#30 Fix CVE-2023-42503 in test dependency `org.apache.commons:commons…

…-compress` (#31)
exasol · Sep 29, 2023 · 4c0e8b7 · 4c0e8b7
1 parent efcd170
commit 4c0e8b7
Show file tree

Hide file tree

Showing 17 changed files with 128 additions and 72 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -2,9 +2,10 @@ dependencies.md                                                  linguist-genera
 doc/changes/changelog.md                                         linguist-generated=true
 pk_generated_parent.pom                                          linguist-generated=true
 .github/workflows/broken_links_checker.yml                       linguist-generated=true
-.github/workflows/ci-build.yml                                   linguist-generated=true
 .github/workflows/ci-build-next-java.yml                         linguist-generated=true
 .github/workflows/dependencies_check.yml                         linguist-generated=true
-.github/workflows/release_droid_prepare_original_checksum.yml    linguist-generated=true
 .github/workflows/release_droid_print_quick_checksum.yml         linguist-generated=true
 .github/workflows/release_droid_upload_github_release_assets.yml linguist-generated=true
+
+.settings/org.eclipse.jdt.core.prefs linguist-generated=true
+.settings/org.eclipse.jdt.ui.prefs   linguist-generated=true
diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml
diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -8,21 +8,23 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up JDK 11
+      - name: Set up JDK 11 & 17
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
-          java-version: 11
-          cache: 'maven'
+          distribution: "temurin"
+          java-version: |
+            17
+            11
+          cache: "maven"
       - name: Cache SonarCloud packages
         uses: actions/cache@v3
         with:
@@ -33,7 +35,7 @@ jobs:
         run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
       - name: Run tests and build with Maven
         run: |
-          mvn --batch-mode clean verify \
+          JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \
               -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
               -DtrimStackTrace=false
       - name: Publish Test Report
@@ -44,12 +46,12 @@ jobs:
       - name: Sonar analysis
         if: ${{ env.SONAR_TOKEN != null }}
         run: |
-          mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
+          JAVA_HOME=$JAVA_HOME_17_X64 mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
               -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
               -DtrimStackTrace=false \
               -Dsonar.organization=exasol \
               -Dsonar.host.url=https://sonarcloud.io \
-              -Dsonar.login=$SONAR_TOKEN
+              -Dsonar.token=$SONAR_TOKEN
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml
diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml
@@ -5,18 +5,18 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
       - name: Enable testcontainer reuse
         run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
       - name: Run tests and build with Maven
@@ -28,4 +28,4 @@ jobs:
         with:
           name: original_checksum
           retention-days: 5
-          path: original_checksum
+          path: original_checksum
diff --git a/.github/workflows/release_droid_print_quick_checksum.yml b/.github/workflows/release_droid_print_quick_checksum.yml
diff --git a/.github/workflows/release_droid_upload_github_release_assets.yml b/.github/workflows/release_droid_upload_github_release_assets.yml
diff --git a/.project-keeper.yml b/.project-keeper.yml
@@ -5,3 +5,6 @@ sources:
       - jar_artifact
       - integration_tests
       - udf_coverage
+excludes:
+  - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'"
+  - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'"
diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs
diff --git a/dependencies.md b/dependencies.md
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
diff --git a/doc/changes/changes_2.1.3.md b/doc/changes/changes_2.1.3.md
@@ -0,0 +1,49 @@
+# Virtual Schema for DB2 2.1.3, released 2023-09-29
+
+Code name: Fix CVE-2023-42503 in test dependency
+
+## Summary
+
+This release fixes CVE-2023-42503 in test dependency `org.apache.commons:commons-compress`.
+
+## Security
+
+* #30: Fixed CVE-2023-42503 in test dependency `org.apache.commons:commons-compress`
+
+## Refactoring
+
+* #29: Simplified test dependencies
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `com.exasol:virtual-schema-common-jdbc:10.5.0` to `11.0.2`
+
+### Test Dependency Updates
+
+* Removed `com.exasol:exasol-test-setup-abstraction-java:2.0.2`
+* Added `com.exasol:exasol-testcontainers:6.6.2`
+* Updated `com.exasol:hamcrest-resultset-matcher:1.6.0` to `1.6.1`
+* Updated `com.exasol:test-db-builder-java:3.4.2` to `3.5.1`
+* Updated `com.exasol:udf-debugging-java:0.6.8` to `0.6.11`
+* Updated `com.exasol:virtual-schema-common-jdbc:10.5.0` to `11.0.2`
+* Updated `org.jacoco:org.jacoco.agent:0.8.9` to `0.8.10`
+* Updated `org.junit.jupiter:junit-jupiter:5.9.3` to `5.10.0`
+* Updated `org.mockito:mockito-junit-jupiter:5.4.0` to `5.5.0`
+* Updated `org.slf4j:slf4j-jdk14:2.0.7` to `2.0.9`
+* Updated `org.testcontainers:db2:1.18.3` to `1.19.0`
+* Updated `org.testcontainers:junit-jupiter:1.18.3` to `1.19.0`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:1.2.3` to `1.3.0`
+* Updated `com.exasol:project-keeper-maven-plugin:2.9.7` to `2.9.12`
+* Updated `org.apache.maven.plugins:maven-assembly-plugin:3.5.0` to `3.6.0`
+* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.3.0` to `3.4.0`
+* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.0.0` to `3.1.2`
+* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.0.0` to `3.1.2`
+* Updated `org.basepom.maven:duplicate-finder-maven-plugin:1.5.1` to `2.0.1`
+* Updated `org.codehaus.mojo:flatten-maven-plugin:1.4.1` to `1.5.0`
+* Updated `org.codehaus.mojo:versions-maven-plugin:2.15.0` to `2.16.0`
+* Updated `org.jacoco:jacoco-maven-plugin:0.8.9` to `0.8.10`
diff --git a/doc/user_guide/db2_user_guide.md b/doc/user_guide/db2_user_guide.md
@@ -56,7 +56,7 @@ The SQL statement below creates the adapter script, defines the Java class that
 ```sql
 CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.JDBC_ADAPTER AS
   %scriptclass com.exasol.adapter.RequestDispatcher;
-  %jar /buckets/<BFS service>/<bucket>/virtual-schema-dist-10.5.0-db2-2.1.2.jar;
+  %jar /buckets/<BFS service>/<bucket>/virtual-schema-dist-11.0.2-db2-2.1.3.jar;
   %jar /buckets/<BFS service>/<bucket>/db2jcc4.jar;
   %jar /buckets/<BFS service>/<bucket>/db2jcc_license_cu.jar;
 /
@@ -68,7 +68,7 @@ CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.JDBC_ADAPTER AS
 ```sql
 CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.JDBC_ADAPTER AS
   %scriptclass com.exasol.adapter.RequestDispatcher;
-  %jar /buckets/<BFS service>/<bucket>/virtual-schema-dist-10.5.0-db2-2.1.2.jar;
+  %jar /buckets/<BFS service>/<bucket>/virtual-schema-dist-11.0.2-db2-2.1.3.jar;
   %jar /buckets/<BFS service>/<bucket>/db2jcc4.jar;
   %jar /buckets/<BFS service>/<bucket>/db2jcc_license_cu.jar;
   %jar /buckets/<BFS service>/<bucket>/db2jcc_license_cisuz.jar;