From ad73910b55b925be0f369ea3f394e1eefb347251 Mon Sep 17 00:00:00 2001
From: ckunki
Date: Mon, 18 Nov 2024 11:23:36 +0100
Subject: [PATCH] #50: Fixed vulnerability CVE-2024-47535
---
 .github/workflows/broken_links_checker.yml | 2 +
 .github/workflows/ci-build-next-java.yml | 52 ++++----
 .github/workflows/ci-build.yml | 7 +-
 .github/workflows/dependencies_check.yml | 2 +-
 .github/workflows/dependencies_update.yml | 16 +--
 .github/workflows/release.yml | 4 +-
 .settings/org.eclipse.jdt.core.prefs | 28 +++--
 .settings/org.eclipse.jdt.ui.prefs | 6 +
 dependencies.md | 111 ++++++++++--------
 doc/changes/changelog.md | 1 +
 doc/changes/changes_3.0.3.md | 55 +++++++++
 doc/user_guide/oracle_user_guide.md | 2 +-
 pk_generated_parent.pom | 57 +++++++--
 pom.xml | 28 ++---
 .../oracle/IntegrationTestConstants.java | 2 +-
 15 files changed, 239 insertions(+), 134 deletions(-)
 create mode 100644 doc/changes/changes_3.0.3.md
diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml
index d7a38b4..39612b7 100644
--- a/.github/workflows/broken_links_checker.yml
+++ b/.github/workflows/broken_links_checker.yml
@@ -13,6 +13,8 @@ on:
 jobs: linkChecker: runs-on: ubuntu-latest
+ permissions:
+ contents: read
 defaults: run: shell: "bash"
diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml
index 8886e10..712a7cb 100644
--- a/.github/workflows/ci-build-next-java.yml
+++ b/.github/workflows/ci-build-next-java.yml
@@ -1,43 +1,39 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/ci-build-next-java.yml +# This file was generated by Project Keeper. name: CI Build next Java on: push: - branches: - - main - pull_request: - + branches: [ + main + ] + + pull_request: null jobs: - java-17-compatibility: + next-java-compatibility: runs-on: ubuntu-latest defaults: - run: - shell: "bash" - permissions: + run: { + shell: bash + } + permissions: { contents: read - checks: write # Allow scacap/action-surefire-report - concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + } + concurrency: { + group: '${{ github.workflow }}-${{ github.ref }}', cancel-in-progress: true + } steps: - name: Checkout the repository uses: actions/checkout@v4 - with: + with: { fetch-depth: 0 + } - name: Set up JDK 17 uses: actions/setup-java@v4 - with: - distribution: "temurin" - java-version: 17 - cache: "maven" - - name: Run tests and build with Maven + with: { + distribution: temurin, + java-version: '17', + cache: maven + } + - name: Run tests and build with Maven 17 run: | - mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \ - -Djava.version=17 \ - -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn - - name: Publish Test Report for Java 17 - uses: scacap/action-surefire-report@v1 - if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }} - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - fail_if_no_tests: false + mvn --batch-mode clean package -DtrimStackTrace=false -Djava.version=17 diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index 1fc36f3..92d512b 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml 
@@ -15,8 +15,7 @@ jobs: shell: bash } permissions: { - contents: read, - checks: write + contents: read } concurrency: { group: '${{ github.workflow }}-${{ github.ref }}-${{ matrix.exasol_db_version }}', @@ -51,7 +50,7 @@ jobs: uses: actions/setup-java@v4 with: distribution: temurin - java-version: | + java-version: |- 11 17 cache: maven @@ -128,7 +127,7 @@ jobs: uses: actions/setup-java@v4 with: distribution: temurin - java-version: | + java-version: |- 11 17 cache: maven diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml index 9c2365c..02c5aa0 100644 --- a/.github/workflows/dependencies_check.yml +++ b/.github/workflows/dependencies_check.yml @@ -35,7 +35,7 @@ jobs: uses: actions/setup-java@v4 with: distribution: temurin - java-version: | + java-version: |- 11 17 cache: maven diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml index 9f536ee..c901506 100644 --- a/.github/workflows/dependencies_update.yml +++ b/.github/workflows/dependencies_update.yml @@ -35,7 +35,7 @@ jobs: uses: actions/setup-java@v4 with: distribution: temurin - java-version: | + java-version: |- 11 17 cache: maven @@ -61,14 +61,6 @@ jobs: env: { CREATED_ISSUES: '${{ inputs.vulnerability_issues }}' } - - name: Project Keeper Fix - id: project-keeper-fix - run: | - mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects . - - name: Project Keeper Fix for updated Project Keeper version - id: project-keeper-fix-2 - run: | - mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects . - name: Generate Pull Request comment id: pr-comment run: | 
@@ -81,7 +73,11 @@ jobs: echo 'It updates dependencies.' >> "$GITHUB_OUTPUT" fi echo >> "$GITHUB_OUTPUT" - echo '# ⚠️ This PR does not trigger CI workflows by default ⚠️' >> "$GITHUB_OUTPUT" + echo '# ⚠️ Notes ⚠️' >> "$GITHUB_OUTPUT" + echo '## Run PK fix manually' >> "$GITHUB_OUTPUT" + echo 'Due to restrictions workflow `dependencies_update.yml` cannot update other workflows, see https://github.com/exasol/project-keeper/issues/578 for details.' >> "$GITHUB_OUTPUT" + echo 'Please checkout this PR locally and run `mvn com.exasol:project-keeper-maven-plugin:fix --projects .`' >> "$GITHUB_OUTPUT" + echo '## This PR does not trigger CI workflows' >> "$GITHUB_OUTPUT" echo 'Please click the **Close pull request** button and then **Reopen pull request** to trigger running checks.' >> "$GITHUB_OUTPUT" echo 'See https://github.com/exasol/project-keeper/issues/534 for details.' >> "$GITHUB_OUTPUT" echo 'EOF' >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2a8bbf7..750fe45 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -52,7 +52,7 @@ jobs: uses: actions/setup-java@v4 with: distribution: temurin - java-version: | + java-version: |- 11 17 cache: maven @@ -67,7 +67,7 @@ jobs: uses: actions/setup-java@v4 with: distribution: temurin - java-version: | + java-version: |- 11 17 cache: maven diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs index bb40c3f..43365b0 100644 --- a/.settings/org.eclipse.jdt.core.prefs +++ b/.settings/org.eclipse.jdt.core.prefs 
@@ -1,15 +1,19 @@ eclipse.preferences.version=1 +org.eclipse.jdt.core.builder.annotationPath.allLocations=disabled org.eclipse.jdt.core.compiler.annotation.inheritNullAnnotations=disabled org.eclipse.jdt.core.compiler.annotation.missingNonNullByDefaultAnnotation=ignore -org.eclipse.jdt.core.compiler.annotation.nonnull=org.eclipse.jdt.annotation.NonNull +org.eclipse.jdt.core.compiler.annotation.nonnull=javax.annotation.Nonnull org.eclipse.jdt.core.compiler.annotation.nonnull.secondary= -org.eclipse.jdt.core.compiler.annotation.nonnullbydefault=org.eclipse.jdt.annotation.NonNullByDefault +org.eclipse.jdt.core.compiler.annotation.nonnullbydefault=javax.annotation.ParametersAreNonnullByDefault org.eclipse.jdt.core.compiler.annotation.nonnullbydefault.secondary= -org.eclipse.jdt.core.compiler.annotation.nullable=org.eclipse.jdt.annotation.Nullable +org.eclipse.jdt.core.compiler.annotation.notowning=org.eclipse.jdt.annotation.NotOwning +org.eclipse.jdt.core.compiler.annotation.nullable=javax.annotation.Nullable org.eclipse.jdt.core.compiler.annotation.nullable.secondary= -org.eclipse.jdt.core.compiler.annotation.nullanalysis=disabled +org.eclipse.jdt.core.compiler.annotation.nullanalysis=enabled +org.eclipse.jdt.core.compiler.annotation.owning=org.eclipse.jdt.annotation.Owning +org.eclipse.jdt.core.compiler.annotation.resourceanalysis=disabled org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled -org.eclipse.jdt.core.compiler.codegen.methodParameters=do not generate +org.eclipse.jdt.core.compiler.codegen.methodParameters=generate org.eclipse.jdt.core.compiler.codegen.targetPlatform=11 org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve org.eclipse.jdt.core.compiler.compliance=11 
@@ -17,6 +21,7 @@ org.eclipse.jdt.core.compiler.debug.lineNumber=generate org.eclipse.jdt.core.compiler.debug.localVariable=generate org.eclipse.jdt.core.compiler.debug.sourceFile=generate org.eclipse.jdt.core.compiler.problem.APILeak=warning +org.eclipse.jdt.core.compiler.problem.annotatedTypeArgumentToUnannotated=info org.eclipse.jdt.core.compiler.problem.annotationSuperInterface=warning org.eclipse.jdt.core.compiler.problem.assertIdentifier=error org.eclipse.jdt.core.compiler.problem.autoboxing=ignore @@ -39,8 +44,10 @@ org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning org.eclipse.jdt.core.compiler.problem.hiddenCatchBlock=warning org.eclipse.jdt.core.compiler.problem.includeNullInfoFromAsserts=disabled org.eclipse.jdt.core.compiler.problem.incompatibleNonInheritedInterfaceMethod=warning +org.eclipse.jdt.core.compiler.problem.incompatibleOwningContract=warning org.eclipse.jdt.core.compiler.problem.incompleteEnumSwitch=warning org.eclipse.jdt.core.compiler.problem.indirectStaticAccess=ignore +org.eclipse.jdt.core.compiler.problem.insufficientResourceAnalysis=warning org.eclipse.jdt.core.compiler.problem.localVariableHiding=ignore org.eclipse.jdt.core.compiler.problem.methodWithConstructorName=warning org.eclipse.jdt.core.compiler.problem.missingDefaultCase=ignore 
@@ -56,15 +63,15 @@ org.eclipse.jdt.core.compiler.problem.noImplicitStringConversion=warning org.eclipse.jdt.core.compiler.problem.nonExternalizedStringLiteral=ignore org.eclipse.jdt.core.compiler.problem.nonnullParameterAnnotationDropped=warning org.eclipse.jdt.core.compiler.problem.nonnullTypeVariableFromLegacyInvocation=warning -org.eclipse.jdt.core.compiler.problem.nullAnnotationInferenceConflict=error +org.eclipse.jdt.core.compiler.problem.nullAnnotationInferenceConflict=warning org.eclipse.jdt.core.compiler.problem.nullReference=warning -org.eclipse.jdt.core.compiler.problem.nullSpecViolation=error -org.eclipse.jdt.core.compiler.problem.nullUncheckedConversion=warning +org.eclipse.jdt.core.compiler.problem.nullSpecViolation=warning +org.eclipse.jdt.core.compiler.problem.nullUncheckedConversion=ignore org.eclipse.jdt.core.compiler.problem.overridingPackageDefaultMethod=warning org.eclipse.jdt.core.compiler.problem.parameterAssignment=ignore org.eclipse.jdt.core.compiler.problem.pessimisticNullAnalysisForFreeTypeVariables=warning org.eclipse.jdt.core.compiler.problem.possibleAccidentalBooleanAssignment=ignore -org.eclipse.jdt.core.compiler.problem.potentialNullReference=ignore +org.eclipse.jdt.core.compiler.problem.potentialNullReference=warning org.eclipse.jdt.core.compiler.problem.potentiallyUnclosedCloseable=ignore org.eclipse.jdt.core.compiler.problem.rawTypeReference=warning org.eclipse.jdt.core.compiler.problem.redundantNullAnnotation=warning 
@@ -78,7 +85,8 @@ org.eclipse.jdt.core.compiler.problem.specialParameterHidingField=disabled org.eclipse.jdt.core.compiler.problem.staticAccessReceiver=warning org.eclipse.jdt.core.compiler.problem.suppressOptionalErrors=disabled org.eclipse.jdt.core.compiler.problem.suppressWarnings=enabled -org.eclipse.jdt.core.compiler.problem.syntacticNullAnalysisForFields=disabled +org.eclipse.jdt.core.compiler.problem.suppressWarningsNotFullyAnalysed=info +org.eclipse.jdt.core.compiler.problem.syntacticNullAnalysisForFields=enabled org.eclipse.jdt.core.compiler.problem.syntheticAccessEmulation=ignore org.eclipse.jdt.core.compiler.problem.terminalDeprecation=warning org.eclipse.jdt.core.compiler.problem.typeParameterHiding=warning diff --git a/.settings/org.eclipse.jdt.ui.prefs b/.settings/org.eclipse.jdt.ui.prefs index 1add06a..54d02ac 100644 --- a/.settings/org.eclipse.jdt.ui.prefs +++ b/.settings/org.eclipse.jdt.ui.prefs @@ -76,6 +76,7 @@ sp_cleanup.add_missing_nls_tags=false sp_cleanup.add_missing_override_annotations=true sp_cleanup.add_missing_override_annotations_interface_methods=true sp_cleanup.add_serial_version_id=false +sp_cleanup.also_simplify_lambda=false sp_cleanup.always_use_blocks=true sp_cleanup.always_use_parentheses_in_expressions=true sp_cleanup.always_use_this_for_non_static_field_access=true @@ -130,6 +131,7 @@ sp_cleanup.one_if_rather_than_duplicate_blocks_that_fall_through=false sp_cleanup.operand_factorization=false sp_cleanup.organize_imports=true sp_cleanup.overridden_assignment=false +sp_cleanup.overridden_assignment_move_decl=false sp_cleanup.plain_replacement=false sp_cleanup.precompile_regex=false sp_cleanup.primitive_comparison=false 
@@ -159,10 +161,12 @@ sp_cleanup.remove_unnecessary_casts=true sp_cleanup.remove_unnecessary_nls_tags=true sp_cleanup.remove_unused_imports=true sp_cleanup.remove_unused_local_variables=false +sp_cleanup.remove_unused_method_parameters=false sp_cleanup.remove_unused_private_fields=true sp_cleanup.remove_unused_private_members=false sp_cleanup.remove_unused_private_methods=true sp_cleanup.remove_unused_private_types=true +sp_cleanup.replace_deprecated_calls=false sp_cleanup.return_expression=false sp_cleanup.simplify_lambda_expression_and_method_ref=false sp_cleanup.single_used_field=false @@ -174,6 +178,8 @@ sp_cleanup.strictly_equal_or_different=false sp_cleanup.stringbuffer_to_stringbuilder=false sp_cleanup.stringbuilder=false sp_cleanup.stringbuilder_for_local_vars=false +sp_cleanup.stringconcat_stringbuffer_stringbuilder=false +sp_cleanup.stringconcat_to_textblock=false sp_cleanup.substring=false sp_cleanup.switch=false sp_cleanup.system_property=false diff --git a/dependencies.md b/dependencies.md index dc3eff2..46e4187 100644 --- a/dependencies.md +++ b/dependencies.md @@ -17,7 +17,7 @@ | ----------------------------------------------- | ------------------------------------------------- | | [Maven Project Version Getter][6] | [MIT License][7] | | [Virtual Schema Common JDBC][0] | [MIT License][1] | -| [Hamcrest][8] | [BSD License 3][9] | +| [Hamcrest][8] | [BSD-3-Clause][9] | | [JUnit Jupiter (Aggregator)][10] | [Eclipse Public License v2.0][11] | | [mockito-junit-jupiter][12] | [MIT][13] | | [EqualsVerifier \| release normal jar][14] | [Apache License, Version 2.0][15] | @@ -31,7 +31,7 @@ | [Matcher for SQL Result Sets][28] | [MIT License][29] | | [virtual-schema-shared-integration-tests][30] | [MIT License][31] | | [Extension integration tests library][32] | [MIT License][33] | -| [JaCoCo :: Agent][34] | [Eclipse Public License 2.0][35] | +| [JaCoCo :: Agent][34] | [EPL-2.0][35] | ### Runtime Dependencies 
@@ -43,26 +43,30 @@
 | Dependency | License |
 | ------------------------------------------------------- | --------------------------------- |
-| [SonarQube Scanner for Maven][39] | [GNU LGPL 3][40] |
-| [Apache Maven Toolchains Plugin][41] | [Apache License, Version 2.0][15] |
-| [Apache Maven Compiler Plugin][42] | [Apache-2.0][15] |
-| [Apache Maven Enforcer Plugin][43] | [Apache-2.0][15] |
-| [Maven Flatten Plugin][44] | [Apache Software Licenese][15] |
-| [org.sonatype.ossindex.maven:ossindex-maven-plugin][45] | [ASL2][46] |
-| [Maven Surefire Plugin][47] | [Apache-2.0][15] |
-| [Versions Maven Plugin][48] | [Apache License, Version 2.0][15] |
-| [duplicate-finder-maven-plugin Maven Mojo][49] | [Apache License 2.0][50] |
-| [Project Keeper Maven plugin][51] | [The MIT License][52] |
-| [Apache Maven Assembly Plugin][53] | [Apache-2.0][15] |
-| [Apache Maven JAR Plugin][54] | [Apache License, Version 2.0][15] |
-| [Artifact reference checker and unifier][55] | [MIT License][56] |
-| [Apache Maven Dependency Plugin][57] | [Apache-2.0][15] |
-| [Maven Failsafe Plugin][58] | [Apache-2.0][15] |
-| [JaCoCo :: Maven Plugin][59] | [EPL-2.0][35] |
-| [error-code-crawler-maven-plugin][60] | [MIT License][61] |
-| [Reproducible Build Maven Plugin][62] | [Apache 2.0][46] |
-| [Apache Maven Clean Plugin][63] | [Apache-2.0][15] |
-| [Exec Maven Plugin][64] | [Apache License 2][15] |
+| [Apache Maven Clean Plugin][39] | [Apache-2.0][15] |
+| [Apache Maven Install Plugin][40] | [Apache-2.0][15] |
+| [Apache Maven Resources Plugin][41] | [Apache-2.0][15] |
+| [Apache Maven Site Plugin][42] | [Apache License, Version 2.0][15] |
+| [SonarQube Scanner for Maven][43] | [GNU LGPL 3][44] |
+| [Apache Maven Toolchains Plugin][45] | [Apache-2.0][15] |
+| [Apache Maven Compiler Plugin][46] | [Apache-2.0][15] |
+| [Apache Maven Enforcer Plugin][47] | [Apache-2.0][15] |
+| [Maven Flatten Plugin][48] | [Apache Software Licenese][15] |
+| 
[org.sonatype.ossindex.maven:ossindex-maven-plugin][49] | [ASL2][50] |
+| [Maven Surefire Plugin][51] | [Apache-2.0][15] |
+| [Versions Maven Plugin][52] | [Apache License, Version 2.0][15] |
+| [duplicate-finder-maven-plugin Maven Mojo][53] | [Apache License 2.0][54] |
+| [Project Keeper Maven plugin][55] | [The MIT License][56] |
+| [Apache Maven Assembly Plugin][57] | [Apache-2.0][15] |
+| [Apache Maven JAR Plugin][58] | [Apache-2.0][15] |
+| [Artifact reference checker and unifier][59] | [MIT License][60] |
+| [Apache Maven Dependency Plugin][61] | [Apache-2.0][15] |
+| [Maven Failsafe Plugin][62] | [Apache-2.0][15] |
+| [JaCoCo :: Maven Plugin][63] | [EPL-2.0][35] |
+| [Quality Summarizer Maven Plugin][64] | [MIT License][65] |
+| [error-code-crawler-maven-plugin][66] | [MIT License][67] |
+| [Reproducible Build Maven Plugin][68] | [Apache 2.0][50] |
+| [Exec Maven Plugin][69] | [Apache License 2][15] |
 ## Extension
@@ -70,7 +74,7 @@
 | Dependency | License |
 | ----------------------------------------- | ------- |
-| [@exasol/extension-manager-interface][65] | MIT |
+| [@exasol/extension-manager-interface][70] | MIT |
 [0]: https://github.com/exasol/virtual-schema-common-jdbc/
 [1]: https://github.com/exasol/virtual-schema-common-jdbc/blob/main/LICENSE
@@ -81,7 +85,7 @@
 [6]: https://github.com/exasol/maven-project-version-getter/
 [7]: https://github.com/exasol/maven-project-version-getter/blob/main/LICENSE
 [8]: http://hamcrest.org/JavaHamcrest/
-[9]: http://opensource.org/licenses/BSD-3-Clause
+[9]: https://raw.githubusercontent.com/hamcrest/JavaHamcrest/master/LICENSE
 [10]: https://junit.org/junit5/
 [11]: https://www.eclipse.org/legal/epl-v20.html
 [12]: https://github.com/mockito/mockito
@@ -111,30 +115,35 @@
 [36]: https://github.com/eclipse-ee4j/jsonp
 [37]: https://projects.eclipse.org/license/epl-2.0
 [38]: https://projects.eclipse.org/license/secondary-gpl-2.0-cp
-[39]: http://sonarsource.github.io/sonar-scanner-maven/
-[40]: http://www.gnu.org/licenses/lgpl.txt
-[41]: https://maven.apache.org/plugins/maven-toolchains-plugin/
-[42]: https://maven.apache.org/plugins/maven-compiler-plugin/
-[43]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
-[44]: https://www.mojohaus.org/flatten-maven-plugin/
-[45]: https://sonatype.github.io/ossindex-maven/maven-plugin/
-[46]: http://www.apache.org/licenses/LICENSE-2.0.txt
-[47]: https://maven.apache.org/surefire/maven-surefire-plugin/
-[48]: https://www.mojohaus.org/versions/versions-maven-plugin/
-[49]: https://basepom.github.io/duplicate-finder-maven-plugin
-[50]: http://www.apache.org/licenses/LICENSE-2.0.html
-[51]: https://github.com/exasol/project-keeper/
-[52]: https://github.com/exasol/project-keeper/blob/main/LICENSE
-[53]: https://maven.apache.org/plugins/maven-assembly-plugin/
-[54]: https://maven.apache.org/plugins/maven-jar-plugin/
-[55]: https://github.com/exasol/artifact-reference-checker-maven-plugin/
-[56]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE
-[57]: https://maven.apache.org/plugins/maven-dependency-plugin/
-[58]: https://maven.apache.org/surefire/maven-failsafe-plugin/
-[59]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
-[60]: https://github.com/exasol/error-code-crawler-maven-plugin/
-[61]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
-[62]: http://zlika.github.io/reproducible-build-maven-plugin
-[63]: https://maven.apache.org/plugins/maven-clean-plugin/
-[64]: https://www.mojohaus.org/exec-maven-plugin
-[65]: https://registry.npmjs.org/@exasol/extension-manager-interface/-/extension-manager-interface-0.4.2.tgz
+[39]: https://maven.apache.org/plugins/maven-clean-plugin/
+[40]: 
https://maven.apache.org/plugins/maven-install-plugin/
+[41]: https://maven.apache.org/plugins/maven-resources-plugin/
+[42]: https://maven.apache.org/plugins/maven-site-plugin/
+[43]: http://sonarsource.github.io/sonar-scanner-maven/
+[44]: http://www.gnu.org/licenses/lgpl.txt
+[45]: https://maven.apache.org/plugins/maven-toolchains-plugin/
+[46]: https://maven.apache.org/plugins/maven-compiler-plugin/
+[47]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
+[48]: https://www.mojohaus.org/flatten-maven-plugin/
+[49]: https://sonatype.github.io/ossindex-maven/maven-plugin/
+[50]: http://www.apache.org/licenses/LICENSE-2.0.txt
+[51]: https://maven.apache.org/surefire/maven-surefire-plugin/
+[52]: https://www.mojohaus.org/versions/versions-maven-plugin/
+[53]: https://basepom.github.io/duplicate-finder-maven-plugin
+[54]: http://www.apache.org/licenses/LICENSE-2.0.html
+[55]: https://github.com/exasol/project-keeper/
+[56]: https://github.com/exasol/project-keeper/blob/main/LICENSE
+[57]: https://maven.apache.org/plugins/maven-assembly-plugin/
+[58]: https://maven.apache.org/plugins/maven-jar-plugin/
+[59]: https://github.com/exasol/artifact-reference-checker-maven-plugin/
+[60]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE
+[61]: https://maven.apache.org/plugins/maven-dependency-plugin/
+[62]: https://maven.apache.org/surefire/maven-failsafe-plugin/
+[63]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
+[64]: https://github.com/exasol/quality-summarizer-maven-plugin/
+[65]: https://github.com/exasol/quality-summarizer-maven-plugin/blob/main/LICENSE
+[66]: https://github.com/exasol/error-code-crawler-maven-plugin/
+[67]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
+[68]: http://zlika.github.io/reproducible-build-maven-plugin
+[69]: https://www.mojohaus.org/exec-maven-plugin
+[70]: https://registry.npmjs.org/@exasol/extension-manager-interface/-/extension-manager-interface-0.4.2.tgz
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index 82ebf63..026b00b 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
 # Changes
+* [3.0.3](changes_3.0.3.md)
 * [3.0.2](changes_3.0.2.md)
 * [3.0.1](changes_3.0.1.md)
 * [3.0.0](changes_3.0.0.md)
diff --git a/doc/changes/changes_3.0.3.md b/doc/changes/changes_3.0.3.md
new file mode 100644
index 0000000..546438a
--- /dev/null
+++ b/doc/changes/changes_3.0.3.md
@@ -0,0 +1,55 @@
+# Oracle Virtual Schema 3.0.3, released 2024-11-18
+
+Code name: Fixed vulnerability CVE-2024-47535 in io.netty:netty-common:jar:4.1.104.Final:test
+
+## Summary
+
+This release fixes the following vulnerability:
+
+### CVE-2024-47535 (CWE-400) in dependency `io.netty:netty-common:jar:4.1.104.Final:test`
+Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
+#### References
+* https://ossindex.sonatype.org/vulnerability/CVE-2024-47535?component-type=maven&component-name=io.netty%2Fnetty-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-47535
+* https://github.com/advisories/GHSA-xq3w-v528-46rv
+
+## Security
+
+* #50: Fixed vulnerability CVE-2024-47535 in dependency `io.netty:netty-common:jar:4.1.104.Final:test`
+## Dependency Updates
+
+### Virtual Schema for Oracle
+
+#### Test Dependency Updates
+
+* Updated `com.exasol:exasol-testcontainers:7.1.0` to `7.1.1`
+* Updated `com.exasol:extension-manager-integration-test-java:0.5.11` to `0.5.12`
+* Updated `com.exasol:hamcrest-resultset-matcher:1.6.5` to `1.7.0`
+* Updated `com.exasol:test-db-builder-java:3.5.4` to `3.6.0`
+* Updated `com.oracle.database.jdbc:ojdbc8:23.4.0.24.05` to `23.6.0.24.10`
+* Updated `nl.jqno.equalsverifier:equalsverifier:3.16.1` to `3.17.3`
+* Updated `org.hamcrest:hamcrest:2.2` to `3.0`
+* Updated `org.jacoco:org.jacoco.agent:0.8.11` to `0.8.12`
+* Updated `org.junit.jupiter:junit-jupiter:5.10.2` to `5.11.3`
+* Updated `org.mockito:mockito-junit-jupiter:5.11.0` to `5.14.2`
+* Updated 
`org.slf4j:slf4j-jdk14:2.0.13` to `2.0.16`
+* Updated `org.testcontainers:junit-jupiter:1.19.7` to `1.20.3`
+* Updated `org.testcontainers:oracle-xe:1.19.7` to `1.20.3`
+
+#### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:2.0.2` to `2.0.3`
+* Updated `com.exasol:project-keeper-maven-plugin:4.3.0` to `4.4.0`
+* Added `com.exasol:quality-summarizer-maven-plugin:0.2.0`
+* Updated `io.github.zlika:reproducible-build-maven-plugin:0.16` to `0.17`
+* Updated `org.apache.maven.plugins:maven-dependency-plugin:3.6.1` to `3.8.0`
+* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.4.1` to `3.5.0`
+* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.2.5` to `3.5.1`
+* Updated `org.apache.maven.plugins:maven-install-plugin:3.1.0` to `3.1.3`
+* Updated `org.apache.maven.plugins:maven-jar-plugin:3.3.0` to `3.4.2`
+* Updated `org.apache.maven.plugins:maven-resources-plugin:3.3.0` to `3.3.1`
+* Updated `org.apache.maven.plugins:maven-site-plugin:3.12.1` to `3.9.1`
+* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.2.5` to `3.5.1`
+* Updated `org.apache.maven.plugins:maven-toolchains-plugin:3.1.0` to `3.2.0`
+* Updated `org.codehaus.mojo:versions-maven-plugin:2.16.2` to `2.17.1`
+* Updated `org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922` to `4.0.0.4121`
diff --git a/doc/user_guide/oracle_user_guide.md b/doc/user_guide/oracle_user_guide.md
index c822eba..56b3f4e 100644
--- a/doc/user_guide/oracle_user_guide.md
+++ b/doc/user_guide/oracle_user_guide.md
@@ -48,7 +48,7 @@ The SQL statement below creates the adapter script, defines the Java class that
 ```sql CREATE JAVA ADAPTER SCRIPT ADAPTER.JDBC_ADAPTER AS %scriptclass com.exasol.adapter.RequestDispatcher;
- %jar /buckets///virtual-schema-dist-12.0.0-oracle-3.0.2.jar;
+ %jar /buckets///virtual-schema-dist-12.0.0-oracle-3.0.3.jar;
 %jar /buckets///ojdbc.jar; / ;
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index ff242e3..3ddb3ce 100644
--- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,7 +3,7 @@ 4.0.0 com.exasol oracle-virtual-schema-generated-parent - 3.0.2 + 3.0.3 pom UTF-8 @@ -37,22 +37,42 @@ org.jacoco org.jacoco.agent - 0.8.11 + 0.8.12 test runtime + + org.apache.maven.plugins + maven-clean-plugin + 3.4.0 + + + org.apache.maven.plugins + maven-install-plugin + 3.1.3 + + + org.apache.maven.plugins + maven-resources-plugin + 3.3.1 + + + org.apache.maven.plugins + maven-site-plugin + 3.9.1 + org.sonarsource.scanner.maven sonar-maven-plugin - 3.11.0.3922 + 4.0.0.4121 org.apache.maven.plugins maven-toolchains-plugin - 3.1.0 + 3.2.0 @@ -85,7 +105,7 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.4.1 + 3.5.0 enforce-maven @@ -147,7 +167,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.5 + 3.5.1 @@ -158,7 +178,7 @@ org.codehaus.mojo versions-maven-plugin - 2.16.2 + 2.17.1 display-updates @@ -238,7 +258,7 @@ org.apache.maven.plugins maven-jar-plugin - 3.3.0 + 3.4.2 default-jar @@ -262,7 +282,7 @@ org.apache.maven.plugins maven-dependency-plugin - 3.6.1 + 3.8.0 copy-jacoco @@ -282,7 +302,7 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.2.5 + 3.5.1 -Djava.util.logging.config.file=src/test/resources/logging.properties ${argLine} @@ -348,10 +368,23 @@ + + com.exasol + quality-summarizer-maven-plugin + 0.2.0 + + + summarize-metrics + + summarize + + + + com.exasol error-code-crawler-maven-plugin - 2.0.2 + 2.0.3 verify @@ -364,7 +397,7 @@ io.github.zlika reproducible-build-maven-plugin - 0.16 + 0.17 strip-jar diff --git a/pom.xml b/pom.xml index 1b2c5f5..e87151f 100644 --- a/pom.xml +++ b/pom.xml @@ -3,13 +3,13 @@ 4.0.0 com.exasol oracle-virtual-schema - 3.0.2 + 3.0.3 Virtual Schema for Oracle Virtual Schema for Oracle https://github.com/exasol/oracle-virtual-schema/ 12.0.0 - 1.19.7 + 1.20.3 src/main/,extension/src/ extension/src/*.test.ts 
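Review bot: The CVE-2024-47535 fix this commit claims rests entirely on the transitive dependency graph: no `io.netty` coordinate appears anywhere in the diff, so the vulnerable `netty-common:4.1.104.Final` (test scope) is presumably replaced only because the Testcontainers version moves from 1.19.7 to 1.20.3 in this hunk. Nothing in the commit pins or verifies the resolved Netty version, so a later test dependency that drags in an older `netty-common` would silently reintroduce the issue without any change to this file. Consider recording the expectation next to the property, e.g. `<!-- 1.20.3 or later required: resolves netty-common >= 4.1.115 (CVE-2024-47535) -->`, confirming with `mvn dependency:tree -Dincludes=io.netty` that the resolved version is at least 4.1.115, and managing the Netty version explicitly in `<dependencyManagement>` if it is not. The new changelog entry documents the CVE but not which direct dependency update resolves it; naming it there would make the fix auditable.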
@@ -51,38 +51,38 @@ org.hamcrest hamcrest - 2.2 + 3.0 test org.junit.jupiter junit-jupiter - 5.10.2 + 5.11.3 test org.mockito mockito-junit-jupiter - 5.11.0 + 5.14.2 test nl.jqno.equalsverifier equalsverifier - 3.16.1 + 3.17.3 test org.slf4j slf4j-jdk14 - 2.0.13 + 2.0.16 test com.exasol exasol-testcontainers - 7.1.0 + 7.1.1 test @@ -100,14 +100,14 @@ com.oracle.database.jdbc ojdbc8 - 23.4.0.24.05 + 23.6.0.24.10 test com.exasol test-db-builder-java - 3.5.4 + 3.6.0 test @@ -119,7 +119,7 @@ com.exasol hamcrest-resultset-matcher - 1.6.5 + 1.7.0 test @@ -139,7 +139,7 @@ com.exasol extension-manager-integration-test-java - 0.5.11 + 0.5.12 test @@ -158,7 +158,7 @@ com.exasol project-keeper-maven-plugin - 4.3.0 + 4.4.0 @@ -304,7 +304,7 @@ oracle-virtual-schema-generated-parent com.exasol - 3.0.2 + 3.0.3 pk_generated_parent.pom diff --git a/src/test/java/com/exasol/adapter/dialects/oracle/IntegrationTestConstants.java b/src/test/java/com/exasol/adapter/dialects/oracle/IntegrationTestConstants.java index 2a3bafe..353c43e 100644 --- a/src/test/java/com/exasol/adapter/dialects/oracle/IntegrationTestConstants.java +++ b/src/test/java/com/exasol/adapter/dialects/oracle/IntegrationTestConstants.java @@ -3,7 +3,7 @@ import java.nio.file.Path; public final class IntegrationTestConstants { - public static final String VIRTUAL_SCHEMAS_JAR_NAME_AND_VERSION = "virtual-schema-dist-12.0.0-oracle-3.0.2.jar"; + public static final String VIRTUAL_SCHEMAS_JAR_NAME_AND_VERSION = "virtual-schema-dist-12.0.0-oracle-3.0.3.jar"; public static final String ORACLE_CONTAINER_NAME = "gvenzl/oracle-xe:21.3.0-slim-faststart"; public static final Path VIRTUAL_SCHEMA_JAR = Path.of("target", VIRTUAL_SCHEMAS_JAR_NAME_AND_VERSION); public static final String SCHEMA_EXASOL = "SCHEMA_EXASOL";