#229: Fixed vulnerabilities (#230)

* #229: Fixed vulnerabilities Co-authored-by: Sebastian Bär <[email protected]>
exasol · Nov 21, 2022 · 702f0d9 · 702f0d9
1 parent a2698e3
commit 702f0d9
Show file tree

Hide file tree

Showing 7 changed files with 185 additions and 144 deletions.
diff --git a/dependencies.md b/dependencies.md
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
diff --git a/doc/changes/changes_2.6.1.md b/doc/changes/changes_2.6.1.md
@@ -0,0 +1,31 @@
+# Cloud Storage Extension 2.6.1, released 2022-11-21
+
+Code name: Dependency Upgrade to fix Vulnerabilities on top of 2.6.0
+
+## Summary
+
+Updated dependencies to fix vulnerabilities.
+
+## Bug Fixes
+
+* #229: Fixed vulnerabilities CVE-2022-37865 and CVE-2022-37866 by ugrading transitive dependency to `org.apache.ivy:ivy` required by `spark-sql`.
+
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Added `org.apache.ivy:ivy:2.5.1`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:artifact-reference-checker-maven-plugin:0.4.0` to `0.4.2`
+* Updated `com.exasol:error-code-crawler-maven-plugin:1.1.2` to `1.2.1`
+* Updated `com.exasol:project-keeper-maven-plugin:2.8.0` to `2.9.1`
+* Updated `io.github.zlika:reproducible-build-maven-plugin:0.15` to `0.16`
+* Updated `org.apache.maven.plugins:maven-assembly-plugin:3.3.0` to `3.4.2`
+* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M5` to `3.0.0-M7`
+* Updated `org.apache.maven.plugins:maven-jar-plugin:3.2.2` to `3.3.0`
+* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M5` to `3.0.0-M7`
+* Updated `org.codehaus.mojo:flatten-maven-plugin:1.2.7` to `1.3.0`
+* Updated `org.codehaus.mojo:versions-maven-plugin:2.10.0` to `2.13.0`
diff --git a/doc/user_guide/user_guide.md b/doc/user_guide/user_guide.md
@@ -140,7 +140,7 @@ downloaded jar file is the same as the checksum provided in the releases.
 To check the SHA256 result of the local jar, run the command:
 
 ```sh
-sha256sum exasol-cloud-storage-extension-2.6.0.jar
+sha256sum exasol-cloud-storage-extension-2.6.1.jar
 ```
 
 ### Building From Source
@@ -170,7 +170,7 @@ mvn clean package -DskipTests=true
 ```
 
 The assembled jar file should be located at
-`target/exasol-cloud-storage-extension-2.6.0.jar`.
+`target/exasol-cloud-storage-extension-2.6.1.jar`.
 
 ### Create an Exasol Bucket
 
@@ -192,8 +192,8 @@ for the HTTP protocol.
 Upload the jar file using curl command:
 
 ```sh
-curl -X PUT -T exasol-cloud-storage-extension-2.6.0.jar \
-  http://w:<WRITE_PASSWORD>@exasol.datanode.domain.com:2580/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar
+curl -X PUT -T exasol-cloud-storage-extension-2.6.1.jar \
+  http://w:<WRITE_PASSWORD>@exasol.datanode.domain.com:2580/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar
 ```
 
 You can also check out the Exasol [BucketFS Client](https://github.com/exasol/bucketfs-client/) as an
@@ -224,7 +224,7 @@ OPEN SCHEMA CLOUD_STORAGE_EXTENSION;
 
 CREATE OR REPLACE JAVA SET SCRIPT IMPORT_PATH(...) EMITS (...) AS
   %scriptclass com.exasol.cloudetl.scriptclasses.FilesImportQueryGenerator;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 
 CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS (
@@ -234,12 +234,12 @@ CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS (
   end_index DECIMAL(36, 0)
 ) AS
   %scriptclass com.exasol.cloudetl.scriptclasses.FilesMetadataReader;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 
 CREATE OR REPLACE JAVA SET SCRIPT IMPORT_FILES(...) EMITS (...) AS
   %scriptclass com.exasol.cloudetl.scriptclasses.FilesDataImporter;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 ```
 
@@ -259,7 +259,7 @@ OPEN SCHEMA CLOUD_STORAGE_EXTENSION;
 
 CREATE OR REPLACE JAVA SET SCRIPT IMPORT_PATH(...) EMITS (...) AS
   %scriptclass com.exasol.cloudetl.scriptclasses.DockerFilesImportQueryGenerator;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 
 CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS (
@@ -269,12 +269,12 @@ CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS (
   end_index DECIMAL(36, 0)
 ) AS
   %scriptclass com.exasol.cloudetl.scriptclasses.DockerFilesMetadataReader;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 
 CREATE OR REPLACE JAVA SET SCRIPT IMPORT_FILES(...) EMITS (...) AS
   %scriptclass com.exasol.cloudetl.scriptclasses.DockerFilesDataImporter;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 ```
 
@@ -290,12 +290,12 @@ OPEN SCHEMA CLOUD_STORAGE_EXTENSION;
 
 CREATE OR REPLACE JAVA SET SCRIPT EXPORT_PATH(...) EMITS (...) AS
   %scriptclass com.exasol.cloudetl.scriptclasses.TableExportQueryGenerator;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 
 CREATE OR REPLACE JAVA SET SCRIPT EXPORT_TABLE(...) EMITS (ROWS_AFFECTED INT) AS
   %scriptclass com.exasol.cloudetl.scriptclasses.TableDataExporter;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 ```
 
@@ -315,12 +315,12 @@ OPEN SCHEMA CLOUD_STORAGE_EXTENSION;
 
 CREATE OR REPLACE JAVA SET SCRIPT EXPORT_PATH(...) EMITS (...) AS
   %scriptclass com.exasol.cloudetl.scriptclasses.DockerTableExportQueryGenerator;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 
 CREATE OR REPLACE JAVA SET SCRIPT EXPORT_TABLE(...) EMITS (ROWS_AFFECTED INT) AS
   %scriptclass com.exasol.cloudetl.scriptclasses.DockerTableDataExporter;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 ```
 
@@ -451,13 +451,13 @@ CREATE OR REPLACE JAVA SCALAR SCRIPT IMPORT_METADATA(...) EMITS (
 ) AS
   %jvmoption -DHTTPS_PROXY=http://username:password@10.10.1.10:1180
   %scriptclass com.exasol.cloudetl.scriptclasses.FilesMetadataReader;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 
 CREATE OR REPLACE JAVA SET SCRIPT IMPORT_FILES(...) EMITS (...) AS
   %jvmoption -DHTTPS_PROXY=http://username:password@10.10.1.10:1180
   %scriptclass com.exasol.cloudetl.scriptclasses.FilesDataImporter;
-  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.0.jar;
+  %jar /buckets/bfsdefault/<BUCKET>/exasol-cloud-storage-extension-2.6.1.jar;
 /
 ```
 

diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.exasol</groupId>
     <artifactId>cloud-storage-extension</artifactId>
-    <version>2.6.0</version>
+    <version>2.6.1</version>
     <name>Cloud Storage Extension</name>
     <description>Exasol Cloud Storage Import And Export Extension</description>
     <url>https://github.com/exasol/cloud-storage-extension/</url>
@@ -20,7 +20,7 @@
     <parent>
         <artifactId>cloud-storage-extension-generated-parent</artifactId>
         <groupId>com.exasol</groupId>
-        <version>2.6.0</version>
+        <version>2.6.1</version>
         <relativePath>pk_generated_parent.pom</relativePath>
     </parent>
     <repositories>
@@ -314,6 +314,12 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <!-- Upgrade transitive dependency of spark-sql to fix CVE-2022-37865 and CVE-2022-37866 -->
+        <dependency>
+            <groupId>org.apache.ivy</groupId>
+            <artifactId>ivy</artifactId>
+            <version>2.5.1</version>
+        </dependency>
         <dependency>
             <!-- Upgrade transitive dependency of spark-sql to fix
                 CWE-94: Improper Control of Generation of Code ('Code Injection') (9.8); https://ossindex.sonatype.org/vulnerability/CVE-2022-42889 -->
@@ -623,7 +629,7 @@
             <plugin>
                 <groupId>com.exasol</groupId>
                 <artifactId>project-keeper-maven-plugin</artifactId>
-                <version>2.8.0</version>
+                <version>2.9.1</version>
                 <executions>
                     <execution>
                         <goals>

diff --git a/src/test/java/com/exasol/cloudetl/extension/ExtensionIT.java b/src/test/java/com/exasol/cloudetl/extension/ExtensionIT.java
@@ -60,7 +60,7 @@ static void setup() throws FileNotFoundException, BucketAccessException, Timeout
     }
 
     private static Path getAdapterJar() {
-        final Path jar = Paths.get("target").resolve("exasol-cloud-storage-extension-2.6.0.jar").toAbsolutePath();
+        final Path jar = Paths.get("target").resolve("exasol-cloud-storage-extension-2.6.1.jar").toAbsolutePath();
         if (Files.exists(jar)) {
             return jar;
         } else {