Fixed vulnerabilities CVE-2023-44981 and CVE-2023-46120 (#282)

* Fixed vulnerabilities CVE-2023-44981 and CVE-2023-46120 * Downgraded scala back to 2.13.11 and ran pk fix * Limited tests for Extension Manager to Exasol DB v8 * enhanced test matrix to cover versions 7 and 8 * Changed Scala tests to use correct version of Exasol DB * fixed indention in build script * Update src/test/java/com/exasol/cloudetl/extension/ExtensionIT.java Co-authored-by: Christoph Pirkl <[email protected]>
exasol · Oct 27, 2023 · aec80bf · aec80bf
1 parent f97397e
commit aec80bf
Show file tree

Hide file tree

Showing 12 changed files with 292 additions and 227 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -1,13 +1,10 @@
 *.sh text eol=lf
-
 .github/workflows/broken_links_checker.yml                      linguist-generated=true
 .github/workflows/dependencies_check.yml                        linguist-generated=true
 .github/workflows/release_droid_print_quick_checksum.yml        linguist-generated=true
-
-dependencies.md             linguist-generated=true
-pk_generated_parent.pom     linguist-generated=true
-doc/changes/changelog.md    linguist-generated=true
-extension/package-lock.json linguist-generated=true
-
-.settings/org.eclipse.jdt.core.prefs linguist-generated=true
-.settings/org.eclipse.jdt.ui.prefs   linguist-generated=true
+.settings/org.eclipse.jdt.core.prefs                            linguist-generated=true
+.settings/org.eclipse.jdt.ui.prefs                              linguist-generated=true
+dependencies.md                                                 linguist-generated=true
+doc/changes/changelog.md                                        linguist-generated=true
+extension/package-lock.json                                     linguist-generated=true
+pk_generated_parent.pom                                         linguist-generated=true
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -8,17 +8,17 @@ on:
 
 jobs:
   build:
-    name: Build with Exasol ${{ matrix.exasol-docker-version }}
+    name: Build with Exasol ${{ matrix.exasol_db_version }}
     runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
     concurrency:
-      group: ${{ github.workflow }}-${{ github.ref }}-exasol-${{ matrix.exasol-docker-version }}
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.exasol_db_version }}
       cancel-in-progress: true
     strategy:
       fail-fast: false
       matrix:
-        exasol-docker-version: ["7.1.23"]
+        exasol_db_version: ["7.1.23", "8.23.0"]
     env:
-      DEFAULT_DOCKER_DB_VERSION: "7.1.23"
+      DEFAULT_EXASOL_DB_VERSION: "8.23.0"
     steps:
       - name: Free Disk Space
         run: |
@@ -64,25 +64,32 @@ jobs:
       - name: Run scalafix linting
         run: mvn --batch-mode clean compile test-compile scalastyle:check scalafix:scalafix
       - name: Run tests and build with Maven
-        run: |
-          JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \
-              -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
-              -DtrimStackTrace=false \
-              -Dcom.exasol.dockerdb.image=${{ matrix.exasol-docker-version }}
+        run: >
+          JAVA_HOME=$JAVA_HOME_11_X64
+          mvn --batch-mode clean verify
+          -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
+          -DtrimStackTrace=false
+          -Dcom.exasol.dockerdb.image=${{ matrix.exasol_db_version }}
+        env:
+          # Passing system property via -Dcom.exasol.dockerdb.image does not work because the scalatest plugin does
+          # not forward it to the test. So we use this environment variable,
+          # see BaseIntegrationTest.scala.getExasolDockerImageVersion()
+          EXASOL_DB_VERSION: ${{ matrix.exasol_db_version }}
       - name: Publish Test Report
         uses: scacap/action-surefire-report@v1
         if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }}
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Sonar analysis
-        if: ${{ env.SONAR_TOKEN != null && matrix.exasol-docker-version == env.DEFAULT_DOCKER_DB_VERSION }}
-        run: |
-          JAVA_HOME=$JAVA_HOME_17_X64 mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
-              -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
-              -DtrimStackTrace=false \
-              -Dsonar.organization=exasol \
-              -Dsonar.host.url=https://sonarcloud.io \
-              -Dsonar.token=$SONAR_TOKEN
+        if: ${{ env.SONAR_TOKEN != null && matrix.exasol_db_version == env.DEFAULT_EXASOL_DB_VERSION }}
+        run: >
+          JAVA_HOME=$JAVA_HOME_17_X64
+          mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+          -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
+          -DtrimStackTrace=false
+          -Dsonar.organization=exasol
+          -Dsonar.host.url=https://sonarcloud.io
+          -Dsonar.token=$SONAR_TOKEN
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -47,6 +47,8 @@ tmp/
 /.settings/org.eclipse.core.resources.prefs
 /.settings/org.eclipse.jdt.apt.core.prefs
 /.settings/org.eclipse.m2e.core.prefs
+/.settings/org.moreunit.prefs
+/.settings/org.sonarlint.eclipse.core.prefs
 
 # Ensime
 .ensime

diff --git a/.project-keeper.yml b/.project-keeper.yml
@@ -9,16 +9,6 @@ sources:
 version:
   fromSource: pom.xml
 linkReplacements:
-  - "http://wiki.fasterxml.com/JacksonModuleScala|https://github.com/FasterXML/jackson-module-scala"
-  - "https://netty.io/netty-all/|https://netty.io/"
-  - "https://www.alluxio.io/alluxio-core/alluxio-core-client/alluxio-core-client-hdfs/|https://www.alluxio.io"
-  - "https://developers.google.com/protocol-buffers/protobuf-java/|https://github.com/protocolbuffers/protobuf/tree/main/java"
-  - "https://github.com/GoogleCloudPlatform/BigData-interop/gcs-connector/|https://github.com/GoogleCloudDataproc/hadoop-connectors/tree/master/gcs"
-  - "https://github.com/googleapis/google-oauth-java-client/google-oauth-client|https://github.com/googleapis/google-oauth-java-client"
-  - "https://orc.apache.org/orc-core|https://orc.apache.org/"
-  - "http://jackson.codehaus.org|https://github.com/codehaus/jackson"
-  - "http://nexus.sonatype.org/oss-repository-hosting.html/scalatest-maven-plugin|https://github.com/scalatest/scalatest-maven-plugin"
-  - "https://logging.apache.org/log4j/2.x/log4j-1.2-api/|https://logging.apache.org/log4j/2.x/"
 excludes:
   - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'"
   - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build-next-java.yml'"