From 3672581b2a94ec5574815dd4f255cfc777986881 Mon Sep 17 00:00:00 2001 From: ckunki Date: Mon, 11 Mar 2024 14:22:33 +0100 Subject: [PATCH 01/10] Fixed vulnerabilities --- .gitattributes | 2 + .github/workflows/broken_links_checker.yml | 2 + .github/workflows/ci-build-next-java.yml | 8 +- .github/workflows/ci-build.yml | 24 +-- .github/workflows/dependencies_check.yml | 62 ++++++- .github/workflows/dependencies_update.yml | 169 ++++++++++++++++++ ...elease_droid_prepare_original_checksum.yml | 20 ++- .../release_droid_print_quick_checksum.yml | 11 +- ...ase_droid_upload_github_release_assets.yml | 11 +- .project-keeper.yml | 2 - dependencies.md | 98 +++++----- doc/changes/changelog.md | 1 + doc/changes/changes_2.1.4.md | 46 +++++ doc/user_guide/db2_user_guide.md | 4 +- pk_generated_parent.pom | 70 ++++++-- pom.xml | 26 +-- .../db2/IntegrationTestConfiguration.java | 2 +- 17 files changed, 436 insertions(+), 122 deletions(-) create mode 100644 .github/workflows/dependencies_update.yml create mode 100644 doc/changes/changes_2.1.4.md diff --git a/.gitattributes b/.gitattributes index b8179d0..ca67710 100644 --- a/.gitattributes +++ b/.gitattributes @@ -2,8 +2,10 @@ dependencies.md linguist-genera doc/changes/changelog.md linguist-generated=true pk_generated_parent.pom linguist-generated=true .github/workflows/broken_links_checker.yml linguist-generated=true +.github/workflows/ci-build.yml linguist-generated=true .github/workflows/ci-build-next-java.yml linguist-generated=true .github/workflows/dependencies_check.yml linguist-generated=true +.github/workflows/release_droid_prepare_original_checksum.yml linguist-generated=true .github/workflows/release_droid_print_quick_checksum.yml linguist-generated=true .github/workflows/release_droid_upload_github_release_assets.yml linguist-generated=true diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml index 82ec1cd..0fbcad5 100644 --- a/.github/workflows/broken_links_checker.yml 
+++ b/.github/workflows/broken_links_checker.yml @@ -1,3 +1,5 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/broken_links_checker.yml name: Broken Links Checker on: diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml index 7cbab08..e3acdb7 100644 --- a/.github/workflows/ci-build-next-java.yml +++ b/.github/workflows/ci-build-next-java.yml @@ -1,5 +1,6 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/ci-build-next-java.yml name: CI Build next Java - on: push: branches: @@ -18,7 +19,7 @@ jobs: with: fetch-depth: 0 - name: Set up JDK 17 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: distribution: "temurin" java-version: 17 @@ -26,8 +27,9 @@ jobs: - name: Run tests and build with Maven run: | mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \ + -Djava.version=17 \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn - - name: Publish Test Report + - name: Publish Test Report for Java 17 uses: scacap/action-surefire-report@v1 if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }} with: diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index 47d57c5..8852bbe 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -1,5 +1,6 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/ci-build.yml name: CI Build - on: push: branches: 
@@ -8,25 +9,30 @@ on: jobs: build: - runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest + runs-on: ubuntu-latest concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true steps: + - name: Free Disk Space + if: ${{ false }} + run: | + sudo rm -rf /usr/local/lib/android + sudo rm -rf /usr/share/dotnet - name: Checkout the repository uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 & 17 - uses: actions/setup-java@v3 + - name: Set up JDKs + uses: actions/setup-java@v4 with: distribution: "temurin" java-version: | - 17 11 + 17 cache: "maven" - name: Cache SonarCloud packages - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar @@ -35,7 +41,7 @@ jobs: run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - name: Run tests and build with Maven run: | - JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \ + mvn --batch-mode clean verify \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false - name: Publish Test Report @@ -46,11 +52,9 @@ jobs: - name: Sonar analysis if: ${{ env.SONAR_TOKEN != null }} run: | - JAVA_HOME=$JAVA_HOME_17_X64 mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ + mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false \ - -Dsonar.organization=exasol \ - -Dsonar.host.url=https://sonarcloud.io \ -Dsonar.token=$SONAR_TOKEN env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml index 3059964..6926e55 100644 --- a/.github/workflows/dependencies_check.yml +++ b/.github/workflows/dependencies_check.yml 
@@ -1,20 +1,64 @@ -name: Dependencies Check - +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_check.yml +name: Report Security Issues on: + workflow_dispatch: schedule: - cron: "0 2 * * *" jobs: - build: + report_security_issues: runs-on: ubuntu-latest - + permissions: + contents: read + issues: write + outputs: + created-issues: ${{ steps.security-issues.outputs.created-issues }} steps: - uses: actions/checkout@v4 - - name: Set up JDK 11 - uses: actions/setup-java@v3 + + - name: Set up JDKs + uses: actions/setup-java@v4 with: distribution: "temurin" - java-version: 11 + java-version: | + 11 + 17 cache: "maven" - - name: Checking dependencies for vulnerabilities - run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml + + - name: Generate ossindex report + run: | + mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \ + org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate \ + -Dossindex.reportFile=$(pwd)/ossindex-report.json \ + -Dossindex.fail=false + + - name: Report Security Issues + id: security-issues + uses: exasol/python-toolbox/.github/actions/security-issues@main + with: + format: "maven" + command: "cat ossindex-report.json" + github-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Output security issues (Debugging) + run: | + echo "$CREATED_ISSUES" > test.jsonl + cat test.jsonl + env: + CREATED_ISSUES: ${{ steps.security-issues.outputs.created-issues }} + + start_dependency_udpate: + needs: report_security_issues + if: ${{ needs.report_security_issues.outputs.created-issues }} + concurrency: + cancel-in-progress: true + group: "dependency_update" + # Workflow needs secret INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK + secrets: inherit + permissions: + contents: write + pull-requests: write + uses: ./.github/workflows/dependencies_update.yml + with: + vulnerability_issues: ${{ 
needs.report_security_issues.outputs.created-issues }} diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml new file mode 100644 index 0000000..58222ba --- /dev/null +++ b/.github/workflows/dependencies_update.yml 
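Review bot: The `Report Security Issues` step runs `exasol/python-toolbox/.github/actions/security-issues@main` with `issues: write` and the repository `GITHUB_TOKEN`, so a mutable branch ref decides which code holds that token on every nightly run; pin it to a release tag or a full commit SHA, e.g. `uses: exasol/python-toolbox/.github/actions/security-issues@<pinned-commit-sha>`. The `start_dependency_udpate` job calls the local reusable workflow with `secrets: inherit` plus `contents: write` and `pull-requests: write`, which is workable for an in-repository workflow but means every repository secret reaches that job, not only the Slack webhook named in the comment. The job id also carries a typo (`udpate`) that will persist in run URLs and in any later `needs:` reference. Since the new header marks the file as generated by Project Keeper, these changes belong in the upstream template rather than in a local edit that the next `pk fix` overwrites.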
@@ -0,0 +1,169 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_update.yml +name: Update dependencies +on: + workflow_call: + inputs: + vulnerability_issues: + description: "GitHub issues for vulnerable dependencies as JSONL" + required: true + type: string + workflow_dispatch: + +jobs: + update_dependencies: + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up JDKs + uses: actions/setup-java@v4 + with: + distribution: "temurin" + java-version: | + 11 + 17 + cache: "maven" + + - name: Print issues + run: | + echo "Issues from Action input: $ISSUES" + env: + ISSUES: ${{ inputs.vulnerability_issues }} + + - name: Fail if not running on a branch + if: ${{ !startsWith(github.ref, 'refs/heads/') }} + uses: actions/github-script@v7 + with: + script: | + core.setFailed('Not running on a branch, github.ref is ${{ github.ref }}. Please start this workflow only on main or a branch') + + - name: Update dependencies + run: | + mvn --batch-mode com.exasol:project-keeper-maven-plugin:update-dependencies --projects . \ + -Dproject-keeper:vulnerabilities="$CREATED_ISSUES" + env: + CREATED_ISSUES: ${{ inputs.vulnerability_issues }} + + - name: Project Keeper Fix + run: | + mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects . + + - name: Project Keeper Fix for updated Project Keeper version + # Calling PK fix a second time is necessary because the first invocation potentially updated PK itself. + # So we need to run PK fix again with the latest PK version. + # [impl->dsn~dependency-updater.workflow.start-pk-fix~1] + run: | + mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects . 
+ + - name: Generate Pull Request comment + id: pr-comment + # [impl->dsn~dependency-updater.workflow.pull-request-trigger-ci-build~1] + run: | + echo 'comment<> "$GITHUB_OUTPUT" + echo 'This Pull Request was created by [`dependencies_update.yml`](https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_update.yml) workflow.' >> "$GITHUB_OUTPUT" + if [ -n "$CREATED_ISSUES" ]; then + echo 'It updates dependencies to fix the following vulnerabilities:' >> "$GITHUB_OUTPUT" + echo $CREATED_ISSUES | jq --raw-output '. | "* Closes " + .issue_url + " (" + .cve + ")"' >> "$GITHUB_OUTPUT" + else + echo 'It updates dependencies.' >> "$GITHUB_OUTPUT" + fi + echo >> "$GITHUB_OUTPUT" + echo '# ⚠️ This PR does not trigger CI workflows by default ⚠️' >> "$GITHUB_OUTPUT" + echo 'Please click the **Close pull request** button and then **Reopen pull request** to trigger running checks.' >> "$GITHUB_OUTPUT" + echo 'See https://github.com/exasol/project-keeper/issues/534 for details.' 
>> "$GITHUB_OUTPUT" + echo 'EOF' >> "$GITHUB_OUTPUT" + + cat "$GITHUB_OUTPUT" + env: + CREATED_ISSUES: ${{ inputs.vulnerability_issues }} + + - name: Generate Pull Request Title + id: pr-title + run: | + if [ -n "$CREATED_ISSUES" ]; then + echo "Security issues are available" + echo "title=🔐 Update dependencies to fix vulnerabilities" >> "$GITHUB_OUTPUT" + else + echo "Security issues are not available" + echo "title=Update dependencies" >> "$GITHUB_OUTPUT" + fi + + cat "$GITHUB_OUTPUT" + env: + CREATED_ISSUES: ${{ inputs.vulnerability_issues }} + + - name: Configure git + run: | + git config --global user.email "opensource@exasol.com" + git config --global user.name "Automatic Dependency Updater" + + - name: Create branch + if: ${{ github.ref == 'refs/heads/main' }} + run: | + branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" + echo "Creating branch $branch_name" + git checkout -b "$branch_name" + + - name: Commit changes & push + if: ${{ startsWith(github.ref, 'refs/heads/' ) }} + run: | + branch_name=$(git rev-parse --abbrev-ref HEAD) + echo "Current branch: $branch_name" + echo "git diff --stat" + git diff --stat + echo "git diff --numstat" + git diff --numstat + echo "git diff --name-status" + git diff --name-status + echo "Adding untracked files:" + git add . --verbose --all + echo "Committing changes..." + git commit --message "$TITLE" + echo "Pushing branch $branch_name..." + git push --set-upstream origin "$branch_name" + echo "Done." 
+ env: + TITLE: ${{ steps.pr-title.outputs.title }} + + - name: Create pull request + id: create-pr + if: ${{ github.ref == 'refs/heads/main' }} + run: | + pr_url=$(gh pr create --base main --title "$TITLE" --body "$COMMENT") + echo "Created Pull Request: $pr_url" + echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT" + env: + COMMENT: ${{ steps.pr-comment.outputs.comment }} + TITLE: ${{ steps.pr-title.outputs.title }} + GH_TOKEN: ${{ github.token }} + + - name: Report failure Status to Slack channel + # Also run this step in case of failures + if: ${{ always() }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ job.status }} + token: ${{ secrets.GITHUB_TOKEN }} + notification_title: "Dependency check in {repo} has {status_message}" + message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>" + notify_when: "failure,cancelled,warnings" + env: + SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} + + - name: Report new Pull Request to Slack channel + if: ${{ steps.create-pr.outputs.pr_url }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ job.status }} + token: ${{ secrets.GITHUB_TOKEN }} + notification_title: "Dependency update for {repo} created a Pull Request" + message_format: "{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}" + env: + SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml index e7381af..9801107 100644 --- a/.github/workflows/release_droid_prepare_original_checksum.yml +++ b/.github/workflows/release_droid_prepare_original_checksum.yml 
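Review bot: In the `Generate Pull Request comment` step, `echo $CREATED_ISSUES | jq ...` expands the JSONL input unquoted, so the shell applies word splitting and glob expansion to the issue data before `jq` sees it; write `echo "$CREATED_ISSUES" | jq --raw-output '. | "* Closes " + .issue_url + " (" + .cve + ")"' >> "$GITHUB_OUTPUT"` as the other steps in this file already do with `"$TITLE"` and `"$COMMENT"`. The line `echo 'comment<> "$GITHUB_OUTPUT"` looks like a heredoc opener (`comment<<EOF`) whose delimiter was lost when the patch was rendered; confirm against the committed file, because the later `echo 'EOF' >> "$GITHUB_OUTPUT"` only closes a multi-line output when that opener is intact. This job holds `contents: write` and `pull-requests: write` and hands `secrets.GITHUB_TOKEN` to `ravsamhq/notify-slack-action@v2` twice, so that third-party action should be pinned to a full commit SHA instead of a floating major tag. As the header marks the file as generated by Project Keeper, the fixes need to land in the upstream template.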
@@ -1,21 +1,29 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_prepare_original_checksum.yml name: Release Droid - Prepare Original Checksum - on: workflow_dispatch: jobs: build: - runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest + runs-on: ubuntu-latest steps: + - name: Free Disk Space + if: ${{ false }} + run: | + sudo rm -rf /usr/local/lib/android + sudo rm -rf /usr/share/dotnet - name: Checkout the repository uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 - uses: actions/setup-java@v3 + - name: Set up JDKs + uses: actions/setup-java@v4 with: distribution: "temurin" - java-version: 11 + java-version: | + 11 + 17 cache: "maven" - name: Enable testcontainer reuse run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" @@ -24,7 +32,7 @@ jobs: - name: Prepare checksum run: find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + > original_checksum - name: Upload checksum to the artifactory - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: original_checksum retention-days: 5 diff --git a/.github/workflows/release_droid_print_quick_checksum.yml b/.github/workflows/release_droid_print_quick_checksum.yml index aed4444..86979cd 100644 --- a/.github/workflows/release_droid_print_quick_checksum.yml +++ b/.github/workflows/release_droid_print_quick_checksum.yml @@ -1,5 +1,6 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_print_quick_checksum.yml name: Release Droid - Print Quick Checksum - on: workflow_dispatch: 
@@ -11,11 +12,13 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 - uses: actions/setup-java@v3 + - name: Set up JDKs + uses: actions/setup-java@v4 with: distribution: "temurin" - java-version: 11 + java-version: | + 11 + 17 cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests diff --git a/.github/workflows/release_droid_upload_github_release_assets.yml b/.github/workflows/release_droid_upload_github_release_assets.yml index 7ae8bbb..b19f7cf 100644 --- a/.github/workflows/release_droid_upload_github_release_assets.yml +++ b/.github/workflows/release_droid_upload_github_release_assets.yml @@ -1,5 +1,6 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_upload_github_release_assets.yml name: Release Droid - Upload GitHub Release Assets - on: workflow_dispatch: inputs: @@ -15,11 +16,13 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 - uses: actions/setup-java@v3 + - name: Set up JDKs + uses: actions/setup-java@v4 with: distribution: "temurin" - java-version: 11 + java-version: | + 11 + 17 cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests diff --git a/.project-keeper.yml b/.project-keeper.yml index fa29fee..caa31ac 100644 --- a/.project-keeper.yml +++ b/.project-keeper.yml @@ -6,5 +6,3 @@ sources: - integration_tests - udf_coverage excludes: - - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'" - - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'" diff --git a/dependencies.md b/dependencies.md index b67b9ad..e0eb701 100644 --- a/dependencies.md +++ b/dependencies.md 
@@ -16,7 +16,7 @@ | [udf-debugging-java][4] | [MIT License][5] | | [Hamcrest][6] | [BSD License 3][7] | | [JUnit Jupiter (Aggregator)][8] | [Eclipse Public License v2.0][9] | -| [mockito-junit-jupiter][10] | [The MIT License][11] | +| [mockito-junit-jupiter][10] | [MIT][11] | | [Test containers for Exasol on Docker][12] | [MIT License][13] | | [Testcontainers :: JUnit Jupiter Extension][14] | [MIT][15] | | [Testcontainers :: JDBC :: DB2][14] | [MIT][15] | 
@@ -34,30 +34,26 @@ ## Plugin Dependencies -| Dependency | License | -| ------------------------------------------------------- | ---------------------------------------------- | -| [SonarQube Scanner for Maven][28] | [GNU LGPL 3][29] | -| [Apache Maven Compiler Plugin][30] | [Apache-2.0][31] | -| [Apache Maven Enforcer Plugin][32] | [Apache-2.0][31] | -| [Maven Flatten Plugin][33] | [Apache Software Licenese][31] | -| [org.sonatype.ossindex.maven:ossindex-maven-plugin][34] | [ASL2][35] | -| [Maven Surefire Plugin][36] | [Apache-2.0][31] | -| [Versions Maven Plugin][37] | [Apache License, Version 2.0][31] | -| [duplicate-finder-maven-plugin Maven Mojo][38] | [Apache License 2.0][39] | -| [Apache Maven Assembly Plugin][40] | [Apache-2.0][31] | -| [Apache Maven JAR Plugin][41] | [Apache License, Version 2.0][31] | -| [Artifact reference checker and unifier][42] | [MIT License][43] | -| [Project keeper maven plugin][44] | [The MIT License][45] | -| [Apache Maven Dependency Plugin][46] | [Apache License, Version 2.0][31] | -| [Maven Failsafe Plugin][47] | [Apache-2.0][31] | -| [JaCoCo :: Maven Plugin][48] | [Eclipse Public License 2.0][24] | -| [error-code-crawler-maven-plugin][49] | [MIT License][50] | -| [Reproducible Build Maven Plugin][51] | [Apache 2.0][35] | -| [Maven Clean Plugin][52] | [The Apache Software License, Version 2.0][35] | -| [Maven Resources Plugin][53] | [The Apache Software License, Version 2.0][35] | -| [Maven Install Plugin][54] | [The Apache Software License, Version 2.0][35] | -| [Maven Deploy Plugin][55] | [The Apache Software License, Version 2.0][35] | -| [Maven Site Plugin 3][56] | [The Apache Software License, Version 2.0][35] | +| Dependency | License | +| ------------------------------------------------------- | --------------------------------- | +| [SonarQube Scanner for Maven][28] | [GNU LGPL 3][29] | +| [Apache Maven Toolchains Plugin][30] | [Apache License, Version 2.0][31] | +| [Apache Maven Compiler Plugin][32] | [Apache-2.0][31] 
| +| [Apache Maven Enforcer Plugin][33] | [Apache-2.0][31] | +| [Maven Flatten Plugin][34] | [Apache Software Licenese][31] | +| [org.sonatype.ossindex.maven:ossindex-maven-plugin][35] | [ASL2][36] | +| [Maven Surefire Plugin][37] | [Apache-2.0][31] | +| [Versions Maven Plugin][38] | [Apache License, Version 2.0][31] | +| [duplicate-finder-maven-plugin Maven Mojo][39] | [Apache License 2.0][40] | +| [Apache Maven Assembly Plugin][41] | [Apache-2.0][31] | +| [Apache Maven JAR Plugin][42] | [Apache License, Version 2.0][31] | +| [Artifact reference checker and unifier][43] | [MIT License][44] | +| [Project Keeper Maven plugin][45] | [The MIT License][46] | +| [Apache Maven Dependency Plugin][47] | [Apache License, Version 2.0][31] | +| [Maven Failsafe Plugin][48] | [Apache-2.0][31] | +| [JaCoCo :: Maven Plugin][49] | [Eclipse Public License 2.0][24] | +| [error-code-crawler-maven-plugin][50] | [MIT License][51] | +| [Reproducible Build Maven Plugin][52] | [Apache 2.0][36] | [0]: https://github.com/exasol/virtual-schema-common-jdbc/ [1]: https://github.com/exasol/virtual-schema-common-jdbc/blob/main/LICENSE @@ -70,7 +66,7 @@ [8]: https://junit.org/junit5/ [9]: https://www.eclipse.org/legal/epl-v20.html [10]: https://github.com/mockito/mockito -[11]: https://github.com/mockito/mockito/blob/main/LICENSE +[11]: https://opensource.org/licenses/MIT [12]: https://github.com/exasol/exasol-testcontainers/ [13]: https://github.com/exasol/exasol-testcontainers/blob/main/LICENSE [14]: https://java.testcontainers.org 
@@ -79,7 +75,7 @@ [17]: https://github.com/exasol/hamcrest-resultset-matcher/blob/main/LICENSE [18]: https://github.com/exasol/test-db-builder-java/ [19]: https://github.com/exasol/test-db-builder-java/blob/main/LICENSE -[20]: https://www.ibm.com/support/customer/csol/terms/?ref=L-KHAI-CASRX7-01-10-2022-zz-en +[20]: https://www.ibm.com/support/customer/csol/terms/?ref=L-AJVM-KLN94L-01-11-2023-zz-en [21]: http://www.slf4j.org [22]: http://www.opensource.org/licenses/mit-license.php [23]: https://www.eclemma.org/jacoco/index.html 
@@ -89,30 +85,26 @@ [27]: https://projects.eclipse.org/license/secondary-gpl-2.0-cp [28]: http://sonarsource.github.io/sonar-scanner-maven/ [29]: http://www.gnu.org/licenses/lgpl.txt -[30]: https://maven.apache.org/plugins/maven-compiler-plugin/ +[30]: https://maven.apache.org/plugins/maven-toolchains-plugin/ [31]: https://www.apache.org/licenses/LICENSE-2.0.txt -[32]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ -[33]: https://www.mojohaus.org/flatten-maven-plugin/ -[34]: https://sonatype.github.io/ossindex-maven/maven-plugin/ -[35]: http://www.apache.org/licenses/LICENSE-2.0.txt -[36]: https://maven.apache.org/surefire/maven-surefire-plugin/ -[37]: https://www.mojohaus.org/versions/versions-maven-plugin/ -[38]: https://basepom.github.io/duplicate-finder-maven-plugin -[39]: http://www.apache.org/licenses/LICENSE-2.0.html -[40]: https://maven.apache.org/plugins/maven-assembly-plugin/ -[41]: https://maven.apache.org/plugins/maven-jar-plugin/ -[42]: https://github.com/exasol/artifact-reference-checker-maven-plugin/ -[43]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE -[44]: https://github.com/exasol/project-keeper/ -[45]: https://github.com/exasol/project-keeper/blob/main/LICENSE -[46]: https://maven.apache.org/plugins/maven-dependency-plugin/ -[47]: https://maven.apache.org/surefire/maven-failsafe-plugin/ -[48]: https://www.jacoco.org/jacoco/trunk/doc/maven.html -[49]: https://github.com/exasol/error-code-crawler-maven-plugin/ -[50]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE -[51]: http://zlika.github.io/reproducible-build-maven-plugin -[52]: http://maven.apache.org/plugins/maven-clean-plugin/ -[53]: http://maven.apache.org/plugins/maven-resources-plugin/ -[54]: http://maven.apache.org/plugins/maven-install-plugin/ -[55]: http://maven.apache.org/plugins/maven-deploy-plugin/ -[56]: http://maven.apache.org/plugins/maven-site-plugin/ +[32]: 
https://maven.apache.org/plugins/maven-compiler-plugin/ +[33]: https://maven.apache.org/enforcer/maven-enforcer-plugin/ +[34]: https://www.mojohaus.org/flatten-maven-plugin/ +[35]: https://sonatype.github.io/ossindex-maven/maven-plugin/ +[36]: http://www.apache.org/licenses/LICENSE-2.0.txt +[37]: https://maven.apache.org/surefire/maven-surefire-plugin/ +[38]: https://www.mojohaus.org/versions/versions-maven-plugin/ +[39]: https://basepom.github.io/duplicate-finder-maven-plugin +[40]: http://www.apache.org/licenses/LICENSE-2.0.html +[41]: https://maven.apache.org/plugins/maven-assembly-plugin/ +[42]: https://maven.apache.org/plugins/maven-jar-plugin/ +[43]: https://github.com/exasol/artifact-reference-checker-maven-plugin/ +[44]: https://github.com/exasol/artifact-reference-checker-maven-plugin/blob/main/LICENSE +[45]: https://github.com/exasol/project-keeper/ +[46]: https://github.com/exasol/project-keeper/blob/main/LICENSE +[47]: https://maven.apache.org/plugins/maven-dependency-plugin/ +[48]: https://maven.apache.org/surefire/maven-failsafe-plugin/ +[49]: https://www.jacoco.org/jacoco/trunk/doc/maven.html +[50]: https://github.com/exasol/error-code-crawler-maven-plugin/ +[51]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE +[52]: http://zlika.github.io/reproducible-build-maven-plugin diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index d004da4..6fa2987 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [2.1.4](changes_2.1.4.md) * [2.1.3](changes_2.1.3.md) * [2.1.2](changes_2.1.2.md) * [2.1.1](changes_2.1.1.md) diff --git a/doc/changes/changes_2.1.4.md b/doc/changes/changes_2.1.4.md new file mode 100644 index 0000000..89ce88e --- /dev/null +++ b/doc/changes/changes_2.1.4.md 
@@ -0,0 +1,46 @@ +# Virtual Schema for DB2 2.1.4, released 2024-11-03 + +Code name: Fixed vulnerabilities CVE-2024-25710 and CVE-2024-26308 in test dependencies + +This is a security release in which we updated test dependency `com.exasol:udf-debugging-java` to fix vulnerabilities CVE-2024-25710 and CVE-2024-26308 in its transitive dependencies. + +## Summary + +## Security + +* #32: Fixed vulnerabilities CVE-2024-25710 and CVE-2024-26308 in test dependency `org.apache.commons:commons-compress` + +## Dependency Updates + +### Compile Dependency Updates + +* Updated `com.exasol:virtual-schema-common-jdbc:11.0.2` to `12.0.0` + +### Test Dependency Updates + +* Updated `com.exasol:exasol-testcontainers:6.6.2` to `7.0.1` +* Updated `com.exasol:hamcrest-resultset-matcher:1.6.1` to `1.6.5` +* Updated `com.exasol:test-db-builder-java:3.5.1` to `3.5.3` +* Updated `com.exasol:udf-debugging-java:0.6.11` to `0.6.12` +* Updated `com.exasol:virtual-schema-common-jdbc:11.0.2` to `12.0.0` +* Updated `com.ibm.db2:jcc:11.5.8.0` to `11.5.9.0` +* Updated `org.jacoco:org.jacoco.agent:0.8.10` to `0.8.11` +* Updated `org.junit.jupiter:junit-jupiter:5.10.0` to `5.10.2` +* Updated `org.mockito:mockito-junit-jupiter:5.5.0` to `5.11.0` +* Updated `org.slf4j:slf4j-jdk14:2.0.9` to `2.0.12` +* Updated `org.testcontainers:db2:1.19.0` to `1.19.7` +* Updated `org.testcontainers:junit-jupiter:1.19.0` to `1.19.7` + +### Plugin Dependency Updates + +* Updated `com.exasol:error-code-crawler-maven-plugin:1.3.0` to `2.0.0` +* Updated `com.exasol:project-keeper-maven-plugin:2.9.12` to `4.1.0` +* Updated `org.apache.maven.plugins:maven-compiler-plugin:3.11.0` to `3.12.1` +* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.4.0` to `3.4.1` +* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.1.2` to `3.2.5` +* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.1.2` to `3.2.5` +* Added `org.apache.maven.plugins:maven-toolchains-plugin:3.1.0` +* Updated 
`org.codehaus.mojo:flatten-maven-plugin:1.5.0` to `1.6.0` +* Updated `org.codehaus.mojo:versions-maven-plugin:2.16.0` to `2.16.2` +* Updated `org.jacoco:jacoco-maven-plugin:0.8.10` to `0.8.11` +* Updated `org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184` to `3.10.0.2594` diff --git a/doc/user_guide/db2_user_guide.md b/doc/user_guide/db2_user_guide.md index 406daaa..dc6d48a 100644 --- a/doc/user_guide/db2_user_guide.md +++ b/doc/user_guide/db2_user_guide.md @@ -56,7 +56,7 @@ The SQL statement below creates the adapter script, defines the Java class that ```sql CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.JDBC_ADAPTER AS %scriptclass com.exasol.adapter.RequestDispatcher; - %jar /buckets///virtual-schema-dist-11.0.2-db2-2.1.3.jar; + %jar /buckets///virtual-schema-dist-12.0.0-db2-2.1.4.jar; %jar /buckets///db2jcc4.jar; %jar /buckets///db2jcc_license_cu.jar; / @@ -68,7 +68,7 @@ CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.JDBC_ADAPTER AS ```sql CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.JDBC_ADAPTER AS %scriptclass com.exasol.adapter.RequestDispatcher; - %jar /buckets///virtual-schema-dist-11.0.2-db2-2.1.3.jar; + %jar /buckets///virtual-schema-dist-12.0.0-db2-2.1.4.jar; %jar /buckets///db2jcc4.jar; %jar /buckets///db2jcc_license_cu.jar; %jar /buckets///db2jcc_license_cisuz.jar; diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index 4c2e5ed..ed37059 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,12 +3,14 @@ 4.0.0 com.exasol db2-virtual-schema-generated-parent - 2.1.3 + 2.1.4 pom UTF-8 UTF-8 11 + exasol + https://sonarcloud.io @@ -35,7 +37,7 @@ org.jacoco org.jacoco.agent - 0.8.10 + 0.8.11 test runtime 
@@ -45,21 +47,46 @@ org.sonarsource.scanner.maven sonar-maven-plugin - 3.9.1.2184 + 3.10.0.2594 + + + org.apache.maven.plugins + maven-toolchains-plugin + 3.1.0 + + + + toolchain + + + + + + + ${java.version} + + + org.apache.maven.plugins maven-compiler-plugin - 3.11.0 + 3.12.1 ${java.version} ${java.version} + true + + + -Xlint:all,-processing + + org.apache.maven.plugins maven-enforcer-plugin - 3.4.0 + 3.4.1 enforce-maven @@ -69,8 +96,11 @@ - [3.8.7,3.9.0) + 3.6.3 + + 17 + @@ -79,7 +109,7 @@ org.codehaus.mojo flatten-maven-plugin - 1.5.0 + 1.6.0 true oss @@ -118,7 +148,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.1.2 + 3.2.5 @@ -129,7 +159,7 @@ org.codehaus.mojo versions-maven-plugin - 2.16.0 + 2.16.2 display-updates @@ -142,6 +172,17 @@ file:///${project.basedir}/versionsMavenPluginRules.xml + false + true + true + true + false + true + true + true + false + true + true @@ -222,7 +263,7 @@ org.apache.maven.plugins maven-dependency-plugin - 3.6.0 + 3.6.1 copy-jacoco @@ -242,10 +283,9 @@ org.apache.maven.plugins maven-failsafe-plugin - 3.1.2 + 3.2.5 - + -Djava.util.logging.config.file=src/test/resources/logging.properties ${argLine} true @@ -265,7 +305,7 @@ org.jacoco jacoco-maven-plugin - 0.8.10 + 0.8.11 prepare-agent @@ -312,7 +352,7 @@ com.exasol error-code-crawler-maven-plugin - 1.3.0 + 2.0.0 verify diff --git a/pom.xml b/pom.xml index c174fe8..e76648e 100644 --- a/pom.xml +++ b/pom.xml @@ -3,13 +3,13 @@ 4.0.0 com.exasol db2-virtual-schema - 2.1.3 + 2.1.4 Virtual Schema for DB2 Virtual Schema for connecting DB2 as a data source to Exasol https://github.com/exasol/db2-virtual-schema/ - 11.0.2 - 1.19.0 + 12.0.0 + 1.19.7 @@ -41,7 +41,7 @@ com.exasol udf-debugging-java - 0.6.11 + 0.6.12 test @@ -53,20 +53,20 @@ org.junit.jupiter junit-jupiter - 5.10.0 + 5.10.2 test org.mockito mockito-junit-jupiter - 5.5.0 + 5.11.0 test com.exasol exasol-testcontainers - 6.6.2 + 7.0.1 test 
@@ -84,26 +84,26 @@ com.exasol hamcrest-resultset-matcher - 1.6.1 + 1.6.5 test com.exasol test-db-builder-java - 3.5.1 + 3.5.3 test com.ibm.db2 jcc - 11.5.8.0 + 11.5.9.0 test org.slf4j slf4j-jdk14 - 2.0.9 + 2.0.12 test @@ -119,7 +119,7 @@ com.exasol project-keeper-maven-plugin - 2.9.12 + 4.1.0 @@ -173,7 +173,7 @@ db2-virtual-schema-generated-parent com.exasol - 2.1.3 + 2.1.4 pk_generated_parent.pom diff --git a/src/test/java/com/exasol/adapter/dialects/db2/IntegrationTestConfiguration.java b/src/test/java/com/exasol/adapter/dialects/db2/IntegrationTestConfiguration.java index 396a670..4e58a86 100644 --- a/src/test/java/com/exasol/adapter/dialects/db2/IntegrationTestConfiguration.java +++ b/src/test/java/com/exasol/adapter/dialects/db2/IntegrationTestConfiguration.java @@ -8,7 +8,7 @@ public class IntegrationTestConfiguration { public static final String EXASOL_DOCKER_REFERENCE = "7.1.19"; public static final DockerImageName DB2_DOCKER_REFERENCE = DockerImageName .parse("icr.io/db2_community/db2:11.5.8.0").asCompatibleSubstituteFor("ibmcom/db2"); - public static final String VIRTUAL_SCHEMAS_JAR_NAME_AND_VERSION = "virtual-schema-dist-11.0.2-db2-2.1.3.jar"; + public static final String VIRTUAL_SCHEMAS_JAR_NAME_AND_VERSION = "virtual-schema-dist-12.0.0-db2-2.1.4.jar"; public static final Path PATH_TO_VIRTUAL_SCHEMAS_JAR = Path.of("target", VIRTUAL_SCHEMAS_JAR_NAME_AND_VERSION); public static final int DB2_PORT = 50000; public static final String JDBC_DRIVER_CONFIGURATION_FILE_NAME = "settings.cfg"; From 9b011c0820eea6967390cd51b4ad782a47bb7b46 Mon Sep 17 00:00:00 2001 From: ckunki Date: Mon, 11 Mar 2024 14:30:13 +0100 Subject: [PATCH 02/10] Updated changes file and report warnings as errors --- doc/changes/changes_2.1.4.md | 4 ++-- pom.xml | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/doc/changes/changes_2.1.4.md b/doc/changes/changes_2.1.4.md index 89ce88e..00e7b08 100644 --- a/doc/changes/changes_2.1.4.md 
+++ b/doc/changes/changes_2.1.4.md @@ -2,10 +2,10 @@ Code name: Fixed vulnerabilities CVE-2024-25710 and CVE-2024-26308 in test dependencies -This is a security release in which we updated test dependency `com.exasol:udf-debugging-java` to fix vulnerabilities CVE-2024-25710 and CVE-2024-26308 in its transitive dependencies. - ## Summary +This is a security release in which we updated test dependency `com.exasol:udf-debugging-java` to fix vulnerabilities CVE-2024-25710 and CVE-2024-26308 in its transitive dependencies. + ## Security * #32: Fixed vulnerabilities CVE-2024-25710 and CVE-2024-26308 in test dependency `org.apache.commons:commons-compress` diff --git a/pom.xml b/pom.xml index e76648e..24a00e9 100644 --- a/pom.xml +++ b/pom.xml @@ -148,6 +148,16 @@ + + org.apache.maven.plugins + maven-compiler-plugin + + + -Xlint:all + -Werror + + + org.apache.maven.plugins maven-failsafe-plugin From 5d7f0afcc514db99dc02000a99d20c824d97cf73 Mon Sep 17 00:00:00 2001 From: ckunki Date: Mon, 11 Mar 2024 14:48:58 +0100 Subject: [PATCH 03/10] Added options for building with ubuntu-20 and matrix build --- .project-keeper.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.project-keeper.yml b/.project-keeper.yml index caa31ac..4cca49b 100644 --- a/.project-keeper.yml +++ b/.project-keeper.yml @@ -5,4 +5,9 @@ sources: - jar_artifact - integration_tests - udf_coverage +build: + runnerOs: ubuntu-20.04 + exasolDbVersions: + - "8.25.0" + - "7.1.25" excludes: From dd5fe2de4c3859ec66e56edece35e77bbbc26249 Mon Sep 17 00:00:00 2001 From: ckunki Date: Mon, 11 Mar 2024 14:49:55 +0100 Subject: [PATCH 04/10] pk fix --- .github/workflows/ci-build.yml | 31 ++++++++++++++----- ...elease_droid_prepare_original_checksum.yml | 2 +- 2 files changed, 25 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index 8852bbe..726cf2a 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml 
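Review bot: `runnerOs: ubuntu-20.04` pins the build runners to a fixed image without recording why, so a later maintainer cannot tell when the pin may be lifted; a comment such as `# pinned to 20.04: <reason>; revisit before GitHub retires the 20.04 runner image` above the key would carry that. Unlike `ubuntu-latest`, a fixed image stops receiving the rolling image updates once GitHub ends its support window, so the pin should have an owner and a review date. The `exasolDbVersions` entries are correctly quoted strings, which keeps them from being retyped by any YAML loader.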
@@ -1,5 +1,5 @@ # Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/ci-build.yml +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/ci-build-db-version-matrix.yml name: CI Build on: push: @@ -8,11 +8,17 @@ on: pull_request: jobs: - build: - runs-on: ubuntu-latest + matrix-build: + runs-on: ubuntu-20.04 concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.exasol_db_version }} cancel-in-progress: true + strategy: + fail-fast: false + matrix: + exasol_db_version: ["8.25.0", "7.1.25"] + env: + DEFAULT_EXASOL_DB_VERSION: "8.25.0" steps: - name: Free Disk Space if: ${{ false }} @@ -43,14 +49,19 @@ jobs: run: | mvn --batch-mode clean verify \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ - -DtrimStackTrace=false - - name: Publish Test Report + -DtrimStackTrace=false \ + -Dcom.exasol.dockerdb.image=${{ matrix.exasol_db_version }} + env: + # Set additional environment variable as in scala projects the scalatest plugin does not forward + # the system property -Dcom.exasol.dockerdb.image to the test's implementation. + EXASOL_DB_VERSION: ${{ matrix.exasol_db_version }} + - name: Publish Test Report for Exasol ${{ matrix.exasol_db_version }} uses: scacap/action-surefire-report@v1 if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }} with: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Sonar analysis - if: ${{ env.SONAR_TOKEN != null }} + if: ${{ env.SONAR_TOKEN != null && matrix.exasol_db_version == env.DEFAULT_EXASOL_DB_VERSION }} run: | mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ 
@@ -59,3 +70,9 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + build: + needs: matrix-build + runs-on: ubuntu-latest + steps: + - run: echo "Build successful" diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml index 9801107..2ff28b3 100644 --- a/.github/workflows/release_droid_prepare_original_checksum.yml +++ b/.github/workflows/release_droid_prepare_original_checksum.yml @@ -6,7 +6,7 @@ on: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 steps: - name: Free Disk Space if: ${{ false }} From 927ee0e088a85114e9edb2e51e109752c1493755 Mon Sep 17 00:00:00 2001 From: ckunki Date: Mon, 11 Mar 2024 15:27:19 +0100 Subject: [PATCH 05/10] Fixed warnings reported by maven-compiler-plugin --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 24a00e9..a795d80 100644 --- a/pom.xml +++ b/pom.xml @@ -153,7 +153,7 @@ maven-compiler-plugin - -Xlint:all + -Xlint:all,-path -Werror From 8d4546428db6923668bdec07cd3de542992fa443 Mon Sep 17 00:00:00 2001 From: ckunki Date: Mon, 11 Mar 2024 16:01:51 +0100 Subject: [PATCH 06/10] Removed V8 from test matrix --- .project-keeper.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.project-keeper.yml b/.project-keeper.yml index 4cca49b..9d9c179 100644 --- a/.project-keeper.yml +++ b/.project-keeper.yml @@ -8,6 +8,5 @@ sources: build: runnerOs: ubuntu-20.04 exasolDbVersions: - - "8.25.0" - "7.1.25" excludes: From 75c05d9aa4fe4d275a90a7db55cba5ed32727248 Mon Sep 17 00:00:00 2001 From: ckunki Date: Mon, 11 Mar 2024 16:16:48 +0100 Subject: [PATCH 07/10] Removed V8 from test matrix - pk fix --- .github/workflows/ci-build.yml | 4 ++-- doc/changes/changes_2.1.4.md | 2 +- pom.xml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index 726cf2a..2a2d109 100644 
--- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -16,9 +16,9 @@ jobs: strategy: fail-fast: false matrix: - exasol_db_version: ["8.25.0", "7.1.25"] + exasol_db_version: ["7.1.25"] env: - DEFAULT_EXASOL_DB_VERSION: "8.25.0" + DEFAULT_EXASOL_DB_VERSION: "7.1.25" steps: - name: Free Disk Space if: ${{ false }} diff --git a/doc/changes/changes_2.1.4.md b/doc/changes/changes_2.1.4.md index 00e7b08..f3a66c6 100644 --- a/doc/changes/changes_2.1.4.md +++ b/doc/changes/changes_2.1.4.md @@ -34,7 +34,7 @@ This is a security release in which we updated test dependency `com.exasol:udf-d ### Plugin Dependency Updates * Updated `com.exasol:error-code-crawler-maven-plugin:1.3.0` to `2.0.0` -* Updated `com.exasol:project-keeper-maven-plugin:2.9.12` to `4.1.0` +* Updated `com.exasol:project-keeper-maven-plugin:2.9.12` to `4.2.0` * Updated `org.apache.maven.plugins:maven-compiler-plugin:3.11.0` to `3.12.1` * Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.4.0` to `3.4.1` * Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.1.2` to `3.2.5` diff --git a/pom.xml b/pom.xml index a795d80..9a139f8 100644 --- a/pom.xml +++ b/pom.xml @@ -119,7 +119,7 @@ com.exasol project-keeper-maven-plugin - 4.1.0 + 4.2.0 From 5d8fe89290911d0de07869cc00421702cd0ae2a9 Mon Sep 17 00:00:00 2001 
From: ckunki Date: Mon, 11 Mar 2024 16:40:07 +0100 Subject: [PATCH 08/10] Updated to PK 4.2.0 --- .gitattributes | 1 + .github/workflows/broken_links_checker.yml | 3 + .github/workflows/ci-build-next-java.yml | 6 + .github/workflows/ci-build.yml | 60 +++++- .github/workflows/dependencies_check.yml | 6 +- .github/workflows/dependencies_update.yml | 6 + .github/workflows/release.yml | 193 ++++++++++++++++++ ...elease_droid_prepare_original_checksum.yml | 39 ---- .../release_droid_print_quick_checksum.yml | 26 --- ...ase_droid_upload_github_release_assets.yml | 47 ----- doc/changes/changes_2.1.4.md | 2 +- pk_generated_parent.pom | 2 +- 12 files changed, 274 insertions(+), 117 deletions(-) create mode 100644 .github/workflows/release.yml delete mode 100644 .github/workflows/release_droid_prepare_original_checksum.yml delete mode 100644 .github/workflows/release_droid_print_quick_checksum.yml delete mode 100644 .github/workflows/release_droid_upload_github_release_assets.yml diff --git a/.gitattributes b/.gitattributes index ca67710..6ce7951 100644 --- a/.gitattributes +++ b/.gitattributes @@ -5,6 +5,7 @@ pk_generated_parent.pom linguist-genera .github/workflows/ci-build.yml linguist-generated=true .github/workflows/ci-build-next-java.yml linguist-generated=true .github/workflows/dependencies_check.yml linguist-generated=true +.github/workflows/release.yml linguist-generated=true .github/workflows/release_droid_prepare_original_checksum.yml linguist-generated=true .github/workflows/release_droid_print_quick_checksum.yml linguist-generated=true .github/workflows/release_droid_upload_github_release_assets.yml linguist-generated=true diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml index 0fbcad5..d7a38b4 100644 --- a/.github/workflows/broken_links_checker.yml +++ b/.github/workflows/broken_links_checker.yml 
@@ -13,6 +13,9 @@ on: jobs: linkChecker: runs-on: ubuntu-latest + defaults: + run: + shell: "bash" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml index e3acdb7..8886e10 100644 --- a/.github/workflows/ci-build-next-java.yml +++ b/.github/workflows/ci-build-next-java.yml @@ -10,6 +10,12 @@ on: jobs: java-17-compatibility: runs-on: ubuntu-latest + defaults: + run: + shell: "bash" + permissions: + contents: read + checks: write # Allow scacap/action-surefire-report concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index 2a2d109..881b474 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -3,13 +3,18 @@ name: CI Build on: push: - branches: - - main + branches: ["main"] pull_request: jobs: matrix-build: runs-on: ubuntu-20.04 + defaults: + run: + shell: "bash" + permissions: + contents: read + checks: write # Allow scacap/action-surefire-report concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.exasol_db_version }} cancel-in-progress: true @@ -46,6 +51,7 @@ jobs: - name: Enable testcontainer reuse run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - name: Run tests and build with Maven + id: pk-verify run: | mvn --batch-mode clean verify \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ 
@@ -71,8 +77,58 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + - name: Verify Release Artifacts + run: | + print_message() { + local -r message=$1 + echo "$message" + echo "$message" >> "$GITHUB_STEP_SUMMARY" + } + + print_message "# Release Artifacts" + + IFS=$'\n' artifacts_array=($ARTIFACTS) + missing_files=() + for file in "${artifacts_array[@]}"; + do + echo "Checking if file $file exists..." + if ! [[ -f "$file" ]]; then + print_message "* ⚠️ \`$file\` does not exist ⚠️" + echo "Content of directory $(dirname "$file"):" + ls "$(dirname "$file")" + missing_files+=("$file") + else + print_message "* \`$file\` ✅" + fi + done + print_message "" + number_of_missing_files=${#missing_files[@]} + if [[ $number_of_missing_files -gt 0 ]]; then + print_message "⚠️ $number_of_missing_files release artifact(s) missing ⚠️" + exit 1 + else + print_message "All ${#artifacts_array[@]} artifact(s) present ✅" + fi + env: + ARTIFACTS: ${{ steps.pk-verify.outputs.release-artifacts }} + build: needs: matrix-build runs-on: ubuntu-latest steps: - run: echo "Build successful" + + # [impl->dsn~release-workflow.ci-build-starts-release~1] + start_release: + needs: build + if: ${{ github.ref == 'refs/heads/main' }} + concurrency: + cancel-in-progress: false + group: "release" + secrets: inherit + permissions: + contents: write + actions: read + uses: ./.github/workflows/release.yml + with: + started-from-ci: true diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml index 6926e55..bd26ab6 100644 --- a/.github/workflows/dependencies_check.yml +++ b/.github/workflows/dependencies_check.yml @@ -9,6 +9,9 @@ on: jobs: report_security_issues: runs-on: ubuntu-latest + defaults: + run: + shell: "bash" permissions: contents: read issues: write 
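Review bot: The new `build` job declares no `permissions:` block, so its GITHUB_TOKEN receives the repository's default scope although the job only runs `echo`; adding `permissions: {}` under `build:` keeps it at least privilege, matching the explicit `permissions` given to `matrix-build` earlier in this diff. In `start_release`, `secrets: inherit` makes every repository secret available to the reusable release workflow on each push to main alongside `contents: write`; that is presumably needed for the Slack webhook and the OSSRH values, but it is worth confirming the called workflow references only the secrets it needs. In the "Verify Release Artifacts" step, `IFS=$'\n' artifacts_array=($ARTIFACTS)` is an unquoted expansion that remains subject to pathname globbing; `mapfile -t artifacts_array <<< "$ARTIFACTS"` splits on newlines without expanding. As the file is generated by Project Keeper, the fix belongs in its template rather than in this file.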
@@ -50,10 +53,11 @@ jobs: start_dependency_udpate: needs: report_security_issues + # [impl->dsn~trigger-dependency-updates~1] if: ${{ needs.report_security_issues.outputs.created-issues }} concurrency: cancel-in-progress: true - group: "dependency_update" + group: "dependencies_update" # Workflow needs secret INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK secrets: inherit permissions: diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml index 58222ba..0f6b816 100644 --- a/.github/workflows/dependencies_update.yml +++ b/.github/workflows/dependencies_update.yml @@ -4,6 +4,7 @@ name: Update dependencies on: workflow_call: inputs: + # [impl->dsn~dependency-updater.workflow.vulnerability-info~1] vulnerability_issues: description: "GitHub issues for vulnerable dependencies as JSONL" required: true @@ -13,6 +14,9 @@ on: jobs: update_dependencies: runs-on: ubuntu-latest + defaults: + run: + shell: "bash" permissions: contents: write pull-requests: write @@ -45,6 +49,7 @@ jobs: core.setFailed('Not running on a branch, github.ref is ${{ github.ref }}. Please start this workflow only on main or a branch') - name: Update dependencies + # [impl->dsn~dependency-updater.workflow.start-pk-update~1] run: | mvn --batch-mode com.exasol:project-keeper-maven-plugin:update-dependencies --projects . \ -Dproject-keeper:vulnerabilities="$CREATED_ISSUES" @@ -64,6 +69,7 @@ jobs: - name: Generate Pull Request comment id: pr-comment + # [impl->dsn~dependency-updater.workflow.create-pull-request~1] # [impl->dsn~dependency-updater.workflow.pull-request-trigger-ci-build~1] run: | echo 'comment<> "$GITHUB_OUTPUT" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..7a2dc9c --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,193 @@ +# Generated by Project Keeper +# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release.yml +name: Release +on: + # [impl->dsn~release-workflow.triggers~1] + workflow_call: + inputs: + started-from-ci: + description: "Marks this release as started from CI, skipping precondition check" + type: boolean + required: true + default: false + workflow_dispatch: + inputs: + skip-maven-central: + description: "Skip deployment to Maven Central" + required: true + type: boolean + default: false + skip-github-release: + description: "Skip creating the GitHub release" + required: true + type: boolean + default: false + +jobs: + release: + runs-on: ubuntu-latest + defaults: + run: + shell: "bash" + concurrency: + group: ${{ github.workflow }} + cancel-in-progress: false + permissions: + contents: write + actions: read + steps: + - name: Checkout the repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Set up Maven Central Repository + if: ${{ false }} + uses: actions/setup-java@v4 + with: + distribution: "temurin" + java-version: | + 11 + 17 + cache: "maven" + server-id: ossrh + server-username: MAVEN_USERNAME + server-password: MAVEN_PASSWORD + gpg-private-key: ${{ secrets.OSSRH_GPG_SECRET_KEY }} + gpg-passphrase: MAVEN_GPG_PASSPHRASE + - name: Set up JDKs + if: ${{ ! false }} + uses: actions/setup-java@v4 + with: + distribution: "temurin" + java-version: | + 11 + 17 + cache: "maven" + + # Check preconditions + + - name: Fail if not running on main branch + if: ${{ github.ref != 'refs/heads/main' }} + uses: actions/github-script@v7 + with: + script: | + core.setFailed('Not running on main branch, github.ref is ${{ github.ref }}. 
Please start this workflow only on main') + + # [impl->dsn~release-workflow.verify-ci-build-success~1] + - name: Check CI build of this commit succeeded + # We skip this check if this was started from ci-build.yml, because the build status would be "in progress". + if: ${{ ! inputs.started-from-ci }} + run: | + echo "Commit SHA: $COMMIT_SHA" + gh run list --workflow ci-build.yml --branch main --event push --commit $COMMIT_SHA + ci_build_status=$(gh run list --workflow ci-build.yml --branch main --event push --commit $COMMIT_SHA --json conclusion --template '{{range .}}{{.conclusion}}{{"\n"}}{{end}}') + echo "CI build status at commit $COMMIT_SHA was '$ci_build_status'" + if [[ "$ci_build_status" != "success" ]]; then + gh run list --workflow ci-build.yml --commit $COMMIT_SHA >> $GITHUB_STEP_SUMMARY + echo "Status of CI build for commit $COMMIT_SHA was '$ci_build_status', expected 'success'" >> $GITHUB_STEP_SUMMARY + cat $GITHUB_STEP_SUMMARY + exit 1 + fi + env: + COMMIT_SHA: ${{ github.sha }} + GH_TOKEN: ${{ github.token }} + # [impl->dsn~release-workflow.run-verify-release~1] + - name: Verify release preconditions + id: verify-release + run: | + mvn --batch-mode com.exasol:project-keeper-maven-plugin:verify-release --projects . + echo "$GITHUB_OUTPUT" + env: + GITHUB_TOKEN: ${{ github.token }} + # [impl->dsn~release-workflow.verify-skip-tests~1] + - name: Build project + run: mvn --batch-mode -DskipTests clean verify + + # Maven Central Deployment + - name: List secret GPG keys + if: ${{ false && (! inputs.skip-maven-central) }} + run: gpg --list-secret-keys + # [impl->dsn~release-workflow.deploy-maven-central~1] + - name: Publish to Central Repository + if: ${{ false && (! 
inputs.skip-maven-central) }} + run: | + mvn --batch-mode -Dgpg.skip=false -DskipTests deploy + echo "Published to Maven Central" >> "$GITHUB_STEP_SUMMARY" + env: + MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }} + MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} + + # Create GitHub releasse + + - name: Calculate Artifact Checksums + id: artifact-checksum + if: ${{ ! inputs.skip-github-release }} + run: | + ls target/ + echo "Calculating sha256 checksum for artifact files" + echo "artifacts<> "$GITHUB_OUTPUT" + IFS=$'\n' artifacts_array=($ARTIFACTS) + for file in "${artifacts_array[@]}"; + do + full_path=$(realpath "$file") + echo "Calculate sha256sum for file '$full_path'" + file_dir="$(dirname "$full_path")" + file_name=$(basename "$full_path") + pushd "$file_dir" + checksum_file_name="${file_name}.sha256" + sha256sum "$file_name" > "$checksum_file_name" + echo "$full_path" >> "$GITHUB_OUTPUT" + echo "${file_dir}/$checksum_file_name" >> "$GITHUB_OUTPUT" + popd + done + echo "EOF" >> "$GITHUB_OUTPUT" + echo "Full artifact file list" + cat "$GITHUB_OUTPUT" + env: + ARTIFACTS: ${{ steps.verify-release.outputs.release-artifacts }} + + # [impl->dsn~release-workflow.create-github-release~1] + - name: Create GitHub Release + id: create-github-release + if: ${{ ! 
inputs.skip-github-release }} + run: | + IFS=$'\n' artifacts_array=($ARTIFACTS) + for file in "${artifacts_array[@]}"; + do + echo "Attaching file '$file'" + done + release_url=$(gh release create --draft --latest --title "$TITLE" --notes "$NOTES" --target main $TAG "${artifacts_array[@]}") + echo "Created release $TAG with title '$TITLE' at $release_url" >> "$GITHUB_STEP_SUMMARY" + echo "release-url=$release_url" >> "$GITHUB_OUTPUT" + git fetch --tags origin + env: + GH_TOKEN: ${{ github.token }} + TAG: ${{ steps.verify-release.outputs.version }} + NOTES: ${{ steps.verify-release.outputs.release-notes }} + TITLE: ${{ steps.verify-release.outputs.release-title }} + ARTIFACTS: ${{ steps.artifact-checksum.outputs.artifacts }} + + - name: Report failure Status to Slack channel + # Also run this step in case of failures + if: ${{ always() }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ job.status }} + token: ${{ github.token }} + notification_title: "Release build in {repo} has {status_message}" + message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>" + notify_when: "failure,cancelled,warnings,skipped" + env: + SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} + + - name: Report new release to Slack channel + if: ${{ steps.create-github-release.outputs.release-url }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: ${{ job.status }} + token: ${{ github.token }} + notification_title: "Release build for {repo} created a new release" + message_format: "{workflow} created release ${{ steps.create-github-release.outputs.release-url }}" + env: + SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }} diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml deleted file mode 100644 index 2ff28b3..0000000 --- a/.github/workflows/release_droid_prepare_original_checksum.yml +++ /dev/null 
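Review bot: In the "Create GitHub Release" step, `gh release create` is given `--target main` while the jars and `.sha256` files it attaches were built from the revision checked out in this job, so if a further commit reaches main before this step runs the tag is created on a commit other than the one the artifacts came from; passing the built revision instead, `--target "$COMMIT_SHA"` with `COMMIT_SHA: ${{ github.sha }}` added to the step's env, binds the tag to the artifacts. `$TAG` on the same command line is unquoted and should be `"$TAG"`. The job runs with `contents: write` and passes `token: ${{ github.token }}` to `ravsamhq/notify-slack-action@v2`, a third-party action referenced only by a mutable major tag; pinning it (and the `actions/*` steps) to a full commit SHA with the version in a trailing comment limits what a retagged release could do with that write-scoped token. Since this workflow is generated by Project Keeper, the change belongs in its template rather than in this file.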
@@ -1,39 +0,0 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_prepare_original_checksum.yml -name: Release Droid - Prepare Original Checksum -on: - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-20.04 - steps: - - name: Free Disk Space - if: ${{ false }} - run: | - sudo rm -rf /usr/local/lib/android - sudo rm -rf /usr/share/dotnet - - name: Checkout the repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Set up JDKs - uses: actions/setup-java@v4 - with: - distribution: "temurin" - java-version: | - 11 - 17 - cache: "maven" - - name: Enable testcontainer reuse - run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - - name: Run tests and build with Maven - run: mvn --batch-mode clean verify --file pom.xml - - name: Prepare checksum - run: find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + > original_checksum - - name: Upload checksum to the artifactory - uses: actions/upload-artifact@v4 - with: - name: original_checksum - retention-days: 5 - path: original_checksum diff --git a/.github/workflows/release_droid_print_quick_checksum.yml b/.github/workflows/release_droid_print_quick_checksum.yml deleted file mode 100644 index 86979cd..0000000 --- a/.github/workflows/release_droid_print_quick_checksum.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_print_quick_checksum.yml -name: Release Droid - Print Quick Checksum -on: - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout the repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Set up JDKs - uses: actions/setup-java@v4 - with: - distribution: "temurin" - java-version: | - 11 - 17 - cache: "maven" - - name: Build with Maven skipping tests - run: mvn --batch-mode clean verify -DskipTests - - name: Print checksum - run: echo 'checksum_start==';find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + | xargs;echo '==checksum_end' diff --git a/.github/workflows/release_droid_upload_github_release_assets.yml b/.github/workflows/release_droid_upload_github_release_assets.yml deleted file mode 100644 index b19f7cf..0000000 --- a/.github/workflows/release_droid_upload_github_release_assets.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -# Generated by Project Keeper -# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/release_droid_upload_github_release_assets.yml -name: Release Droid - Upload GitHub Release Assets -on: - workflow_dispatch: - inputs: - upload_url: - description: "Assets upload URL" - required: true - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout the repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Set up JDKs - uses: actions/setup-java@v4 - with: - distribution: "temurin" - java-version: | - 11 - 17 - cache: "maven" - - name: Build with Maven skipping tests - run: mvn --batch-mode clean verify -DskipTests - - name: Generate sha256sum files - run: | - cd target - find . -maxdepth 1 -name \*.jar -exec bash -c 'sha256sum {} > {}.sha256' \; - - name: Upload assets to the GitHub release draft - uses: shogo82148/actions-upload-release-asset@v1 - with: - upload_url: ${{ github.event.inputs.upload_url }} - asset_path: target/*.jar - - name: Upload sha256sum files - uses: shogo82148/actions-upload-release-asset@v1 - with: - upload_url: ${{ github.event.inputs.upload_url }} - asset_path: target/*.sha256 - - name: Upload error-code-report - uses: shogo82148/actions-upload-release-asset@v1 - with: - upload_url: ${{ github.event.inputs.upload_url }} - asset_path: target/error_code_report.json diff --git a/doc/changes/changes_2.1.4.md b/doc/changes/changes_2.1.4.md index f3a66c6..0fbb5a0 100644 --- a/doc/changes/changes_2.1.4.md +++ b/doc/changes/changes_2.1.4.md 
@@ -33,7 +33,7 @@ This is a security release in which we updated test dependency `com.exasol:udf-d ### Plugin Dependency Updates -* Updated `com.exasol:error-code-crawler-maven-plugin:1.3.0` to `2.0.0` +* Updated `com.exasol:error-code-crawler-maven-plugin:1.3.0` to `2.0.1` * Updated `com.exasol:project-keeper-maven-plugin:2.9.12` to `4.2.0` * Updated `org.apache.maven.plugins:maven-compiler-plugin:3.11.0` to `3.12.1` * Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.4.0` to `3.4.1` diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index ed37059..0fe0e10 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -352,7 +352,7 @@ com.exasol error-code-crawler-maven-plugin - 2.0.0 + 2.0.1 verify From ac7bffb3a1b610f19271ff71f94dd10a86ad4df8 Mon Sep 17 00:00:00 2001 From: ckunki Date: Mon, 11 Mar 2024 16:57:22 +0100 Subject: [PATCH 09/10] Adjusted release date --- doc/changes/changes_2.1.4.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/changes/changes_2.1.4.md b/doc/changes/changes_2.1.4.md index 0fbb5a0..17d9f8f 100644 --- a/doc/changes/changes_2.1.4.md +++ b/doc/changes/changes_2.1.4.md @@ -1,4 +1,4 @@ -# Virtual Schema for DB2 2.1.4, released 2024-11-03 +# Virtual Schema for DB2 2.1.4, released 2024-03-12 Code name: Fixed vulnerabilities CVE-2024-25710 and CVE-2024-26308 in test dependencies From 6c863b8da88d08b1d82b8754aee46646a09a184b Mon Sep 17 00:00:00 2001 From: ckunki Date: Mon, 11 Mar 2024 17:50:14 +0100 Subject: [PATCH 10/10] fixed review findings --- .gitattributes | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitattributes b/.gitattributes index 6ce7951..0ee860c 100644 --- a/.gitattributes +++ b/.gitattributes 
@@ -5,6 +5,7 @@ pk_generated_parent.pom linguist-genera .github/workflows/ci-build.yml linguist-generated=true .github/workflows/ci-build-next-java.yml linguist-generated=true .github/workflows/dependencies_check.yml linguist-generated=true +.github/workflows/dependencies_update.yml linguist-generated=true .github/workflows/release.yml linguist-generated=true .github/workflows/release_droid_prepare_original_checksum.yml linguist-generated=true .github/workflows/release_droid_print_quick_checksum.yml linguist-generated=true