

updated dependencies (#40)
ckunki authored Jul 4, 2023
1 parent f24baa7 commit 3358d85
Showing 4 changed files with 55 additions and 101 deletions.
1 change: 1 addition & 0 deletions doc/changes/changelog.md


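--- a/doc/changes/changes_1.1.6.md
+++ b/doc/changes/changes_1.1.6.md
@@ -0,0 +1,30 @@
+# Parquet EDML Generator 1.1.6, released 2023-07-04
+
+Code name: Dependency Updgrade on top of 1.1.5
+
+## Summary
+
+This release fixes the following vulnerabilities in transitive compile-time-dependency `org.xerial.snappy:snappy-java` via `org.apache.parquet:parquet-hadoop` by overriding the transitive dependency:
+* CVE-2023-34453, severity CWE-190: Integer Overflow or Wraparound (7.5)
+* CVE-2023-34454, severity CWE-190: Integer Overflow or Wraparound (7.5)
+* CVE-2023-34455, severity CWE-770: Allocation of Resources Without Limits or Throttling (7.5)
+
+## Features
+
+* #39: Updated dependencies
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `info.picocli:picocli:4.7.3` to `4.7.4`
+* Updated `org.apache.hadoop:hadoop-client:3.3.5` to `3.3.6`
+* Updated `org.apache.parquet:parquet-hadoop:1.13.0` to `1.13.1`
+* Added `org.xerial.snappy:snappy-java:1.1.10.1`
+
+### Test Dependency Updates
+
+* Updated `org.junit.jupiter:junit-jupiter-api:5.9.2` to `5.9.3`
+* Updated `org.junit.jupiter:junit-jupiter-engine:5.9.2` to `5.9.3`
+* Updated `org.junit.jupiter:junit-jupiter-params:5.9.2` to `5.9.3`
+* Updated `org.mockito:mockito-junit-jupiter:5.3.1` to `5.4.0`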
2 changes: 1 addition & 1 deletion pk_generated_parent.pom


123 changes: 23 additions & 100 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,12 @@
<modelVersion>4.0.0</modelVersion>
<groupId>com.exasol</groupId>
<artifactId>parquet-edml-generator</artifactId>
<version>1.1.5</version>
<version>1.1.6</version>
<name>Parquet EDML Generator</name>
<description>Tool that generates EDML definitions for Parquet files.</description>
<url>https://github.com/exasol/parquet-edml-generator/</url>
<properties>
<junit.version>5.9.2</junit.version>
<junit.version>5.9.3</junit.version>
</properties>
<profiles>
<profile>
Expand All @@ -28,16 +28,6 @@
</properties>
</profile>
</profiles>
<distributionManagement>
<snapshotRepository>
<id>ossrh</id>
<url>https://oss.sonatype.org/content/repositories/snapshots</url>
</snapshotRepository>
<repository>
<id>ossrh</id>
<url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
</repository>
</distributionManagement>
<dependencies>
<dependency>
<groupId>com.exasol</groupId>
Expand All @@ -47,7 +37,15 @@
<dependency>
<groupId>org.apache.parquet</groupId>
<artifactId>parquet-hadoop</artifactId>
<version>1.13.0</version>
<version>1.13.1</version>
</dependency>
<!-- override dependency of org.apache.parquet:parquet-hadoop
to fix vulnerabilities
CVE-2023-34453, CVE-2023-34454, and CVE-2023-34455 -->
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>1.1.10.1</version>
</dependency>
<dependency>
<groupId>com.exasol</groupId>
Expand All @@ -57,7 +55,7 @@
<dependency>
<groupId>info.picocli</groupId>
<artifactId>picocli</artifactId>
<version>4.7.3</version>
<version>4.7.4</version>
</dependency>
<dependency>
<groupId>com.exasol</groupId>
Expand All @@ -72,93 +70,28 @@
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-client</artifactId>
<version>3.3.5</version>
<version>3.3.6</version>
<!-- Excluding transitive dependencies with vulnerabilities. -->
<exclusions>
<!-- CVE-2021-22569 and CVE-2022-3509 -->
<exclusion>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
</exclusion>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
</exclusion>
<!-- CVE-2017-7525 and CVE-2019-10172 -->
<exclusion>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
</exclusion>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</exclusion>
<exclusion>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-http</artifactId>
</exclusion>
<exclusion>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-io</artifactId>
</exclusion>
<!-- CVE-2023-2976 and CVE-2020-8908 -->
<exclusion>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</exclusion>
<!-- duplicate to jakarta.xml.bind:jakarta.xml.bind-api -->
<exclusion>
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.zookeeper</groupId>
<artifactId>*</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.curator</groupId>
<artifactId>*</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.avro</groupId>
<artifactId>*</artifactId>
</exclusion>
<exclusion>
<groupId>com.google.protobuf</groupId>
<artifactId>protobuf-java</artifactId>
</exclusion>
<exclusion>
<groupId>com.squareup.okhttp</groupId>
<artifactId>okhttp</artifactId>
</exclusion>
<exclusion>
<!-- Fix CVE-2022-2047 -->
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-client</artifactId>
</exclusion>
<exclusion>
<!-- Fix CVE-2021-37533 and https://ossindex.sonatype.org/vulnerability/sonatype-2022-6438 -->
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</exclusion>
<exclusion>
<!-- Fix CVE-2021-37533 -->
<groupId>commons-net</groupId>
<artifactId>commons-net</artifactId>
</exclusion>
<exclusion>
<!-- Fix CVE-2023-26048 -->
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-util</artifactId>
</exclusion>
<exclusion>
<!-- Contains the same classes as jakarta.xml.bind:jakarta.xml.bind-api -->
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
</exclusion>
</exclusions>
</dependency>
Expand Down Expand Up @@ -190,7 +123,7 @@
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-junit-jupiter</artifactId>
<version>5.3.1</version>
<version>5.4.0</version>
<scope>test</scope>
</dependency>
</dependencies>
Expand Down Expand Up @@ -262,16 +195,6 @@
<useModulePath>false</useModulePath>
</configuration>
</plugin>
<plugin>
<groupId>org.sonatype.ossindex.maven</groupId>
<artifactId>ossindex-maven-plugin</artifactId>
<configuration>
<excludeVulnerabilityIds>
<!-- org.apache.hadoop:hadoop-hdfs-client:jar:3.3.4: XXE attack in command line tool "hdfs ec"; not used by the connector -->
<exclude>sonatype-2022-5732</exclude>
</excludeVulnerabilityIds>
</configuration>
</plugin>
<plugin>
<groupId>org.basepom.maven</groupId>
<artifactId>duplicate-finder-maven-plugin</artifactId>
Expand All @@ -287,7 +210,7 @@
<parent>
<artifactId>parquet-edml-generator-generated-parent</artifactId>
<groupId>com.exasol</groupId>
<version>1.1.5</version>
<version>1.1.6</version>
<relativePath>pk_generated_parent.pom</relativePath>
</parent>
</project>
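Review bot: The reworked hadoop-client `<exclusions>` block appears to drop the exclusions that kept jackson-databind, jackson-core, commons-compress, httpclient, okhttp, commons-net, jetty-client/http/io/util, avro, zookeeper, curator, log4j 1.x and junit off the classpath — several of them annotated with the CVE they were blocking (CVE-2022-2047, CVE-2021-37533, CVE-2023-26048) — yet neither the surviving pom comment nor the changelog says why those artifacts are now acceptable, so the re-introduced runtime surface is undocumented. If the reasoning is that hadoop-client 3.3.6 ships patched versions, record it where the next maintainer will look, e.g. `<!-- hadoop-client 3.3.6 ships fixed versions of the artifacts excluded up to 1.1.5; only unfixed ones are excluded below (scan verified 2023-07-04). -->`, and since this same commit also removes the ossindex-maven-plugin `excludeVulnerabilityIds` configuration from this pom, confirm the vulnerability scan still runs from the parent and is clean against the new transitive set. The snappy-java override is declared as a direct compile dependency; that does pin the version through nearest-wins resolution, but it also adds the artifact to the compile classpath and depends on ordering, whereas a `<dependencyManagement>` entry for `org.xerial.snappy:snappy-java:1.1.10.1` states the intent (override the transitive version only) and is robust to future reshuffling. Whether the generated parent already provides a `<dependencyManagement>` section is not visible here.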
