exasol · Shmuma · Jun 3, 2024 · Jun 3, 2024 · Jun 3, 2024 · Jun 3, 2024
diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml
diff --git a/dependencies.md b/dependencies.md
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
diff --git a/doc/changes/changes_2.1.6.md b/doc/changes/changes_2.1.6.md
@@ -0,0 +1,29 @@
+# Exasol AWS Glue Connector 2.1.6, released 2024-06-03
+
+Code name: CVEs fixes
+
+## Summary
+Fixed CVE-2024-36114 in io.airlift:aircompressor (dependency of spark-sql).
+Fixed CVE-2023-33546 in org.codehaus.janino:janino:jar:3.1.9 (previously excluded).
+Fixed CVE-2023-52428 in com.nimbusds:nimbus-jose-jwt:jar:9.8.1 (previously excluded).
+Bunch of CVEs in org.bouncycastle:bcprov-jdk15on were excluded.
+
+## Features
+
+* #106: CVE-2024-36114: io.airlift:aircompressor:jar:0.25:provided
+* #100: CVE-2023-33201: org.bouncycastle:bcprov-jdk15on:jar:1.70:provided
+* #101: CVE-2023-33202: org.bouncycastle:bcprov-jdk15on:jar:1.70:provided
+* #102: CVE-2024-29857: org.bouncycastle:bcprov-jdk15on:jar:1.70:provided
+* #103: CVE-2024-30171: org.bouncycastle:bcprov-jdk15on:jar:1.70:provided
+* #104: CVE-2024-34447: org.bouncycastle:bcprov-jdk15on:jar:1.70:provided
+
+## Dependency Updates
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:2.0.2` to `2.0.3`
+* Updated `com.exasol:project-keeper-maven-plugin:4.3.0` to `4.3.2`
+* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.4.1` to `3.5.0`
+* Updated `org.apache.maven.plugins:maven-jar-plugin:3.3.0` to `3.4.1`
+* Updated `org.apache.maven.plugins:maven-toolchains-plugin:3.1.0` to `3.2.0`
+* Updated `org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922` to `4.0.0.4121`
diff --git a/doc/developers_guide/developers_guide.md b/doc/developers_guide/developers_guide.md
@@ -40,11 +40,11 @@ To test connector by creating a custom connector, please follow these steps.
 
 ### Creating an Assembly Jar
 
-By running `mvn verify` or `mvn package` create a connector artifact. For example, `target/exasol-glue-connector-2.1.5-assembly.jar`.
+By running `mvn verify` or `mvn package` create a connector artifact. For example, `target/exasol-glue-connector-2.1.6-assembly.jar`.
 
 ### Uploading the Artifact to S3 Bucket
 
-Upload the JAR artifact from previous step into an S3 bucket. For instance, `s3://exasol-artifacts/glue-connector/exasol-glue-connector-2.1.5-assembly.jar`.
+Upload the JAR artifact from previous step into an S3 bucket. For instance, `s3://exasol-artifacts/glue-connector/exasol-glue-connector-2.1.6-assembly.jar`.
 
 ### Creating a Glue Studio Custom Connector
 

diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
diff --git a/pom.xml b/pom.xml
@@ -3,14 +3,14 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.exasol</groupId>
     <artifactId>glue-connector</artifactId>
-    <version>2.1.5</version>
+    <version>2.1.6</version>
     <name>Exasol AWS Glue Connector</name>
     <description>An AWS Glue connector for accessing Exasol database</description>
     <url>https://github.com/exasol/glue-connector/</url>
     <parent>
         <artifactId>glue-connector-generated-parent</artifactId>
         <groupId>com.exasol</groupId>
-        <version>2.1.5</version>
+        <version>2.1.6</version>
         <relativePath>pk_generated_parent.pom</relativePath>
     </parent>
     <properties>
@@ -103,6 +103,10 @@
                     <groupId>org.slf4j</groupId>
                     <artifactId>jcl-over-slf4j</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>io.airlift</groupId>
+                    <artifactId>aircompressor</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <!-- Override version 3.6.3 of transitive dependency via org.apache.spark:spark-sql_2.12
@@ -195,6 +199,18 @@
                     <groupId>org.slf4j</groupId>
                     <artifactId>slf4j-reload4j</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.codehaus.janino</groupId>
+                    <artifactId>janino</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.codehaus.janino</groupId>
+                    <artifactId>commons-compiler</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.nimbusds</groupId>
+                    <artifactId>nimbus-jose-jwt</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -204,6 +220,32 @@
             <version>2.10.1</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <!-- Fix CVE-2024-36114 in transitive dependency of spark-sql -->
+            <groupId>io.airlift</groupId>
+            <artifactId>aircompressor</artifactId>
+            <version>0.27</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <!-- Fix CVE-2023-52428 in transitive dependency of hadoop-client -->
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>9.39.3</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.codehaus.janino</groupId>
+            <artifactId>janino</artifactId>
+            <version>3.1.12</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.codehaus.janino</groupId>
+            <artifactId>commons-compiler</artifactId>
+            <version>3.1.12</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.hadoop</groupId>
             <artifactId>hadoop-aws</artifactId>
@@ -374,10 +416,6 @@
                     <groupId>org.bouncycastle</groupId>
                     <artifactId>bcprov-ext-jdk15on</artifactId>
                 </exclusion>
-                <exclusion>
-                    <groupId>org.bouncycastle</groupId>
-                    <artifactId>bcprov-jdk15on</artifactId>
-                </exclusion>
                 <exclusion>
                     <groupId>org.codehaus.jackson</groupId>
                     <artifactId>*</artifactId>
@@ -498,7 +536,7 @@
             <plugin>
                 <groupId>com.exasol</groupId>
                 <artifactId>project-keeper-maven-plugin</artifactId>
-                <version>4.3.0</version>
+                <version>4.3.2</version>
                 <executions>
                     <execution>
                         <goals>
@@ -639,29 +677,18 @@
                 <configuration>
                     <skip>${ossindex.skip}</skip>
                     <excludeVulnerabilityIds>
-                        <!-- Ignore vulnerability reported for transitive
-                             dependency org.codehaus.janino:janino:jar:3.1.9
-                             via org.apache.spark:spark-sql_2.12 Please note:
-                             janino is not included in the released artifact,
-                             but 'provided' by the runtime Spark cluster.
-                        -->
-                        <exclude>CVE-2023-33546</exclude>
-                        <!-- Ignore vulnerability reported for transitive
-                             dependency com.nimbusds:nimbus-jose-jwt:jar:9.8.1
-                             via org.apache.hadoop:hadoop-client:jar:3.3.6
-                             Please note: nimbus-jose-jwt is not included in
-                             the released artifact, but 'provided' by the
-                             runtime Spark cluster.
-                        -->
-                        <exclude>CVE-2023-52428</exclude>
-
                         <!-- Ignore vulnerabilities from org.bouncycastle:bcprov-jdk15on:jar:1.70:provided via org.apache.hadoop:hadoop-client.
                              This is a "provided" library that is not included in the built JAR and must be fixed in the runtime environment. -->
                         <exclude>CVE-2023-33201</exclude>
                         <exclude>CVE-2023-33202</exclude>
                         <exclude>CVE-2024-29857</exclude>
                         <exclude>CVE-2024-30171</exclude>
                         <exclude>CVE-2024-30172</exclude>
+                        <exclude>CVE-2023-33201</exclude>
+                        <exclude>CVE-2023-33202</exclude>
+                        <exclude>CVE-2024-29857</exclude>
+                        <exclude>CVE-2024-30171</exclude>
+                        <exclude>CVE-2024-34447</exclude>
                     </excludeVulnerabilityIds>
                 </configuration>
             </plugin>

diff --git a/release_config.yml b/release_config.yml