From 4e4b4de6493664f95c41e47a1cde340a995d7958 Mon Sep 17 00:00:00 2001 From: Christoph Pirkl Date: Fri, 19 Jan 2024 09:17:47 +0100 Subject: [PATCH] #88: Fix CVE-2024-21634 in com.amazon.ion/ion-java@1.5.1 (#89) --- .gitattributes | 3 +- .github/workflows/broken_links_checker.yml | 2 + .github/workflows/ci-build-java8.yml | 15 ++-- .github/workflows/ci-build-next-java.yml | 18 +++-- .github/workflows/ci-build.yml | 59 ++++++++++------ .github/workflows/dependencies_check.yml | 11 +-- .../prepare_aws_marketplace_release.yml | 18 ++--- ...elease_droid_prepare_original_checksum.yml | 14 ++-- .../release_droid_print_quick_checksum.yml | 11 +-- ...ase_droid_upload_github_release_assets.yml | 11 +-- .project-keeper.yml | 9 ++- .settings/org.eclipse.jdt.core.prefs | 20 +++--- dependencies.md | 69 ++++++++++--------- doc/changes/changelog.md | 1 + doc/changes/changes_2.1.3.md | 36 ++++++++++ doc/developers_guide/developers_guide.md | 4 +- pk_generated_parent.pom | 30 +++++++- pom.xml | 47 ++++++++----- 18 files changed, 249 insertions(+), 129 deletions(-) create mode 100644 doc/changes/changes_2.1.3.md diff --git a/.gitattributes b/.gitattributes index b52b361..243feac 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,7 +1,8 @@ .github/workflows/broken_links_checker.yml linguist-generated=true .github/workflows/dependencies_check.yml linguist-generated=true -.github/workflows/prepare_aws_marketplace_release.yml linguist-generated=true +.github/workflows/ci-build.yml linguist-generated=true .github/workflows/release_droid_print_quick_checksum.yml linguist-generated=true +.github/workflows/release_droid_prepare_original_checksum.yml linguist-generated=true .github/workflows/release_droid_upload_github_release_assets.yml linguist-generated=true .settings/org.eclipse.jdt.core.prefs linguist-generated=true .settings/org.eclipse.jdt.ui.prefs linguist-generated=true 
diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml
index 82ec1cd..0fbcad5 100644
--- a/.github/workflows/broken_links_checker.yml
+++ b/.github/workflows/broken_links_checker.yml
@@ -1,3 +1,5 @@
+# Generated by Project Keeper
+# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/broken_links_checker.yml
 name: Broken Links Checker
 
 on:
diff --git a/.github/workflows/ci-build-java8.yml b/.github/workflows/ci-build-java8.yml
index 0df5a7d..aa81c24 100644
--- a/.github/workflows/ci-build-java8.yml
+++ b/.github/workflows/ci-build-java8.yml
@@ -11,14 +11,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up JDK 8
-        uses: actions/setup-java@v3
+      - name: Set up JDKs
+        uses: actions/setup-java@v4
         with:
-          distribution: 'temurin'
-          java-version: 8
+          distribution: "temurin"
+          java-version: |
+            8
+            17
+          cache: "maven"
       - name: Cache local Maven repository
         uses: actions/cache@v3
         with:
@@ -28,6 +31,6 @@ jobs:
             ${{ runner.os }}-maven-
       - name: Run maven compile with Java 8
         run: |
-          mvn --batch-mode --update-snapshots clean compile \
+          mvn --batch-mode --update-snapshots -Dtoolchain.version=8 clean compile \
             -DtrimStackTrace=false \
             -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml
index 154f226..26261ce 100644
--- a/.github/workflows/ci-build-next-java.yml
+++ b/.github/workflows/ci-build-next-java.yml
@@ -1,5 +1,4 @@
 name: CI Build next Java
-
 on:
   push:
     branches:
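Review bot: After this hunk the job caches the Maven repository twice: `setup-java@v4` now has `cache: "maven"`, which saves and restores `~/.m2/repository` keyed on the pom hashes, and the `Cache local Maven repository` step using `actions/cache@v3` that follows it presumably targets the same path (its `path`/`key` lines fall between the two hunks and are not visible here). Restoring an overlapping path from two caches costs time on every run and makes it unclear which one is stale when a dependency change is not picked up. Drop the explicit `actions/cache` step, or if its custom `restore-keys` are wanted, remove `cache: "maven"` from the setup-java step instead.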
@@ -14,16 +13,23 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 17
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 17
-          cache: 'maven'
+          cache: "maven"
       - name: Run tests and build with Maven
         run: |
-          mvn --batch-mode --update-snapshots clean javadoc:javadoc -DtrimStackTrace=false \
+          mvn --batch-mode --update-snapshots clean javadoc:javadoc -DtrimStackTrace=false \
+            -Djava.version=17 -Dtoolchain.version=17 \
             -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
+      - name: Publish Test Report for Java 17
+        uses: scacap/action-surefire-report@v1
+        if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }}
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          fail_if_no_tests: false
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index cc9b23b..76adff4 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -1,5 +1,6 @@
+# Generated by Project Keeper
+# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/ci-build-db-version-matrix.yml
 name: CI Build
-
 on:
   push:
     branches:
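Review bot: The new `Publish Test Report for Java 17` step hands `secrets.GITHUB_TOKEN` to a third-party action referenced by a mutable tag, `scacap/action-surefire-report@v1`, so whoever controls that tag can run code with the token on every CI run; pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: scacap/action-surefire-report@<commit-sha> # v1`, and do the same for the `actions/checkout` and `actions/setup-java` references touched in this hunk. The step's `if` only passes when `github.event.pull_request.head.repo.full_name` equals the repository, which is empty on the `push` trigger this workflow also declares, so on pushes the report is silently skipped; if that is intended, a comment above the `if` saying so would save the next reader the same analysis, otherwise prefix the condition with `github.event_name == 'push' ||`. The workflow's top-level `permissions` (if any) are outside this hunk, so I cannot tell whether the token is limited to the `checks: write` this action needs; it should be.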
@@ -7,13 +8,20 @@ on:
   pull_request:
 
 jobs:
-  build:
-    runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
+  matrix-build:
+    runs-on: ubuntu-20.04
     concurrency:
-      group: ${{ github.workflow }}-${{ github.ref }}
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.exasol_db_version }}
       cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        exasol_db_version: ["7.1.25", "8.24.0"]
+    env:
+      DEFAULT_EXASOL_DB_VERSION: "7.1.25"
     steps:
       - name: Free Disk Space
+        if: ${{ false }}
         run: |
           sudo rm -rf /usr/local/lib/android
           sudo rm -rf /usr/share/dotnet
@@ -21,13 +29,13 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up JDK 11 & 17
-        uses: actions/setup-java@v3
+      - name: Set up JDKs
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: |
-            17
             11
+            17
           cache: "maven"
       - name: Cache SonarCloud packages
         uses: actions/cache@v3
@@ -38,26 +46,33 @@ jobs:
       - name: Enable testcontainer reuse
         run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
       - name: Run tests and build with Maven
-        run: >
-          JAVA_HOME=$JAVA_HOME_11_X64
-          mvn --batch-mode clean verify
-          -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
-          -DtrimStackTrace=false
-      - name: Publish Test Report
+        run: |
+          mvn --batch-mode clean verify \
+            -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
+            -DtrimStackTrace=false \
+            -Dcom.exasol.dockerdb.image=${{ matrix.exasol_db_version }}
+        env:
+          # Set additional environment variable as in scala projects the scalatest plugin does not forward
+          # the system property -Dcom.exasol.dockerdb.image to the test's implementation.
+          EXASOL_DB_VERSION: ${{ matrix.exasol_db_version }}
+      - name: Publish Test Report for Exasol ${{ matrix.exasol_db_version }}
         uses: scacap/action-surefire-report@v1
         if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }}
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Sonar analysis
-        if: ${{ env.SONAR_TOKEN != null }}
-        run: >
-          JAVA_HOME=$JAVA_HOME_17_X64
-          mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
-          -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
-          -DtrimStackTrace=false
-          -Dsonar.organization=exasol
-          -Dsonar.host.url=https://sonarcloud.io
-          -Dsonar.token=$SONAR_TOKEN
+        if: ${{ env.SONAR_TOKEN != null && matrix.exasol_db_version == env.DEFAULT_EXASOL_DB_VERSION }}
+        run: |
+          mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
+            -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
+            -DtrimStackTrace=false \
+            -Dsonar.token=$SONAR_TOKEN
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  build:
+    needs: matrix-build
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Build successful"
diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml
index 4b6eadf..87b64ba 100644
--- a/.github/workflows/dependencies_check.yml
+++ b/.github/workflows/dependencies_check.yml
@@ -1,5 +1,6 @@
+# Generated by Project Keeper
+# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml
 name: Report Security Issues for Repository
-
 on:
   workflow_dispatch:
   schedule:
@@ -13,11 +14,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
-      - name: Set up JDK 11
-        uses: actions/setup-java@v3
+      - name: Set up JDKs
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
-          java-version: 11
+          java-version: |
+            11
+            17
           cache: "maven"
       - name: Generate ossindex report
diff --git a/.github/workflows/prepare_aws_marketplace_release.yml b/.github/workflows/prepare_aws_marketplace_release.yml
index 2e30e06..524255c 100644
--- a/.github/workflows/prepare_aws_marketplace_release.yml
+++ b/.github/workflows/prepare_aws_marketplace_release.yml
@@ -3,7 +3,7 @@ name: Prepare AWS Marketplace Release
 on:
   push:
     tags:
-      - '*'
+      - "*"
   workflow_dispatch:
 
 permissions:
@@ -15,17 +15,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
-      - name: Set up JDK 11
-        uses: actions/setup-java@v3
+        uses: actions/checkout@v4
+      - name: Set up JDKs
+        uses: actions/setup-java@v4
         with:
-          distribution: 'temurin'
-          java-version: 11
-          cache: 'maven'
+          distribution: "temurin"
+          java-version: |
+            11
+            17
+          cache: "maven"
       - name: Install xmlstarlet
         run: sudo apt install -y --no-install-recommends xmlstarlet
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.MARKETPLACE_AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.MARKETPLACE_AWS_SECRET_ACCESS_KEY }}
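Review bot: The rewritten `Run tests and build with Maven` step interpolates `${{ matrix.exasol_db_version }}` directly into the shell script even though the same value is exported as `EXASOL_DB_VERSION` in the step's `env` a few lines below; the matrix values are literal strings in this workflow so there is no injection today, but `${{ }}` inside `run:` is exactly the pattern that becomes script injection once the source is later changed to an input or event field. Use the variable that is already there: `-Dcom.exasol.dockerdb.image=$EXASOL_DB_VERSION`. In the `Sonar analysis` step, `-Dsonar.token=$SONAR_TOKEN` puts the secret on the `mvn` command line where it is visible in the process table and in any verbose Maven output, while `SONAR_TOKEN` is already exported in `env`; recent sonar-maven-plugin versions read that environment variable on their own, so the `-Dsonar.token` argument can likely be dropped (worth confirming against the plugin version pinned in the parent pom).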
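Review bot: The `Configure AWS Credentials` step keeps authenticating with long-lived static keys (`MARKETPLACE_AWS_ACCESS_KEY_ID` / `MARKETPLACE_AWS_SECRET_ACCESS_KEY`) although it was bumped to `configure-aws-credentials@v4`, which supports GitHub OIDC; since this workflow starts on any tag push (`tags: "*"`), every account that can push a tag gets a run holding those keys, and a leaked key stays valid until someone rotates it. Switch to a federated role: add `id-token: write` under the `permissions:` block (its contents fall outside this hunk) and replace the two key inputs with `role-to-assume: ${{ secrets.MARKETPLACE_AWS_ROLE_ARN }}` plus `aws-region`, restricting the role's trust policy to this repository and, ideally, to tag refs or a protected environment. Separately, `sudo apt install` without a preceding `apt-get update` fails on runners whose package index is stale; `sudo apt-get update && sudo apt-get install -y --no-install-recommends xmlstarlet` is the form that works reliably.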
diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml
index 843604c..413274b 100644
--- a/.github/workflows/release_droid_prepare_original_checksum.yml
+++ b/.github/workflows/release_droid_prepare_original_checksum.yml
@@ -1,13 +1,15 @@
+# Generated by Project Keeper
+# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_prepare_original_checksum.yml
 name: Release Droid - Prepare Original Checksum
-
 on:
   workflow_dispatch:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
       - name: Free Disk Space
+        if: ${{ false }}
         run: |
           sudo rm -rf /usr/local/lib/android
           sudo rm -rf /usr/share/dotnet
@@ -15,11 +17,13 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up JDK 11
-        uses: actions/setup-java@v3
+      - name: Set up JDKs
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
-          java-version: 11
+          java-version: |
+            11
+            17
           cache: "maven"
       - name: Enable testcontainer reuse
         run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
diff --git a/.github/workflows/release_droid_print_quick_checksum.yml b/.github/workflows/release_droid_print_quick_checksum.yml
index aed4444..86979cd 100644
--- a/.github/workflows/release_droid_print_quick_checksum.yml
+++ b/.github/workflows/release_droid_print_quick_checksum.yml
@@ -1,5 +1,6 @@
+# Generated by Project Keeper
+# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_print_quick_checksum.yml
 name: Release Droid - Print Quick Checksum
-
 on:
   workflow_dispatch:
 
@@ -11,11 +12,13 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up JDK 11
-        uses: actions/setup-java@v3
+      - name: Set up JDKs
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
-          java-version: 11
+          java-version: |
+            11
+            17
           cache: "maven"
       - name: Build with Maven skipping tests
         run: mvn --batch-mode clean verify -DskipTests
diff --git a/.github/workflows/release_droid_upload_github_release_assets.yml b/.github/workflows/release_droid_upload_github_release_assets.yml
index 7ae8bbb..b19f7cf 100644
--- a/.github/workflows/release_droid_upload_github_release_assets.yml
+++ b/.github/workflows/release_droid_upload_github_release_assets.yml
@@ -1,5 +1,6 @@
+# Generated by Project Keeper
+# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_upload_github_release_assets.yml
 name: Release Droid - Upload GitHub Release Assets
-
 on:
   workflow_dispatch:
     inputs:
@@ -15,11 +16,13 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up JDK 11
-        uses: actions/setup-java@v3
+      - name: Set up JDKs
+        uses: actions/setup-java@v4
         with:
           distribution: "temurin"
-          java-version: 11
+          java-version: |
+            11
+            17
           cache: "maven"
       - name: Build with Maven skipping tests
         run: mvn --batch-mode clean verify -DskipTests
diff --git a/.project-keeper.yml b/.project-keeper.yml
index 264ea08..e4f1e1b 100644
--- a/.project-keeper.yml
+++ b/.project-keeper.yml
@@ -5,8 +5,11 @@ sources:
       - jar_artifact
       - integration_tests
 linkReplacements:
+build:
+  runnerOs: ubuntu-20.04
+  freeDiskSpace: false
+  exasolDbVersions:
+    - "7.1.25"
+    - "8.24.0"
 excludes:
   - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build-next-java.yml'"
-  - "E-PK-CORE-18: Outdated content: '.settings/org.eclipse.jdt.core.prefs'"
-  - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'"
-  - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'"
diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs index fa81a44..a62964b 100644 --- a/.settings/org.eclipse.jdt.core.prefs +++ b/.settings/org.eclipse.jdt.core.prefs @@ -1,18 +1,18 @@ eclipse.preferences.version=1 org.eclipse.jdt.core.compiler.annotation.inheritNullAnnotations=disabled org.eclipse.jdt.core.compiler.annotation.missingNonNullByDefaultAnnotation=ignore -org.eclipse.jdt.core.compiler.annotation.nonnull=javax.annotation.Nonnull +org.eclipse.jdt.core.compiler.annotation.nonnull=org.eclipse.jdt.annotation.NonNull org.eclipse.jdt.core.compiler.annotation.nonnull.secondary= org.eclipse.jdt.core.compiler.annotation.nonnullbydefault=org.eclipse.jdt.annotation.NonNullByDefault org.eclipse.jdt.core.compiler.annotation.nonnullbydefault.secondary= -org.eclipse.jdt.core.compiler.annotation.nullable=javax.annotation.Nullable +org.eclipse.jdt.core.compiler.annotation.nullable=org.eclipse.jdt.annotation.Nullable org.eclipse.jdt.core.compiler.annotation.nullable.secondary= -org.eclipse.jdt.core.compiler.annotation.nullanalysis=enabled +org.eclipse.jdt.core.compiler.annotation.nullanalysis=disabled org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled org.eclipse.jdt.core.compiler.codegen.methodParameters=do not generate -org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.8 +org.eclipse.jdt.core.compiler.codegen.targetPlatform=8 org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve -org.eclipse.jdt.core.compiler.compliance=1.8 +org.eclipse.jdt.core.compiler.compliance=8 org.eclipse.jdt.core.compiler.debug.lineNumber=generate org.eclipse.jdt.core.compiler.debug.localVariable=generate org.eclipse.jdt.core.compiler.debug.sourceFile=generate 
@@ -56,15 +56,15 @@ org.eclipse.jdt.core.compiler.problem.noImplicitStringConversion=warning org.eclipse.jdt.core.compiler.problem.nonExternalizedStringLiteral=ignore org.eclipse.jdt.core.compiler.problem.nonnullParameterAnnotationDropped=warning org.eclipse.jdt.core.compiler.problem.nonnullTypeVariableFromLegacyInvocation=warning -org.eclipse.jdt.core.compiler.problem.nullAnnotationInferenceConflict=warning +org.eclipse.jdt.core.compiler.problem.nullAnnotationInferenceConflict=error org.eclipse.jdt.core.compiler.problem.nullReference=warning -org.eclipse.jdt.core.compiler.problem.nullSpecViolation=warning +org.eclipse.jdt.core.compiler.problem.nullSpecViolation=error org.eclipse.jdt.core.compiler.problem.nullUncheckedConversion=warning org.eclipse.jdt.core.compiler.problem.overridingPackageDefaultMethod=warning org.eclipse.jdt.core.compiler.problem.parameterAssignment=ignore org.eclipse.jdt.core.compiler.problem.pessimisticNullAnalysisForFreeTypeVariables=warning org.eclipse.jdt.core.compiler.problem.possibleAccidentalBooleanAssignment=ignore -org.eclipse.jdt.core.compiler.problem.potentialNullReference=warning +org.eclipse.jdt.core.compiler.problem.potentialNullReference=ignore org.eclipse.jdt.core.compiler.problem.potentiallyUnclosedCloseable=ignore org.eclipse.jdt.core.compiler.problem.rawTypeReference=warning org.eclipse.jdt.core.compiler.problem.redundantNullAnnotation=warning 
@@ -78,7 +78,7 @@ org.eclipse.jdt.core.compiler.problem.specialParameterHidingField=disabled org.eclipse.jdt.core.compiler.problem.staticAccessReceiver=warning org.eclipse.jdt.core.compiler.problem.suppressOptionalErrors=disabled org.eclipse.jdt.core.compiler.problem.suppressWarnings=enabled -org.eclipse.jdt.core.compiler.problem.syntacticNullAnalysisForFields=enabled +org.eclipse.jdt.core.compiler.problem.syntacticNullAnalysisForFields=disabled org.eclipse.jdt.core.compiler.problem.syntheticAccessEmulation=ignore org.eclipse.jdt.core.compiler.problem.terminalDeprecation=warning org.eclipse.jdt.core.compiler.problem.typeParameterHiding=warning @@ -113,7 +113,7 @@ org.eclipse.jdt.core.compiler.problem.unusedWarningToken=warning org.eclipse.jdt.core.compiler.problem.varargsArgumentNeedCast=warning org.eclipse.jdt.core.compiler.processAnnotations=disabled org.eclipse.jdt.core.compiler.release=disabled -org.eclipse.jdt.core.compiler.source=1.8 +org.eclipse.jdt.core.compiler.source=8 org.eclipse.jdt.core.formatter.align_assignment_statements_on_columns=false org.eclipse.jdt.core.formatter.align_fields_grouping_blank_lines=2147483647 org.eclipse.jdt.core.formatter.align_type_members_on_columns=false diff --git a/dependencies.md b/dependencies.md index ccaefb4..61b3c90 100644 --- a/dependencies.md +++ b/dependencies.md 
@@ -23,31 +23,32 @@ ## Test Dependencies -| Dependency | License | -| ----------------------------------------------- | --------------------------------- | -| [mockito-core][23] | [MIT][24] | -| [mockito-junit-jupiter][23] | [MIT][24] | -| [JUnit Jupiter (Aggregator)][25] | [Eclipse Public License v2.0][26] | -| [JUnit Jupiter API][25] | [Eclipse Public License v2.0][26] | -| [Hamcrest][27] | [BSD License 3][28] | -| [Testcontainers :: JUnit Jupiter Extension][29] | [MIT][30] | -| [Testcontainers :: Localstack][29] | [MIT][30] | -| [AWS Java SDK for Amazon S3][13] | [Apache License, Version 2.0][14] | -| AWSGlueETL | [Amazon Software License][31] | -| [Test containers for Exasol on Docker][32] | [MIT License][33] | -| [Test Database Builder for Java][34] | [MIT License][35] | -| [Test utilities for `java.util.logging`][36] | [MIT][24] | -| [Matcher for SQL Result Sets][37] | [MIT License][38] | -| [EqualsVerifier \| release normal jar][39] | [Apache License, Version 2.0][3] | -| [Apache Log4j API][40] | [Apache-2.0][3] | -| [Apache Log4j Core][41] | [Apache-2.0][3] | -| [SLF4J JDK14 Provider][42] | [MIT License][43] | +| Dependency | License | +| ----------------------------------------------- | ------------------------------------ | +| [mockito-core][23] | [MIT][24] | +| [mockito-junit-jupiter][23] | [MIT][24] | +| [JUnit Jupiter (Aggregator)][25] | [Eclipse Public License v2.0][26] | +| [JUnit Jupiter API][25] | [Eclipse Public License v2.0][26] | +| [Hamcrest][27] | [BSD License 3][28] | +| [Testcontainers :: JUnit Jupiter Extension][29] | [MIT][30] | +| [Testcontainers :: Localstack][29] | [MIT][30] | +| [AWS Java SDK for Amazon S3][13] | [Apache License, Version 2.0][14] | +| AWSGlueETL | [Amazon Software License][31] | +| [Ion Java][32] | [The Apache License, Version 2.0][3] | +| [Test containers for Exasol on Docker][33] | [MIT License][34] | +| [Test Database Builder for Java][35] | [MIT License][36] | +| [Test utilities for `java.util.logging`][37] | 
[MIT][24] | +| [Matcher for SQL Result Sets][38] | [MIT License][39] | +| [EqualsVerifier \| release normal jar][40] | [Apache License, Version 2.0][3] | +| [Apache Log4j API][41] | [Apache-2.0][3] | +| [Apache Log4j Core][42] | [Apache-2.0][3] | ## Plugin Dependencies | Dependency | License | | ------------------------------------------------------- | ------------------------------------- | -| [SonarQube Scanner for Maven][44] | [GNU LGPL 3][45] | +| [SonarQube Scanner for Maven][43] | [GNU LGPL 3][44] | +| [Apache Maven Toolchains Plugin][45] | [Apache License, Version 2.0][3] | | [Apache Maven Compiler Plugin][46] | [Apache-2.0][3] | | [Apache Maven Enforcer Plugin][47] | [Apache-2.0][3] | | [Maven Flatten Plugin][48] | [Apache Software Licenese][3] | 
@@ -98,20 +99,20 @@ [29]: https://java.testcontainers.org [30]: http://opensource.org/licenses/MIT [31]: http://aws.amazon.com/asl/ -[32]: https://github.com/exasol/exasol-testcontainers/ -[33]: https://github.com/exasol/exasol-testcontainers/blob/main/LICENSE -[34]: https://github.com/exasol/test-db-builder-java/ -[35]: https://github.com/exasol/test-db-builder-java/blob/main/LICENSE -[36]: https://github.com/exasol/java-util-logging-testing/ -[37]: https://github.com/exasol/hamcrest-resultset-matcher/ -[38]: https://github.com/exasol/hamcrest-resultset-matcher/blob/main/LICENSE -[39]: https://www.jqno.nl/equalsverifier -[40]: https://logging.apache.org/log4j/2.x/log4j/log4j-api/ -[41]: https://logging.apache.org/log4j/2.x/log4j/log4j-core/ -[42]: http://www.slf4j.org -[43]: http://www.opensource.org/licenses/mit-license.php -[44]: http://sonarsource.github.io/sonar-scanner-maven/ -[45]: http://www.gnu.org/licenses/lgpl.txt +[32]: https://github.com/amazon-ion/ion-java/ +[33]: https://github.com/exasol/exasol-testcontainers/ +[34]: https://github.com/exasol/exasol-testcontainers/blob/main/LICENSE +[35]: https://github.com/exasol/test-db-builder-java/ +[36]: https://github.com/exasol/test-db-builder-java/blob/main/LICENSE +[37]: https://github.com/exasol/java-util-logging-testing/ +[38]: https://github.com/exasol/hamcrest-resultset-matcher/ +[39]: https://github.com/exasol/hamcrest-resultset-matcher/blob/main/LICENSE +[40]: https://www.jqno.nl/equalsverifier +[41]: https://logging.apache.org/log4j/2.x/log4j/log4j-api/ +[42]: https://logging.apache.org/log4j/2.x/log4j/log4j-core/ +[43]: http://sonarsource.github.io/sonar-scanner-maven/ +[44]: http://www.gnu.org/licenses/lgpl.txt +[45]: https://maven.apache.org/plugins/maven-toolchains-plugin/ [46]: https://maven.apache.org/plugins/maven-compiler-plugin/ [47]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ [48]: https://www.mojohaus.org/flatten-maven-plugin/ 
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index b919637..06947d7 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [2.1.3](changes_2.1.3.md) * [2.1.2](changes_2.1.2.md) * [2.1.1](changes_2.1.1.md) * [2.1.0](changes_2.1.0.md) diff --git a/doc/changes/changes_2.1.3.md b/doc/changes/changes_2.1.3.md new file mode 100644 index 0000000..e35127e --- /dev/null +++ b/doc/changes/changes_2.1.3.md @@ -0,0 +1,36 @@ +# Exasol AWS Glue Connector 2.1.3, released 2024-01-19 + +Code name: Fix CVE-2024-21634 in `ion-java` + +## Summary + +This release fixes vulnerability CVE-2024-21634 in transitive test dependencies `com.amazon.ion:ion-java` and `software.amazon.ion:ion-java`. + +## Security + +* #88: Fixed CVE-2024-21634 in `ion-java` + +## Dependency Updates + +### Compile Dependency Updates + +* Updated `software.amazon.awssdk:s3:2.22.0` to `2.23.6` + +### Test Dependency Updates + +* Added `com.amazon.ion:ion-java:1.11.1` +* Updated `com.amazonaws:aws-java-sdk-s3:1.12.620` to `1.12.640` +* Updated `com.exasol:hamcrest-resultset-matcher:1.6.3` to `1.6.4` +* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.4` to `3.15.6` +* Updated `org.apache.logging.log4j:log4j-api:2.22.0` to `2.22.1` +* Updated `org.apache.logging.log4j:log4j-core:2.22.0` to `2.22.1` +* Updated `org.mockito:mockito-core:5.8.0` to `5.9.0` +* Updated `org.mockito:mockito-junit-jupiter:5.8.0` to `5.9.0` +* Removed `org.slf4j:slf4j-jdk14:2.0.9` + +### Plugin Dependency Updates + +* Updated `com.exasol:project-keeper-maven-plugin:2.9.17` to `3.0.0` +* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.2.2` to `3.2.3` +* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.2.2` to `3.2.3` +* Added `org.apache.maven.plugins:maven-toolchains-plugin:3.1.0` diff --git a/doc/developers_guide/developers_guide.md b/doc/developers_guide/developers_guide.md index f116fc7..1767aa4 100644 --- a/doc/developers_guide/developers_guide.md 
+++ b/doc/developers_guide/developers_guide.md @@ -40,11 +40,11 @@ To test connector by creating a custom connector, please follow these steps. ### Creating an Assembly Jar -By running `mvn verify` or `mvn package` create a connector artifact. For example, `target/exasol-glue-connector-2.1.2-assembly.jar`. +By running `mvn verify` or `mvn package` create a connector artifact. For example, `target/exasol-glue-connector-2.1.3-assembly.jar`. ### Uploading the Artifact to S3 Bucket -Upload the JAR artifact from previous step into an S3 bucket. For instance, `s3://exasol-artifacts/glue-connector/exasol-glue-connector-2.1.2-assembly.jar`. +Upload the JAR artifact from previous step into an S3 bucket. For instance, `s3://exasol-artifacts/glue-connector/exasol-glue-connector-2.1.3-assembly.jar`. ### Creating a Glue Studio Custom Connector diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index fad3d77..aa23362 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,12 +3,14 @@ 4.0.0 com.exasol glue-connector-generated-parent - 2.1.2 + 2.1.3 pom UTF-8 UTF-8 11 + exasol + https://sonarcloud.io @@ -39,6 +41,25 @@ sonar-maven-plugin 3.10.0.2594 + + org.apache.maven.plugins + maven-toolchains-plugin + 3.1.0 + + + + toolchain + + + + + + + ${java.version} + + + + org.apache.maven.plugins maven-compiler-plugin @@ -69,6 +90,9 @@ 3.6.3 + + 17 + @@ -116,7 +140,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.2 + 3.2.3 @@ -220,7 +244,7 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.2.2 + 3.2.3 -Djava.util.logging.config.file=src/test/resources/logging.properties ${argLine} diff --git a/pom.xml b/pom.xml index bf0b36d..bf3cf3e 100644 --- a/pom.xml +++ b/pom.xml 
@@ -3,22 +3,23 @@ 4.0.0 com.exasol glue-connector - 2.1.2 + 2.1.3 Exasol AWS Glue Connector An AWS Glue connector for accessing Exasol database https://github.com/exasol/glue-connector/ glue-connector-generated-parent com.exasol - 2.1.2 + 2.1.3 pk_generated_parent.pom 8 + 11 3.3.6 5.10.1 - 5.8.0 - 2.22.0 + 5.9.0 + 2.22.1 @@ -209,7 +210,7 @@ com.google.guava guava - 32.1.3-jre + 33.0.0-jre provided + com.amazon.ion + ion-java + 1.11.1 + test + com.exasol exasol-testcontainers @@ -435,13 +443,13 @@ com.exasol hamcrest-resultset-matcher - 1.6.3 + 1.6.4 test nl.jqno.equalsverifier equalsverifier - 3.15.4 + 3.15.6 test @@ -456,16 +464,21 @@ ${log4j.version} test - - - org.slf4j - slf4j-jdk14 - 2.0.9 - test - + + org.apache.maven.plugins + maven-toolchains-plugin + + + + + ${toolchain.version} + + + + org.apache.maven.plugins maven-compiler-plugin @@ -477,7 +490,7 @@ com.exasol project-keeper-maven-plugin - 2.9.17 + 3.0.0
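Review bot: The direct test dependency on `com.amazon.ion:ion-java:1.11.1` added here overrides the transitive version only for those exact coordinates, yet the release notes for this commit say the CVE is also present via `software.amazon.ion:ion-java`, which is a different groupId and therefore not replaced by this pin; if any test dependency (the `com.amazonaws:aws-java-sdk-s3` line bumped in the same change is the likely candidate) still pulls `software.amazon.ion:ion-java`, the vulnerable classes remain on the test classpath under the old package name. Verify with `mvn dependency:tree -Dincludes='*:ion-java'` after the build and, if the old artifact is still present, add an `<exclusion>` for it on the artifact that brings it in. Consider declaring the 1.11.1 pin under `<dependencyManagement>` instead of as a direct dependency, so it applies wherever the artifact appears in the graph and is not reported as an unused declared dependency by analysis plugins. The XML markup of the surrounding `<dependencies>` block is not preserved on this page, so I cannot confirm the element the new dependency landed in.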