Fixes in docs, scope in pom

exasol · Sep 23, 2024 · 5f25a2c · 5f25a2c
1 parent 3e24340
commit 5f25a2c
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/doc/changes/changes_2.0.8.md b/doc/changes/changes_2.0.8.md
@@ -1,11 +1,11 @@
-# Spark Connector Common Java 2.0.8, released 2024-09-24
+# Spark Connector Common Java 2.0.8, released 2024-09-23
 
 Code name: Fixed vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:provided
 
 ## Summary
-This release fixes vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:provided
+This release fixes vulnerability CVE-2024-7254 in com.google.protobuf:protobuf-java:jar:3.19.6:provided  which could lead to unbounded recursion.
 
-## Features
+## Security
 
 * #41: CVE-2024-7254: com.google.protobuf:protobuf-java:jar:3.19.6:provided
 

diff --git a/pom.xml b/pom.xml
@@ -80,54 +80,63 @@
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-compress</artifactId>
             <version>1.26.2</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2023-43642 and CVE-2022-46751 -->
             <groupId>org.xerial.snappy</groupId>
             <artifactId>snappy-java</artifactId>
             <version>1.1.10.5</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2022-46751 -->
             <groupId>org.apache.ivy</groupId>
             <artifactId>ivy</artifactId>
             <version>2.5.2</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.zookeeper</groupId>
             <!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2023-44981 -->
             <artifactId>zookeeper</artifactId>
             <version>3.9.2</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.avro</groupId>
             <!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2023-44981 -->
             <artifactId>avro</artifactId>
             <version>1.11.3</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2024-23080 -->
             <groupId>joda-time</groupId>
             <artifactId>joda-time</artifactId>
             <version>2.12.7</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2024-29025 -->
             <groupId>io.netty</groupId>
             <artifactId>netty-all</artifactId>
             <version>4.1.111.Final</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <!-- Upgrade transitive dependency of org.apache.spark:spark-core_2.13 to fix CVE-2023-33546 -->
             <groupId>org.codehaus.janino</groupId>
             <artifactId>janino</artifactId>
             <version>3.1.12</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <!-- Upgrade transitive dependency of org.apache.spark:spark-network-common_2.13 to fix CVE-2024-7254 -->
             <groupId>com.google.protobuf</groupId>
             <artifactId>protobuf-java</artifactId>
             <version>3.25.5</version>
+            <scope>provided</scope>
         </dependency>
         <!-- Test Dependencies -->
         <dependency>