diff --git a/.gitattributes b/.gitattributes index 243feac..b92b235 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,11 +1,10 @@ -.github/workflows/broken_links_checker.yml linguist-generated=true -.github/workflows/dependencies_check.yml linguist-generated=true -.github/workflows/ci-build.yml linguist-generated=true -.github/workflows/release_droid_print_quick_checksum.yml linguist-generated=true -.github/workflows/release_droid_prepare_original_checksum.yml linguist-generated=true -.github/workflows/release_droid_upload_github_release_assets.yml linguist-generated=true -.settings/org.eclipse.jdt.core.prefs linguist-generated=true -.settings/org.eclipse.jdt.ui.prefs linguist-generated=true -dependencies.md linguist-generated=true -doc/changes/changelog.md linguist-generated=true -pk_generated_parent.pom linguist-generated=true +.github/workflows/broken_links_checker.yml linguist-generated=true +.github/workflows/dependencies_check.yml linguist-generated=true +.github/workflows/dependencies_update.yml linguist-generated=true +.github/workflows/release.yml linguist-generated=true +.github/workflows/ci-build.yml linguist-generated=true +.settings/org.eclipse.jdt.core.prefs linguist-generated=true +.settings/org.eclipse.jdt.ui.prefs linguist-generated=true +dependencies.md linguist-generated=true +doc/changes/changelog.md linguist-generated=true +pk_generated_parent.pom linguist-generated=true diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml index 0fbcad5..d7a38b4 100644 --- a/.github/workflows/broken_links_checker.yml +++ b/.github/workflows/broken_links_checker.yml @@ -13,6 +13,9 @@ on: jobs: linkChecker: runs-on: ubuntu-latest + defaults: + run: + shell: "bash" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml index 26261ce..3f95694 100644 
--- a/.github/workflows/ci-build-next-java.yml +++ b/.github/workflows/ci-build-next-java.yml @@ -8,6 +8,12 @@ on: jobs: java-17-compatibility: runs-on: ubuntu-latest + defaults: + run: + shell: "bash" + permissions: + contents: read + checks: write # Allow scacap/action-surefire-report concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -24,9 +30,9 @@ jobs: cache: "maven" - name: Run tests and build with Maven run: | - mvn --batch-mode --update-snapshots clean javadoc:javadoc -DtrimStackTrace=false \ - -Djava.version=17 -Dtoolchain.version=17 \ - -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn + mvn --batch-mode --update-snapshots clean javadoc:javadoc \ + -DtrimStackTrace=false -Djava.version=17 -Dtoolchain.version=17 \ + -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn - name: Publish Test Report for Java 17 uses: scacap/action-surefire-report@v1 if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }} diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index 76adff4..e847dc0 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -3,13 +3,18 @@ name: CI Build on: push: - branches: - - main + branches: ["main"] pull_request: jobs: matrix-build: runs-on: ubuntu-20.04 + defaults: + run: + shell: "bash" + permissions: + contents: read + checks: write # Allow scacap/action-surefire-report concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.exasol_db_version }} cancel-in-progress: true @@ -38,7 +43,7 @@ jobs: 17 cache: "maven" - name: Cache SonarCloud packages - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar 
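Review bot: In `ci-build-next-java.yml` the new `checks: write` permission exists only for `scacap/action-surefire-report@v1`, which is referenced by a movable tag, so any change to that tag would run new code in a job holding a write-scoped token. Pin the action to a full commit SHA, for example `uses: scacap/action-surefire-report@<full-commit-sha> # v1` (placeholder; use the SHA of the release you have reviewed). The Maven step in this job runs only `clean javadoc:javadoc`, so there are presumably no surefire reports to publish. If that is right, the report step and the `checks: write` grant could both be dropped, leaving `contents: read`.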
@@ -46,6 +51,7 @@ jobs: - name: Enable testcontainer reuse run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - name: Run tests and build with Maven + id: pk-verify run: | mvn --batch-mode clean verify \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ @@ -71,8 +77,58 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + - name: Verify Release Artifacts + run: | + print_message() { + local -r message=$1 + echo "$message" + echo "$message" >> "$GITHUB_STEP_SUMMARY" + } + + print_message "# Release Artifacts" + + IFS=$'\n' artifacts_array=($ARTIFACTS) + missing_files=() + for file in "${artifacts_array[@]}"; + do + echo "Checking if file $file exists..." + if ! [[ -f "$file" ]]; then + print_message "* ⚠️ \`$file\` does not exist ⚠️" + echo "Content of directory $(dirname "$file"):" + ls "$(dirname "$file")" + missing_files+=("$file") + else + print_message "* \`$file\` ✅" + fi + done + print_message "" + number_of_missing_files=${#missing_files[@]} + if [[ $number_of_missing_files -gt 0 ]]; then + print_message "⚠️ $number_of_missing_files release artifact(s) missing ⚠️" + exit 1 + else + print_message "All ${#artifacts_array[@]} artifact(s) present ✅" + fi + env: + ARTIFACTS: ${{ steps.pk-verify.outputs.release-artifacts }} + build: needs: matrix-build runs-on: ubuntu-latest steps: - run: echo "Build successful" + + # [impl->dsn~release-workflow.ci-build-starts-release~1] + start_release: + needs: build + if: ${{ github.ref == 'refs/heads/main' }} + concurrency: + cancel-in-progress: false + group: "release" + secrets: inherit + permissions: + contents: write + actions: read + uses: ./.github/workflows/release.yml + with: + started-from-ci: true diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml index 87b64ba..bd26ab6 100644 --- a/.github/workflows/dependencies_check.yml 
+++ b/.github/workflows/dependencies_check.yml @@ -1,6 +1,6 @@ # Generated by Project Keeper # https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml -name: Report Security Issues for Repository +name: Report Security Issues on: workflow_dispatch: schedule: @@ -9,11 +9,17 @@ on: jobs: report_security_issues: runs-on: ubuntu-latest + defaults: + run: + shell: "bash" permissions: + contents: read issues: write - + outputs: + created-issues: ${{ steps.security-issues.outputs.created-issues }} steps: - uses: actions/checkout@v4 + - name: Set up JDKs uses: actions/setup-java@v4 with: @@ -25,14 +31,38 @@ jobs: - name: Generate ossindex report run: | - mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \ + mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \ org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate \ -Dossindex.reportFile=$(pwd)/ossindex-report.json \ -Dossindex.fail=false - name: Report Security Issues + id: security-issues uses: exasol/python-toolbox/.github/actions/security-issues@main with: format: "maven" command: "cat ossindex-report.json" github-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Output security issues (Debugging) + run: | + echo "$CREATED_ISSUES" > test.jsonl + cat test.jsonl + env: + CREATED_ISSUES: ${{ steps.security-issues.outputs.created-issues }} + + start_dependency_udpate: + needs: report_security_issues + # [impl->dsn~trigger-dependency-updates~1] + if: ${{ needs.report_security_issues.outputs.created-issues }} + concurrency: + cancel-in-progress: true + group: "dependencies_update" + # Workflow needs secret INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK + secrets: inherit + permissions: + contents: write + pull-requests: write + uses: ./.github/workflows/dependencies_update.yml + with: + vulnerability_issues: ${{ needs.report_security_issues.outputs.created-issues }} 
diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml new file mode 100644 index 0000000..0f6b816 --- /dev/null +++ b/.github/workflows/dependencies_update.yml 
@@ -0,0 +1,175 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_update.yml +name: Update dependencies +on: + workflow_call: + inputs: + # [impl->dsn~dependency-updater.workflow.vulnerability-info~1] + vulnerability_issues: + description: "GitHub issues for vulnerable dependencies as JSONL" + required: true + type: string + workflow_dispatch: + +jobs: + update_dependencies: + runs-on: ubuntu-latest + defaults: + run: + shell: "bash" + permissions: + contents: write + pull-requests: write + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up JDKs + uses: actions/setup-java@v4 + with: + distribution: "temurin" + java-version: | + 11 + 17 + cache: "maven" + + - name: Print issues + run: | + echo "Issues from Action input: $ISSUES" + env: + ISSUES: ${{ inputs.vulnerability_issues }} + + - name: Fail if not running on a branch + if: ${{ !startsWith(github.ref, 'refs/heads/') }} + uses: actions/github-script@v7 + with: + script: | + core.setFailed('Not running on a branch, github.ref is ${{ github.ref }}. Please start this workflow only on main or a branch') + + - name: Update dependencies + # [impl->dsn~dependency-updater.workflow.start-pk-update~1] + run: | + mvn --batch-mode com.exasol:project-keeper-maven-plugin:update-dependencies --projects . \ + -Dproject-keeper:vulnerabilities="$CREATED_ISSUES" + env: + CREATED_ISSUES: ${{ inputs.vulnerability_issues }} + + - name: Project Keeper Fix + run: | + mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects . + + - name: Project Keeper Fix for updated Project Keeper version + # Calling PK fix a second time is necessary because the first invocation potentially updated PK itself. + # So we need to run PK fix again with the latest PK version. 
+ # [impl->dsn~dependency-updater.workflow.start-pk-fix~1] + run: | + mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects . + + - name: Generate Pull Request comment + id: pr-comment + # [impl->dsn~dependency-updater.workflow.create-pull-request~1] + # [impl->dsn~dependency-updater.workflow.pull-request-trigger-ci-build~1] + run: | + echo 'comment<> "$GITHUB_OUTPUT" + echo 'This Pull Request was created by [`dependencies_update.yml`](https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_update.yml) workflow.' >> "$GITHUB_OUTPUT" + if [ -n "$CREATED_ISSUES" ]; then + echo 'It updates dependencies to fix the following vulnerabilities:' >> "$GITHUB_OUTPUT" + echo $CREATED_ISSUES | jq --raw-output '. | "* Closes " + .issue_url + " (" + .cve + ")"' >> "$GITHUB_OUTPUT" + else + echo 'It updates dependencies.' >> "$GITHUB_OUTPUT" + fi + echo >> "$GITHUB_OUTPUT" + echo '# ⚠️ This PR does not trigger CI workflows by default ⚠️' >> "$GITHUB_OUTPUT" + echo 'Please click the **Close pull request** button and then **Reopen pull request** to trigger running checks.' >> "$GITHUB_OUTPUT" + echo 'See https://github.com/exasol/project-keeper/issues/534 for details.' 
>> "$GITHUB_OUTPUT" + echo 'EOF' >> "$GITHUB_OUTPUT" + + cat "$GITHUB_OUTPUT" + env: + CREATED_ISSUES: ${{ inputs.vulnerability_issues }} + + - name: Generate Pull Request Title + id: pr-title + run: | + if [ -n "$CREATED_ISSUES" ]; then + echo "Security issues are available" + echo "title=🔐 Update dependencies to fix vulnerabilities" >> "$GITHUB_OUTPUT" + else + echo "Security issues are not available" + echo "title=Update dependencies" >> "$GITHUB_OUTPUT" + fi + + cat "$GITHUB_OUTPUT" + env: + CREATED_ISSUES: ${{ inputs.vulnerability_issues }} + + - name: Configure git + run: | + git config --global user.email "opensource@exasol.com" + git config --global user.name "Automatic Dependency Updater" + + - name: Create branch + if: ${{ github.ref == 'refs/heads/main' }} + run: | + branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" + echo "Creating branch $branch_name" + git checkout -b "$branch_name" + + - name: Commit changes & push + if: ${{ startsWith(github.ref, 'refs/heads/' ) }} + run: | + branch_name=$(git rev-parse --abbrev-ref HEAD) + echo "Current branch: $branch_name" + echo "git diff --stat" + git diff --stat + echo "git diff --numstat" + git diff --numstat + echo "git diff --name-status" + git diff --name-status + echo "Adding untracked files:" + git add . --verbose --all + echo "Committing changes..." + git commit --message "$TITLE" + echo "Pushing branch $branch_name..." + git push --set-upstream origin "$branch_name" + echo "Done." 
+ env: + TITLE: ${{ steps.pr-title.outputs.title }} + + - name: Create pull request + id: create-pr + if: ${{ github.ref == 'refs/heads/main' }} + run: | + pr_url=$(gh pr create --base main --title "$TITLE" --body "$COMMENT") + echo "Created Pull Request: $pr_url" + echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT" + env: + COMMENT: ${{ steps.pr-comment.outputs.comment }} + TITLE: ${{ steps.pr-title.outputs.title }} + GH_TOKEN: ${{ github.token }} + + - name: Report failure Status to Slack channel + # Also run this step in case of failures + if: ${{ always() }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ job.status }} + token: ${{ secrets.GITHUB_TOKEN }} + notification_title: "Dependency check in {repo} has {status_message}" + message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>" + notify_when: "failure,cancelled,warnings" + env: + SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} + + - name: Report new Pull Request to Slack channel + if: ${{ steps.create-pr.outputs.pr_url }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ job.status }} + token: ${{ secrets.GITHUB_TOKEN }} + notification_title: "Dependency update for {repo} created a Pull Request" + message_format: "{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}" + env: + SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..7a2dc9c --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,193 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release.yml +name: Release +on: + # [impl->dsn~release-workflow.triggers~1] + workflow_call: + inputs: + started-from-ci: + description: "Marks this release as started from CI, skipping precondition check" + type: boolean + required: true + default: false + workflow_dispatch: + inputs: + skip-maven-central: + description: "Skip deployment to Maven Central" + required: true + type: boolean + default: false + skip-github-release: + description: "Skip creating the GitHub release" + required: true + type: boolean + default: false + +jobs: + release: + runs-on: ubuntu-latest + defaults: + run: + shell: "bash" + concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + permissions: + contents: write + actions: read + steps: + - name: Checkout the repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Set up Maven Central Repository + if: ${{ false }} + uses: actions/setup-java@v4 + with: + distribution: "temurin" + java-version: | + 11 + 17 + cache: "maven" + server-id: ossrh + server-username: MAVEN_USERNAME + server-password: MAVEN_PASSWORD + gpg-private-key: ${{ secrets.OSSRH_GPG_SECRET_KEY }} + gpg-passphrase: MAVEN_GPG_PASSPHRASE + - name: Set up JDKs + if: ${{ ! false }} + uses: actions/setup-java@v4 + with: + distribution: "temurin" + java-version: | + 11 + 17 + cache: "maven" + + # Check preconditions + + - name: Fail if not running on main branch + if: ${{ github.ref != 'refs/heads/main' }} + uses: actions/github-script@v7 + with: + script: | + core.setFailed('Not running on main branch, github.ref is ${{ github.ref }}. 
Please start this workflow only on main') + + # [impl->dsn~release-workflow.verify-ci-build-success~1] + - name: Check CI build of this commit succeeded + # We skip this check if this was started from ci-build.yml, because the build status would be "in progress". + if: ${{ ! inputs.started-from-ci }} + run: | + echo "Commit SHA: $COMMIT_SHA" + gh run list --workflow ci-build.yml --branch main --event push --commit $COMMIT_SHA + ci_build_status=$(gh run list --workflow ci-build.yml --branch main --event push --commit $COMMIT_SHA --json conclusion --template '{{range .}}{{.conclusion}}{{"\n"}}{{end}}') + echo "CI build status at commit $COMMIT_SHA was '$ci_build_status'" + if [[ "$ci_build_status" != "success" ]]; then + gh run list --workflow ci-build.yml --commit $COMMIT_SHA >> $GITHUB_STEP_SUMMARY + echo "Status of CI build for commit $COMMIT_SHA was '$ci_build_status', expected 'success'" >> $GITHUB_STEP_SUMMARY + cat $GITHUB_STEP_SUMMARY + exit 1 + fi + env: + COMMIT_SHA: ${{ github.sha }} + GH_TOKEN: ${{ github.token }} + # [impl->dsn~release-workflow.run-verify-release~1] + - name: Verify release preconditions + id: verify-release + run: | + mvn --batch-mode com.exasol:project-keeper-maven-plugin:verify-release --projects . + echo "$GITHUB_OUTPUT" + env: + GITHUB_TOKEN: ${{ github.token }} + # [impl->dsn~release-workflow.verify-skip-tests~1] + - name: Build project + run: mvn --batch-mode -DskipTests clean verify + + # Maven Central Deployment + - name: List secret GPG keys + if: ${{ false && (! inputs.skip-maven-central) }} + run: gpg --list-secret-keys + # [impl->dsn~release-workflow.deploy-maven-central~1] + - name: Publish to Central Repository + if: ${{ false && (! 
inputs.skip-maven-central) }} + run: | + mvn --batch-mode -Dgpg.skip=false -DskipTests deploy + echo "Published to Maven Central" >> "$GITHUB_STEP_SUMMARY" + env: + MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} + + # Create GitHub releasse + + - name: Calculate Artifact Checksums + id: artifact-checksum + if: ${{ ! inputs.skip-github-release }} + run: | + ls target/ + echo "Calculating sha256 checksum for artifact files" + echo "artifacts<> "$GITHUB_OUTPUT" + IFS=$'\n' artifacts_array=($ARTIFACTS) + for file in "${artifacts_array[@]}"; + do + full_path=$(realpath "$file") + echo "Calculate sha256sum for file '$full_path'" + file_dir="$(dirname "$full_path")" + file_name=$(basename "$full_path") + pushd "$file_dir" + checksum_file_name="${file_name}.sha256" + sha256sum "$file_name" > "$checksum_file_name" + echo "$full_path" >> "$GITHUB_OUTPUT" + echo "${file_dir}/$checksum_file_name" >> "$GITHUB_OUTPUT" + popd + done + echo "EOF" >> "$GITHUB_OUTPUT" + echo "Full artifact file list" + cat "$GITHUB_OUTPUT" + env: + ARTIFACTS: ${{ steps.verify-release.outputs.release-artifacts }} + + # [impl->dsn~release-workflow.create-github-release~1] + - name: Create GitHub Release + id: create-github-release + if: ${{ ! 
inputs.skip-github-release }} + run: | + IFS=$'\n' artifacts_array=($ARTIFACTS) + for file in "${artifacts_array[@]}"; + do + echo "Attaching file '$file'" + done + release_url=$(gh release create --draft --latest --title "$TITLE" --notes "$NOTES" --target main $TAG "${artifacts_array[@]}") + echo "Created release $TAG with title '$TITLE' at $release_url" >> "$GITHUB_STEP_SUMMARY" + echo "release-url=$release_url" >> "$GITHUB_OUTPUT" + git fetch --tags origin + env: + GH_TOKEN: ${{ github.token }} + TAG: ${{ steps.verify-release.outputs.version }} + NOTES: ${{ steps.verify-release.outputs.release-notes }} + TITLE: ${{ steps.verify-release.outputs.release-title }} + ARTIFACTS: ${{ steps.artifact-checksum.outputs.artifacts }} + + - name: Report failure Status to Slack channel + # Also run this step in case of failures + if: ${{ always() }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ job.status }} + token: ${{ github.token }} + notification_title: "Release build in {repo} has {status_message}" + message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>" + notify_when: "failure,cancelled,warnings,skipped" + env: + SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} + + - name: Report new release to Slack channel + if: ${{ steps.create-github-release.outputs.release-url }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ job.status }} + token: ${{ github.token }} + notification_title: "Release build for {repo} created a new release" + message_format: "{workflow} created release ${{ steps.create-github-release.outputs.release-url }}" + env: + SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml deleted file mode 100644 index 413274b..0000000 --- a/.github/workflows/release_droid_prepare_original_checksum.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_prepare_original_checksum.yml -name: Release Droid - Prepare Original Checksum -on: - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-20.04 - steps: - - name: Free Disk Space - if: ${{ false }} - run: | - sudo rm -rf /usr/local/lib/android - sudo rm -rf /usr/share/dotnet - - name: Checkout the repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Set up JDKs - uses: actions/setup-java@v4 - with: - distribution: "temurin" - java-version: | - 11 - 17 - cache: "maven" - - name: Enable testcontainer reuse - run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - - name: Run tests and build with Maven - run: mvn --batch-mode clean verify --file pom.xml - - name: Prepare checksum - run: find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + > original_checksum - - name: Upload checksum to the artifactory - uses: actions/upload-artifact@v3 - with: - name: original_checksum - retention-days: 5 - path: original_checksum diff --git a/.github/workflows/release_droid_print_quick_checksum.yml b/.github/workflows/release_droid_print_quick_checksum.yml deleted file mode 100644 index 86979cd..0000000 --- a/.github/workflows/release_droid_print_quick_checksum.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_print_quick_checksum.yml -name: Release Droid - Print Quick Checksum -on: - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout the repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Set up JDKs - uses: actions/setup-java@v4 - with: - distribution: "temurin" - java-version: | - 11 - 17 - cache: "maven" - - name: Build with Maven skipping tests - run: mvn --batch-mode clean verify -DskipTests - - name: Print checksum - run: echo 'checksum_start==';find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + | xargs;echo '==checksum_end' diff --git a/.github/workflows/release_droid_upload_github_release_assets.yml b/.github/workflows/release_droid_upload_github_release_assets.yml deleted file mode 100644 index b19f7cf..0000000 --- a/.github/workflows/release_droid_upload_github_release_assets.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_upload_github_release_assets.yml -name: Release Droid - Upload GitHub Release Assets -on: - workflow_dispatch: - inputs: - upload_url: - description: "Assets upload URL" - required: true - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout the repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Set up JDKs - uses: actions/setup-java@v4 - with: - distribution: "temurin" - java-version: | - 11 - 17 - cache: "maven" - - name: Build with Maven skipping tests - run: mvn --batch-mode clean verify -DskipTests - - name: Generate sha256sum files - run: | - cd target - find . -maxdepth 1 -name \*.jar -exec bash -c 'sha256sum {} > {}.sha256' \; - - name: Upload assets to the GitHub release draft - uses: shogo82148/actions-upload-release-asset@v1 - with: - upload_url: ${{ github.event.inputs.upload_url }} - asset_path: target/*.jar - - name: Upload sha256sum files - uses: shogo82148/actions-upload-release-asset@v1 - with: - upload_url: ${{ github.event.inputs.upload_url }} - asset_path: target/*.sha256 - - name: Upload error-code-report - uses: shogo82148/actions-upload-release-asset@v1 - with: - upload_url: ${{ github.event.inputs.upload_url }} - asset_path: target/error_code_report.json diff --git a/.project-keeper.yml b/.project-keeper.yml index e4f1e1b..4bdfe2e 100644 --- a/.project-keeper.yml +++ b/.project-keeper.yml @@ -12,4 +12,5 @@ build: - "7.1.25" - "8.24.0" excludes: + # Only run javadoc as glue-connector cannot be built with java version > 11 currently - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build-next-java.yml'" diff --git a/dependencies.md b/dependencies.md index 61b3c90..9bceb0c 100644 --- a/dependencies.md +++ b/dependencies.md 
@@ -5,7 +5,7 @@ | Dependency | License | | ------------------------------------------- | --------------------------------------------- | -| [Spark Project SQL][0] | [Apache 2.0 License][1] | +| [Spark Project SQL][0] | [Apache-2.0][1] | | [Apache ZooKeeper - Server][2] | [Apache License, Version 2.0][3] | | [Apache Avro][4] | [Apache-2.0][3] | | [Apache Commons Compress][5] | [Apache-2.0][3] | @@ -58,9 +58,9 @@ | [Maven Surefire Plugin][53] | [Apache-2.0][3] | | [Versions Maven Plugin][54] | [Apache License, Version 2.0][3] | | [duplicate-finder-maven-plugin Maven Mojo][55] | [Apache License 2.0][1] | -| [Apache Maven Assembly Plugin][56] | [Apache-2.0][3] | -| [Apache Maven JAR Plugin][57] | [Apache License, Version 2.0][3] | -| [Project Keeper Maven plugin][58] | [The MIT License][59] | +| [Project Keeper Maven plugin][56] | [The MIT License][57] | +| [Apache Maven Assembly Plugin][58] | [Apache-2.0][3] | +| [Apache Maven JAR Plugin][59] | [Apache License, Version 2.0][3] | | [Artifact reference checker and unifier][60] | [MIT License][61] | | [Maven Failsafe Plugin][62] | [Apache-2.0][3] | | [JaCoCo :: Maven Plugin][63] | [Eclipse Public License 2.0][64] | 
@@ -123,10 +123,10 @@ [53]: https://maven.apache.org/surefire/maven-surefire-plugin/ [54]: https://www.mojohaus.org/versions/versions-maven-plugin/ [55]: https://basepom.github.io/duplicate-finder-maven-plugin -[56]: https://maven.apache.org/plugins/maven-assembly-plugin/ -[57]: https://maven.apache.org/plugins/maven-jar-plugin/ -[58]: https://github.com/exasol/project-keeper/ -[59]: https://github.com/exasol/project-keeper/blob/main/LICENSE +[56]: https://github.com/exasol/project-keeper/ +[57]: https://github.com/exasol/project-keeper/blob/main/LICENSE +[58]: https://maven.apache.org/plugins/maven-assembly-plugin/ +[59]: https://maven.apache.org/plugins/maven-jar-plugin/ [60]: https://github.com/exasol/artifact-reference-checker-maven-plugin/ [61]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE [62]: https://maven.apache.org/surefire/maven-failsafe-plugin/ diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index 06947d7..5737f18 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [2.1.4](changes_2.1.4.md) * [2.1.3](changes_2.1.3.md) * [2.1.2](changes_2.1.2.md) * [2.1.1](changes_2.1.1.md) diff --git a/doc/changes/changes_2.1.4.md b/doc/changes/changes_2.1.4.md new file mode 100644 index 0000000..58c787b --- /dev/null +++ b/doc/changes/changes_2.1.4.md 
@@ -0,0 +1,47 @@
+# Exasol AWS Glue Connector 2.1.4, released 2024-03-14
+
+Code name: Fixed vulnerabilities CVE-2024-25710 and CVE-2024-26308 in test dependencies
+
+## Summary
+
+This is a security release in which we updated test dependency `com.exasol:exasol-test-setup-abstraction-java` to fix vulnerabilities CVE-2024-25710 and CVE-2024-26308 in its transitive dependencies.
+
+Vulnerability CVE-2023-52428 reported for transitive dependency `com.nimbusds:nimbus-jose-jwt:jar:9.8.1` via `org.apache.hadoop:hadoop-client:jar:3.3.6` has been excluded in file `pom.xml` as `nimbus-jose-jwt` is not included in the released artifact, but 'provided' by the runtime Spark cluster.
+
+## Security
+
+* #90: Ignored vulnerability CVE-2023-52428
+* #91: Fixed vulnerability CVE-2024-25710 in test dependencies
+* #92: Fixed vulnerability CVE-2024-26308 in test dependencies
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `software.amazon.awssdk:s3:2.23.6` to `2.25.9`
+
+### Test Dependency Updates
+
+* Updated `com.amazon.ion:ion-java:1.11.1` to `1.11.4`
+* Updated `com.amazonaws:aws-java-sdk-s3:1.12.640` to `1.12.679`
+* Updated `com.exasol:exasol-testcontainers:7.0.0` to `7.0.1`
+* Updated `com.exasol:hamcrest-resultset-matcher:1.6.4` to `1.6.5`
+* Updated `com.exasol:test-db-builder-java:3.5.3` to `3.5.4`
+* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.6` to `3.15.8`
+* Updated `org.apache.logging.log4j:log4j-api:2.22.1` to `2.23.1`
+* Updated `org.apache.logging.log4j:log4j-core:2.22.1` to `2.23.1`
+* Updated `org.junit.jupiter:junit-jupiter-api:5.10.1` to `5.10.2`
+* Updated `org.junit.jupiter:junit-jupiter:5.10.1` to `5.10.2`
+* Updated `org.mockito:mockito-core:5.9.0` to `5.11.0`
+* Updated `org.mockito:mockito-junit-jupiter:5.9.0` to `5.11.0`
+* Updated `org.testcontainers:junit-jupiter:1.19.3` to `1.19.7`
+* Updated `org.testcontainers:localstack:1.19.3` to `1.19.7`
+
+### Plugin Dependency Updates
+
+* Updated 
`com.exasol:error-code-crawler-maven-plugin:1.3.1` to `2.0.1` +* Updated `com.exasol:project-keeper-maven-plugin:3.0.0` to `4.2.0` +* Updated `org.apache.maven.plugins:maven-compiler-plugin:3.11.0` to `3.12.1` +* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.2.3` to `3.2.5` +* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.2.3` to `3.2.5` +* Updated `org.codehaus.mojo:flatten-maven-plugin:1.5.0` to `1.6.0` diff --git a/doc/developers_guide/developers_guide.md b/doc/developers_guide/developers_guide.md index 1767aa4..985702c 100644 --- a/doc/developers_guide/developers_guide.md +++ b/doc/developers_guide/developers_guide.md @@ -40,11 +40,11 @@ To test connector by creating a custom connector, please follow these steps. ### Creating an Assembly Jar -By running `mvn verify` or `mvn package` create a connector artifact. For example, `target/exasol-glue-connector-2.1.3-assembly.jar`. +By running `mvn verify` or `mvn package` create a connector artifact. For example, `target/exasol-glue-connector-2.1.4-assembly.jar`. ### Uploading the Artifact to S3 Bucket -Upload the JAR artifact from previous step into an S3 bucket. For instance, `s3://exasol-artifacts/glue-connector/exasol-glue-connector-2.1.3-assembly.jar`. +Upload the JAR artifact from previous step into an S3 bucket. For instance, `s3://exasol-artifacts/glue-connector/exasol-glue-connector-2.1.4-assembly.jar`. ### Creating a Glue Studio Custom Connector diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index aa23362..ed2c86a 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,7 +3,7 @@ 4.0.0 com.exasol glue-connector-generated-parent - 2.1.3 + 2.1.4 pom UTF-8 @@ -63,7 +63,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.11.0 + 3.12.1 ${java.version} ${java.version} @@ -101,7 +101,7 @@ org.codehaus.mojo flatten-maven-plugin - 1.5.0 + 1.6.0 true oss @@ -140,7 +140,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.3 + 3.2.5 
@@ -164,6 +164,17 @@ file:///${project.basedir}/versionsMavenPluginRules.xml + false + true + true + true + false + true + true + true + false + true + true @@ -244,7 +255,7 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.2.3 + 3.2.5 -Djava.util.logging.config.file=src/test/resources/logging.properties ${argLine} @@ -305,7 +316,7 @@ com.exasol error-code-crawler-maven-plugin - 1.3.1 + 2.0.1 verify diff --git a/pom.xml b/pom.xml index bf3cf3e..6a8943c 100644 --- a/pom.xml +++ b/pom.xml @@ -3,23 +3,23 @@ 4.0.0 com.exasol glue-connector - 2.1.3 + 2.1.4 Exasol AWS Glue Connector An AWS Glue connector for accessing Exasol database https://github.com/exasol/glue-connector/ glue-connector-generated-parent com.exasol - 2.1.3 + 2.1.4 pk_generated_parent.pom 8 11 3.3.6 - 5.10.1 - 5.9.0 - 2.22.1 + 5.10.2 + 5.11.0 + 2.23.1 @@ -35,7 +35,7 @@ org.apache.spark spark-sql_2.12 - 3.5.0 + 3.5.1 provided @@ -110,7 +110,7 @@ org.apache.zookeeper zookeeper - 3.9.1 + 3.9.2 provided @@ -138,7 +138,7 @@ org.apache.commons commons-compress - 1.25.0 + 1.26.1 provided com.fasterxml.jackson.core jackson-databind - 2.15.3 + 2.15.4 provided software.amazon.awssdk s3 - 2.23.6 + 2.25.9 com.exasol @@ -284,13 +278,13 @@ org.testcontainers junit-jupiter - 1.19.3 + 1.19.7 test org.testcontainers localstack - 1.19.3 + 1.19.7 test com.amazon.ion ion-java - 1.11.1 + 1.11.4 test com.exasol exasol-testcontainers - 7.0.0 + 7.0.1 test com.exasol test-db-builder-java - 3.5.3 + 3.5.4 test @@ -443,13 +437,13 @@ com.exasol hamcrest-resultset-matcher - 1.6.4 + 1.6.5 test nl.jqno.equalsverifier equalsverifier - 3.15.6 + 3.15.8 test @@ -485,12 +479,19 @@ ${java.version} ${java.version} + + + -Xlint:all,-path,-options,-processing + -Werror + com.exasol project-keeper-maven-plugin - 3.0.0 + 4.2.0 @@ -499,15 +500,6 @@ - - com.exasol - artifact-reference-checker-maven-plugin - - - /doc/changes/* - - - maven-assembly-plugin org.apache.maven.plugins 
@@ -566,6 +558,23 @@ + + org.codehaus.mojo + versions-maven-plugin + + + + com.fasterxml.jackson.core:jackson-databind:jar:*:* + + + org.apache.maven.plugins maven-shade-plugin @@ -618,13 +627,21 @@ ${ossindex.skip} - CVE-2023-33546 + + CVE-2023-52428 diff --git a/src/main/java/com/exasol/glue/ExasolTable.java b/src/main/java/com/exasol/glue/ExasolTable.java index 417d06f..002f244 100644 --- a/src/main/java/com/exasol/glue/ExasolTable.java +++ b/src/main/java/com/exasol/glue/ExasolTable.java @@ -1,14 +1,10 @@ package com.exasol.glue; -import java.util.Arrays; -import java.util.HashSet; -import java.util.Set; +import java.util.*; import org.apache.hadoop.conf.Configuration; import org.apache.spark.sql.SparkSession; -import org.apache.spark.sql.connector.catalog.SupportsRead; -import org.apache.spark.sql.connector.catalog.SupportsWrite; -import org.apache.spark.sql.connector.catalog.TableCapability; +import org.apache.spark.sql.connector.catalog.*; import org.apache.spark.sql.connector.read.ScanBuilder; import org.apache.spark.sql.connector.write.LogicalWriteInfo; import org.apache.spark.sql.connector.write.WriteBuilder; @@ -19,9 +15,7 @@ import com.exasol.glue.filesystem.S3FileSystem; import com.exasol.glue.reader.ExasolScanBuilder; import com.exasol.glue.writer.ExasolWriteBuilderProvider; -import com.exasol.spark.common.ExasolOptions; -import com.exasol.spark.common.ExasolValidationException; -import com.exasol.spark.common.Option; +import com.exasol.spark.common.*; /** * Represents an instance of {@link ExasolTable}. @@ -66,14 +60,20 @@ public String name() { return "ExasolTable"; } + @SuppressWarnings("deprecation") @Override public StructType schema() { - return schema; + return this.schema; + } + + @Override + public Column[] columns() { + return CatalogV2Util.structTypeToV2Columns(this.schema); } @Override public Set capabilities() { - return capabilities; + return this.capabilities; } private void validate(final ExasolOptions options) {
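Review bot: In the last `pom.xml` hunk, the ossindex exclusion that swaps `CVE-2023-33546` for `CVE-2023-52428` suppresses the finding by CVE id on every audit run. The justification in `changes_2.1.4.md` rests on a single fact: `nimbus-jose-jwt:9.8.1` comes in via `hadoop-client:3.3.6` and is provided by the Spark runtime, not shipped. The hunk grows by eight lines but its XML markup is not visible on this page, so a comment may already record this. If not, add one beside the entry, for example `<!-- CVE-2023-52428: nimbus-jose-jwt is provided by the Spark runtime, not packaged; see #90; re-check when the Hadoop version changes -->`. It is also worth confirming that the assembly and shade configuration really keeps `nimbus-jose-jwt` out of the released jar, since the exclusion is sound only while that holds.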
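Review bot: The import hunk of `ExasolTable.java` replaces explicit imports with wildcards (`java.util.*`, `org.apache.spark.sql.connector.catalog.*`, `com.exasol.spark.common.*`). This hides where `Column` and `CatalogV2Util` come from and can make a simple name ambiguous once one of those packages gains a class of the same name. Keep the explicit imports and add only the two new ones, presumably `import org.apache.spark.sql.connector.catalog.CatalogV2Util;` and `import org.apache.spark.sql.connector.catalog.Column;`.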
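Review bot: `@SuppressWarnings("deprecation")` on `schema()` has no explanation. Since the same commit turns on `-Xlint:all` and `-Werror` in `pom.xml`, a reader cannot tell which deprecation is being silenced or when the annotation can be removed. Put a comment above it, for example `// Table#schema() is deprecated in favour of columns(); still implemented because this Spark version requires it`, assuming that is the reason; please confirm against Spark 3.5.1. `capabilities()` in the same hunk returns the field itself. If that field is the mutable `HashSet` suggested by the old imports (its construction is outside the hunk), returning `Collections.unmodifiableSet(this.capabilities)` would stop callers from altering the table's declared capabilities. The class body continues outside the hunk.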