diff --git a/.gitattributes b/.gitattributes index b93bb8d..9064858 100644 --- a/.gitattributes +++ b/.gitattributes @@ -4,6 +4,9 @@ pk_generated_parent.pom linguist-genera .github/workflows/broken_links_checker.yml linguist-generated=true .github/workflows/ci-build-next-java.yml linguist-generated=true .github/workflows/dependencies_check.yml linguist-generated=true -.github/workflows/release_droid_prepare_original_checksum.yml linguist-generated=true .github/workflows/release_droid_print_quick_checksum.yml linguist-generated=true .github/workflows/release_droid_release_on_maven_central.yml linguist-generated=true +.github/workflows/release_droid_upload_github_release_assets.yml linguist-generated=true + +.settings/org.eclipse.jdt.core.prefs linguist-generated=true +.settings/org.eclipse.jdt.ui.prefs linguist-generated=true diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml index c4ff3be..82ec1cd 100644 --- a/.github/workflows/broken_links_checker.yml +++ b/.github/workflows/broken_links_checker.yml @@ -15,16 +15,18 @@ jobs: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Configure broken links checker run: | mkdir -p ./target echo '{"aliveStatusCodes": [429, 200], "ignorePatterns": [' \ '{"pattern": "^https?://(www|dev).mysql.com/"},' \ '{"pattern": "^https?://(www.)?opensource.org"}' \ + '{"pattern": "^https?://(www.)?eclipse.org"}' \ + '{"pattern": "^https?://projects.eclipse.org"}' \ ']}' > ./target/broken_links_checker.json - uses: gaurav-nelson/github-action-markdown-link-check@v1 with: - use-quiet-mode: 'yes' - use-verbose-mode: 'yes' + use-quiet-mode: "yes" + use-verbose-mode: "yes" config-file: ./target/broken_links_checker.json diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml index e0c15cf..7cbab08 100644 --- a/.github/workflows/ci-build-next-java.yml 
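Review bot: The third-party action `gaurav-nelson/github-action-markdown-link-check@v1` in the broken_links_checker.yml hunk is still referenced by a mutable major tag while `actions/checkout` is bumped to `@v4` in the same step list, so the checker's code can change underneath this workflow without any commit here; pin it to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: gaurav-nelson/github-action-markdown-link-check@<commit-sha> # v1` (placeholder, fill in the SHA of the v1 release you verified). The two new ignore patterns follow the existing entries in leaving `.` unescaped, which is harmless for an ignore list but worth knowing if the patterns are ever reused as allow-lists. Indentation of the hunk has been lost in this rendering, so step placement is inferred from the markers.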
+++ b/.github/workflows/ci-build-next-java.yml @@ -14,15 +14,15 @@ jobs: cancel-in-progress: true steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 17 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 17 - cache: 'maven' + cache: "maven" - name: Run tests and build with Maven run: | mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \ diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index e520870..4d3ebab 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -8,21 +8,27 @@ on: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true steps: + - name: Free Disk Space + run: | + sudo rm -rf /usr/local/lib/android + sudo rm -rf /usr/share/dotnet - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 + - name: Set up JDK 11 & 17 uses: actions/setup-java@v3 with: - distribution: 'temurin' - java-version: 11 - cache: 'maven' + distribution: "temurin" + java-version: | + 17 + 11 + cache: "maven" - name: Cache SonarCloud packages uses: actions/cache@v3 with: @@ -33,7 +39,7 @@ jobs: run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - name: Run tests and build with Maven run: | - mvn --batch-mode clean verify \ + JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false - name: Publish Test Report 
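Review bot: The `runs-on: ubuntu-20.04` pin in the ci-build.yml hunk is a workaround whose comment records the symptom but nothing that would prompt revisiting it, and the same pin plus the identical `Free Disk Space` step are repeated in release_droid_prepare_original_checksum.yml (hunk at `@@ -5,18 +5,22 @@`), so the drift from the project-keeper template is now carried in two places. Extend the comment on both lines to `# UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest; tracked in <tracking-issue-url>, revisit before GitHub retires the 20.04 image` (placeholder for the issue link). For the multi-line `java-version` block, setup-java documents which listed entry becomes the default `JAVA_HOME`; since every `mvn` step below now sets `JAVA_HOME` explicitly, a one-line comment such as `# default JAVA_HOME is not relied on; each mvn step selects its JDK via JAVA_HOME_<n>_X64` would save the next reader looking it up (verify the ordering rule against the setup-java version in use).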
@@ -44,12 +50,12 @@ jobs: - name: Sonar analysis if: ${{ env.SONAR_TOKEN != null }} run: | - mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ + JAVA_HOME=$JAVA_HOME_17_X64 mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false \ -Dsonar.organization=exasol \ -Dsonar.host.url=https://sonarcloud.io \ - -Dsonar.login=$SONAR_TOKEN + -Dsonar.token=$SONAR_TOKEN env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} \ No newline at end of file + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml index b2ab231..3059964 100644 --- a/.github/workflows/dependencies_check.yml +++ b/.github/workflows/dependencies_check.yml @@ -9,12 +9,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Checking dependencies for vulnerabilities - run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml \ No newline at end of file + run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml index 4a980f8..843604c 100644 --- a/.github/workflows/release_droid_prepare_original_checksum.yml +++ b/.github/workflows/release_droid_prepare_original_checksum.yml 
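Review bot: The Sonar token is still passed to the scanner on the command line (`-Dsonar.token=$SONAR_TOKEN`), so it is visible in the runner's process argument list and to anything that echoes the mvn invocation, while the very same value is already exported as `SONAR_TOKEN` in the step's `env` block. If the sonar-maven-plugin version this project resolves reads the `SONAR_TOKEN` environment variable (recent scanner releases do; confirm for the pinned plugin version), drop the `-Dsonar.token=$SONAR_TOKEN` argument and let the env entry alone supply the credential. Renaming `sonar.login` to `sonar.token` is the right direction; the remaining gap is only how the secret reaches the process.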
@@ -5,18 +5,22 @@ on: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest steps: + - name: Free Disk Space + run: | + sudo rm -rf /usr/local/lib/android + sudo rm -rf /usr/share/dotnet - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Enable testcontainer reuse run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - name: Run tests and build with Maven @@ -28,4 +32,4 @@ jobs: with: name: original_checksum retention-days: 5 - path: original_checksum \ No newline at end of file + path: original_checksum diff --git a/.github/workflows/release_droid_print_quick_checksum.yml b/.github/workflows/release_droid_print_quick_checksum.yml index 8add957..aed4444 100644 --- a/.github/workflows/release_droid_print_quick_checksum.yml +++ b/.github/workflows/release_droid_print_quick_checksum.yml @@ -8,17 +8,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests - name: Print checksum run: echo 'checksum_start==';find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + | xargs;echo '==checksum_end' - diff --git a/.github/workflows/release_droid_release_on_maven_central.yml b/.github/workflows/release_droid_release_on_maven_central.yml index b467607..dfdbd6a 100644 --- a/.github/workflows/release_droid_release_on_maven_central.yml +++ b/.github/workflows/release_droid_release_on_maven_central.yml 
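Review bot: The unquoted glob in `find target -maxdepth 1 -name *.jar` on the `Print checksum` line of release_droid_print_quick_checksum.yml is expanded by the shell before `find` runs whenever a `*.jar` file exists in the working directory, turning the pattern into a literal file name (or, with several matches, a `find` usage error), so quote it: `find target -maxdepth 1 -name '*.jar' -exec sha256sum "{}" + | xargs`. The line is context rather than new code, but the checksum this step prints is what the release tooling compares against, so a silently empty or wrong list is worth fixing while the file is being touched.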
@@ -8,15 +8,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Maven Central Repository uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" server-id: ossrh server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD @@ -27,4 +27,4 @@ jobs: env: MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }} MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} \ No newline at end of file + MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} diff --git a/.github/workflows/release_droid_upload_github_release_assets.yml b/.github/workflows/release_droid_upload_github_release_assets.yml index 7350faf..7ae8bbb 100644 --- a/.github/workflows/release_droid_upload_github_release_assets.yml +++ b/.github/workflows/release_droid_upload_github_release_assets.yml @@ -4,7 +4,7 @@ on: workflow_dispatch: inputs: upload_url: - description: 'Assets upload URL' + description: "Assets upload URL" required: true jobs: @@ -12,15 +12,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests - name: Generate sha256sum files diff --git a/.gitignore b/.gitignore index cbd2afe..ea71e1a 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,8 @@ pom.xml.versionsBackup .classpath .project /.settings/org.eclipse.jdt.apt.core.prefs +/.settings/org.eclipse.core.resources.prefs +/.settings/org.eclipse.m2e.core.prefs # .settings : we need Eclipse settings for code formatter and clean-up rules target .cache 
diff --git a/.project-keeper.yml b/.project-keeper.yml index 28d3438..c6aee8f 100644 --- a/.project-keeper.yml +++ b/.project-keeper.yml @@ -5,4 +5,7 @@ sources: - maven_central - integration_tests linkReplacements: - - "https://github.com/hamcrest/JavaHamcrest/hamcrest-all|https://github.com/hamcrest/JavaHamcrest" \ No newline at end of file + - "https://github.com/hamcrest/JavaHamcrest/hamcrest-all|https://github.com/hamcrest/JavaHamcrest" +excludes: + - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'" + - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'" diff --git a/.settings/org.eclipse.core.resources.prefs b/.settings/org.eclipse.core.resources.prefs deleted file mode 100644 index cdfe4f1..0000000 --- a/.settings/org.eclipse.core.resources.prefs +++ /dev/null @@ -1,5 +0,0 @@ -eclipse.preferences.version=1 -encoding//src/main/java=UTF-8 -encoding//src/test/java=UTF-8 -encoding//src/test/resources=UTF-8 -encoding/=UTF-8 diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs index 8b5a9aa..bb40c3f 100644 --- a/.settings/org.eclipse.jdt.core.prefs +++ b/.settings/org.eclipse.jdt.core.prefs @@ -111,7 +111,7 @@ org.eclipse.jdt.core.compiler.problem.unusedPrivateMember=warning org.eclipse.jdt.core.compiler.problem.unusedTypeParameter=ignore org.eclipse.jdt.core.compiler.problem.unusedWarningToken=warning org.eclipse.jdt.core.compiler.problem.varargsArgumentNeedCast=warning -org.eclipse.jdt.core.compiler.processAnnotations=enabled +org.eclipse.jdt.core.compiler.processAnnotations=disabled org.eclipse.jdt.core.compiler.release=disabled org.eclipse.jdt.core.compiler.source=11 org.eclipse.jdt.core.formatter.align_assignment_statements_on_columns=false diff --git a/.settings/org.eclipse.m2e.core.prefs b/.settings/org.eclipse.m2e.core.prefs deleted file mode 100644 index f897a7f..0000000 --- a/.settings/org.eclipse.m2e.core.prefs +++ /dev/null 
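Review bot: The two new `E-PK-CORE-18` excludes silence project-keeper's template check for `ci-build.yml` and `release_droid_prepare_original_checksum.yml` indefinitely, but nothing in this file records why the generated content is being overridden, so once the `ubuntu-20.04` workaround in those workflows is no longer needed the entries will quietly keep the drift from being reported. Add a comment above the list, e.g. `# Workflows pinned to ubuntu-20.04 as a UDF VM-crash workaround; drop these excludes once they are back on the template (see <tracking-issue-url>)` with the placeholder replaced by the real reference if one exists.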
@@ -1,4 +0,0 @@ -activeProfiles= -eclipse.preferences.version=1 -resolveWorkspaceProjects=true -version=1 diff --git a/dependencies.md b/dependencies.md index 3b9c4a4..bea09b3 100644 --- a/dependencies.md +++ b/dependencies.md @@ -11,7 +11,7 @@ | [BucketFS Java][7] | [MIT License][8] | | [exasol-test-setup-abstraction-java][9] | [MIT License][10] | | [Apache Commons Compress][11] | [Apache-2.0][12] | -| [SLF4J JDK14 Binding][13] | [MIT License][14] | +| [SLF4J JDK14 Provider][13] | [MIT License][14] | ## Test Dependencies @@ -48,7 +48,7 @@ | [Versions Maven Plugin][41] | [Apache License, Version 2.0][12] | | [duplicate-finder-maven-plugin Maven Mojo][42] | [Apache License 2.0][43] | | [Apache Maven Deploy Plugin][44] | [Apache-2.0][12] | -| [Apache Maven GPG Plugin][45] | [Apache License, Version 2.0][12] | +| [Apache Maven GPG Plugin][45] | [Apache-2.0][12] | | [Apache Maven Source Plugin][46] | [Apache License, Version 2.0][12] | | [Apache Maven Javadoc Plugin][47] | [Apache-2.0][12] | | [Nexus Staging Maven Plugin][48] | [Eclipse Public License][49] | @@ -85,7 +85,7 @@ [20]: http://www.opensource.org/licenses/bsd-license.php [21]: https://github.com/exasol/exasol-testcontainers/ [22]: https://github.com/exasol/exasol-testcontainers/blob/main/LICENSE -[23]: https://testcontainers.org +[23]: https://java.testcontainers.org [24]: http://opensource.org/licenses/MIT [25]: https://github.com/exasol/test-db-builder-java/ [26]: https://github.com/exasol/test-db-builder-java/blob/main/LICENSE 
@@ -104,7 +104,7 @@ [39]: https://sonatype.github.io/ossindex-maven/maven-plugin/ [40]: https://maven.apache.org/surefire/maven-surefire-plugin/ [41]: https://www.mojohaus.org/versions/versions-maven-plugin/ -[42]: https://github.com/basepom/duplicate-finder-maven-plugin +[42]: https://basepom.github.io/duplicate-finder-maven-plugin [43]: http://www.apache.org/licenses/LICENSE-2.0.html [44]: https://maven.apache.org/plugins/maven-deploy-plugin/ [45]: https://maven.apache.org/plugins/maven-gpg-plugin/ diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index d96483a..c404b40 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [0.6.11](changes_0.6.11.md) * [0.6.10](changes_0.6.10.md) * [0.6.9](changes_0.6.9.md) * [0.6.8](changes_0.6.8.md) diff --git a/doc/changes/changes_0.6.11.md b/doc/changes/changes_0.6.11.md new file mode 100644 index 0000000..a4bf90d --- /dev/null +++ b/doc/changes/changes_0.6.11.md 
@@ -0,0 +1,46 @@ +# Udf Debugging Java 0.6.11, released 2023-09-26 + +Code name: Fix CVE-2023-42503 + +## Summary + +This release fixes CVE-2023-42503 in `org.apache.commons:commons-compress` by upgrading dependencies. + +**Known issue:** Transitive dependency `io.netty:netty-handler` used by `software.amazon.awssdk:cloudformation` in scope `provided` contains vulnerability CVE-2023-4586. We assume that the AWS SDK's usage of netty is not affected. + +## Security + +* #61: Fixed CVE-2023-42503 in `org.apache.commons:commons-compress` + +## Dependency Updates + +### Compile Dependency Updates + +* Updated `org.apache.commons:commons-compress:1.23.0` to `1.24.0` +* Updated `org.slf4j:slf4j-jdk14:2.0.7` to `2.0.9` + +### Runtime Dependency Updates + +* Updated `org.eclipse.parsson:parsson:1.1.2` to `1.1.4` + +### Test Dependency Updates + +* Updated `com.exasol:exasol-testcontainers:6.6.0` to `6.6.2` +* Updated `com.exasol:test-db-builder-java:3.4.2` to `3.5.0` +* Updated `org.junit.jupiter:junit-jupiter-engine:5.9.3` to `5.10.0` +* Updated `org.junit.jupiter:junit-jupiter-params:5.9.3` to `5.10.0` +* Updated `org.mockito:mockito-junit-jupiter:5.4.0` to `5.5.0` +* Updated `org.testcontainers:junit-jupiter:1.18.3` to `1.19.0` + +### Plugin Dependency Updates + +* Updated `com.exasol:error-code-crawler-maven-plugin:1.2.3` to `1.3.0` +* Updated `com.exasol:project-keeper-maven-plugin:2.9.7` to `2.9.12` +* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.3.0` to `3.4.0` +* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.0.0` to `3.1.2` +* Updated `org.apache.maven.plugins:maven-gpg-plugin:3.0.1` to `3.1.0` +* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.0.0` to `3.1.2` +* Updated `org.basepom.maven:duplicate-finder-maven-plugin:1.5.1` to `2.0.1` +* Updated `org.codehaus.mojo:flatten-maven-plugin:1.4.1` to `1.5.0` +* Updated `org.codehaus.mojo:versions-maven-plugin:2.15.0` to `2.16.0` +* Updated `org.jacoco:jacoco-maven-plugin:0.8.9` to 
`0.8.10` diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index cff79e0..4c5de41 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,7 +3,7 @@ 4.0.0 com.exasol udf-debugging-java-generated-parent - 0.6.10 + 0.6.11 pom UTF-8 @@ -62,7 +62,7 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.3.0 + 3.4.0 enforce-maven @@ -82,7 +82,7 @@ org.codehaus.mojo flatten-maven-plugin - 1.4.1 + 1.5.0 true oss @@ -121,7 +121,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.0.0 + 3.1.2 @@ -132,7 +132,7 @@ org.codehaus.mojo versions-maven-plugin - 2.15.0 + 2.16.0 display-updates @@ -150,7 +150,7 @@ org.basepom.maven duplicate-finder-maven-plugin - 1.5.1 + 2.0.1 default @@ -168,7 +168,6 @@ true true false - true true false @@ -184,7 +183,7 @@ org.apache.maven.plugins maven-gpg-plugin - 3.0.1 + 3.1.0 sign-artifacts @@ -204,6 +203,9 @@ org.apache.maven.plugins maven-source-plugin + 3.2.1 @@ -258,7 +260,7 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.0.0 + 3.1.2 @@ -279,7 +281,7 @@ org.jacoco jacoco-maven-plugin - 0.8.9 + 0.8.10 prepare-agent @@ -320,7 +322,7 @@ com.exasol error-code-crawler-maven-plugin - 1.2.3 + 1.3.0 verify diff --git a/pom.xml b/pom.xml index 9b6ab6e..95a8455 100644 --- a/pom.xml +++ b/pom.xml @@ -1,15 +1,13 @@ - + 4.0.0 udf-debugging-java - 0.6.10 + 0.6.11 udf-debugging-java Utilities for debugging, profiling and code coverage measure for UDFs. https://github.com/exasol/udf-debugging-java/ - 5.9.3 + 5.10.0 0.8.10 @@ -21,7 +19,7 @@ org.eclipse.parsson parsson - 1.1.2 + 1.1.4 runtime @@ -49,19 +47,17 @@ com.exasol exasol-test-setup-abstraction-java - 2.0.2 + 2.0.3 provided org.apache.commons commons-compress - 1.23.0 + 1.24.0 @@ -79,7 +75,7 @@ org.mockito mockito-junit-jupiter - 5.4.0 + 5.5.0 test @@ -92,19 +88,19 @@ com.exasol exasol-testcontainers - 6.6.0 + 6.6.2 test org.testcontainers junit-jupiter - 1.18.3 + 1.19.0 test com.exasol test-db-builder-java - 3.4.2 + 3.5.0 test 
@@ -117,7 +113,7 @@ org.slf4j slf4j-jdk14 - 2.0.7 + 2.0.9 @@ -143,7 +139,7 @@ com.exasol project-keeper-maven-plugin - 2.9.7 + 2.9.12 @@ -157,13 +153,14 @@ ossindex-maven-plugin - + CVE-2020-36641 + + CVE-2023-4586 @@ -172,7 +169,7 @@ udf-debugging-java-generated-parent com.exasol - 0.6.10 + 0.6.11 pk_generated_parent.pom
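Review bot: The new ossindex exclusion for `CVE-2023-4586` in the `@@ -157,13 +153,14 @@` hunk carries no justification next to it in the pom, so the reasoning that currently lives only in `doc/changes/changes_0.6.11.md` (netty-handler reached through `software.amazon.awssdk:cloudformation` in `provided` scope, assumed unaffected) will be lost the next time someone audits the exclusion list; the pre-existing `CVE-2020-36641` entry has the same problem. Add an XML comment per entry, e.g. `<!-- CVE-2023-4586: io.netty:netty-handler via awssdk cloudformation (provided scope); assumed not reachable, see doc/changes/changes_0.6.11.md; re-check on the next AWS SDK bump -->`, so the suppression has a stated removal condition rather than being permanent. The XML element names are not visible in this rendering of the hunk, so the exact placement of the comment is inferred.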