
-          cache: 'maven'
+          cache: "maven"
       - name: Run tests and build with Maven
         run: |
           mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false $skipNativeImage \

project-keeper/src/main/resources/templates/.github/workflows/ci-build.yml

@@ -18,7 +18,7 @@ jobs:
           sudo rm -rf /usr/local/lib/android
           sudo rm -rf /usr/share/dotnet
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11 & 17

project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml

@@ -9,12 +9,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up JDK 11
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
       - name: Checking dependencies for vulnerabilities
-        run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml
+        run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml

project-keeper/src/main/resources/templates/.github/workflows/release_droid_prepare_original_checksum.yml

@@ -12,7 +12,7 @@ jobs:
           sudo rm -rf /usr/local/lib/android
           sudo rm -rf /usr/share/dotnet
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11