#37: Fix vulnerability in dependencies (#38)

exasol · Apr 24, 2023 · f24baa7 · f24baa7
1 parent c8b1437
commit f24baa7
Show file tree

Hide file tree

Showing 5 changed files with 103 additions and 31 deletions.
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [macos-latest, windows-latest, ubuntu-latest]
+        os: [windows-latest, ubuntu-latest]
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.os }}-${{ github.ref }}
       cancel-in-progress: true

diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
diff --git a/doc/changes/changes_1.1.5.md b/doc/changes/changes_1.1.5.md
@@ -0,0 +1,38 @@
+# Parquet EDML Generator 1.1.5, released 2023-04-24
+
+Code name: Fix CVE-2023-26048
+
+## Summary
+
+This release fixes vulnerability CVE-2023-26048 (Uncontrolled Resource Consumption) in transitive dependency `org.eclipse.jetty:jetty-util:jar:9.4.48.v20220622` by excluding it as it is not used.
+
+## Security
+
+* #37: Fixed CVE-2023-26048
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Removed `com.fasterxml.woodstox:woodstox-core:6.5.0`
+* Updated `info.picocli:picocli:4.7.1` to `4.7.3`
+* Updated `org.apache.hadoop:hadoop-client:3.3.4` to `3.3.5`
+* Updated `org.apache.parquet:parquet-hadoop:1.12.3` to `1.13.0`
+* Removed `org.slf4j:slf4j-jdk14:1.7.36`
+
+### Test Dependency Updates
+
+* Updated `org.mockito:mockito-junit-jupiter:5.2.0` to `5.3.1`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:1.2.2` to `1.2.3`
+* Updated `com.exasol:project-keeper-maven-plugin:2.9.4` to `2.9.7`
+* Updated `org.apache.maven.plugins:maven-compiler-plugin:3.10.1` to `3.11.0`
+* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.2.1` to `3.3.0`
+* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.0.0-M8` to `3.0.0`
+* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M8` to `3.0.0`
+* Added `org.basepom.maven:duplicate-finder-maven-plugin:1.5.1`
+* Updated `org.codehaus.mojo:flatten-maven-plugin:1.3.0` to `1.4.1`
+* Updated `org.codehaus.mojo:versions-maven-plugin:2.14.2` to `2.15.0`
+* Updated `org.jacoco:jacoco-maven-plugin:0.8.8` to `0.8.9`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.exasol</groupId>
     <artifactId>parquet-edml-generator</artifactId>
-    <version>1.1.4</version>
+    <version>1.1.5</version>
     <name>Parquet EDML Generator</name>
     <description>Tool that generates EDML definitions for Parquet files.</description>
     <url>https://github.com/exasol/parquet-edml-generator/</url>
@@ -47,7 +47,7 @@
         <dependency>
             <groupId>org.apache.parquet</groupId>
             <artifactId>parquet-hadoop</artifactId>
-            <version>1.12.3</version>
+            <version>1.13.0</version>
         </dependency>
         <dependency>
             <groupId>com.exasol</groupId>
@@ -57,7 +57,7 @@
         <dependency>
             <groupId>info.picocli</groupId>
             <artifactId>picocli</artifactId>
-            <version>4.7.1</version>
+            <version>4.7.3</version>
         </dependency>
         <dependency>
             <groupId>com.exasol</groupId>
@@ -69,15 +69,10 @@
             <artifactId>junit5-system-extensions</artifactId>
             <version>1.2.0</version>
         </dependency>
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-jdk14</artifactId>
-            <version>1.7.36</version>
-        </dependency>
         <dependency>
             <groupId>org.apache.hadoop</groupId>
             <artifactId>hadoop-client</artifactId>
-            <version>3.3.4</version>
+            <version>3.3.5</version>
             <!-- Excluding transitive dependencies with vulnerabilities. -->
             <exclusions>
                 <exclusion>
@@ -155,14 +150,18 @@
                     <groupId>commons-net</groupId>
                     <artifactId>commons-net</artifactId>
                 </exclusion>
+                <exclusion>
+                    <!-- Fix CVE-2023-26048 -->
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>jetty-util</artifactId>
+                </exclusion>
+                <exclusion>
+                    <!-- Contains the same classes as jakarta.xml.bind:jakarta.xml.bind-api -->
+                    <groupId>javax.xml.bind</groupId>
+                    <artifactId>jaxb-api</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
-        <!-- Explicitly upgrade transitive dependency of hadoop-client to fix CVE-2022-40152 -->
-        <dependency>
-            <groupId>com.fasterxml.woodstox</groupId>
-            <artifactId>woodstox-core</artifactId>
-            <version>6.5.0</version>
-        </dependency>
         <!-- test dependencies -->
         <dependency>
             <groupId>org.hamcrest</groupId>
@@ -191,7 +190,7 @@
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-junit-jupiter</artifactId>
-            <version>5.2.0</version>
+            <version>5.3.1</version>
             <scope>test</scope>
         </dependency>
     </dependencies>
@@ -200,7 +199,7 @@
             <plugin>
                 <groupId>com.exasol</groupId>
                 <artifactId>project-keeper-maven-plugin</artifactId>
-                <version>2.9.4</version>
+                <version>2.9.7</version>
                 <executions>
                     <execution>
                         <goals>
@@ -270,17 +269,25 @@
                     <excludeVulnerabilityIds>
                         <!-- org.apache.hadoop:hadoop-hdfs-client:jar:3.3.4: XXE attack in command line tool "hdfs ec"; not used by the connector -->
                         <exclude>sonatype-2022-5732</exclude>
-                        <!-- org.apache.hadoop:hadoop-common:jar:3.3.4: Same root cause as above, but according to HADOOP-18469 does not result in known issue -->
-                        <exclude>sonatype-2022-5820</exclude>
                     </excludeVulnerabilityIds>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.basepom.maven</groupId>
+                <artifactId>duplicate-finder-maven-plugin</artifactId>
+                <configuration>
+                    <!-- org.apache.parquet:parquet-column and org.apache.parquet:parquet-hadoop both contain classes shaded.parquet.it.unimi.dsi.fastutil.** -->
+                    <failBuildInCaseOfEqualContentConflict>false</failBuildInCaseOfEqualContentConflict>
+                    <failBuildInCaseOfConflict>false</failBuildInCaseOfConflict>
+                    <printEqualFiles>false</printEqualFiles>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
     <parent>
         <artifactId>parquet-edml-generator-generated-parent</artifactId>
         <groupId>com.exasol</groupId>
-        <version>1.1.4</version>
+        <version>1.1.5</version>
         <relativePath>pk_generated_parent.pom</relativePath>
     </parent>
 </project>