From 6539527bd5bf3f3acbf913949d9340c758ec9f0e Mon Sep 17 00:00:00 2001 From: Christoph Pirkl Date: Mon, 25 Sep 2023 13:30:17 +0200 Subject: [PATCH 1/9] #65: Upgrade dependencies --- doc/changes/changelog.md | 1 + doc/changes/changes_2.0.4.md | 10 ++++++++++ pk_generated_parent.pom | 2 +- pom.xml | 12 ++++++------ 4 files changed, 18 insertions(+), 7 deletions(-) create mode 100644 doc/changes/changes_2.0.4.md diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md index 514cdae..cbfb85d 100644 --- a/doc/changes/changelog.md +++ b/doc/changes/changelog.md @@ -1,5 +1,6 @@ # Changes +* [2.0.4](changes_2.0.4.md) * [2.0.3](changes_2.0.3.md) * [2.0.2](changes_2.0.2.md) * [2.0.1](changes_2.0.1.md) diff --git a/doc/changes/changes_2.0.4.md b/doc/changes/changes_2.0.4.md new file mode 100644 index 0000000..625e5bf --- /dev/null +++ b/doc/changes/changes_2.0.4.md @@ -0,0 +1,10 @@ +# Exasol Test Setup Abstraction Java 2.0.4, released 2023-??-?? + +Code name: + +## Summary + +## Features + +* ISSUE_NUMBER: description + diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom index 9352bcc..dbab2dc 100644 --- a/pk_generated_parent.pom +++ b/pk_generated_parent.pom @@ -3,7 +3,7 @@ 4.0.0 com.exasol exasol-test-setup-abstraction-java-generated-parent - 2.0.3 + 2.0.4 pom UTF-8 diff --git a/pom.xml b/pom.xml index 52765d4..61e4c04 100644 --- a/pom.xml +++ b/pom.xml @@ -2,13 +2,13 @@ 4.0.0 exasol-test-setup-abstraction-java - 2.0.3 + 2.0.4 exasol-test-setup-abstraction-java Common interface for testing with an exasol database local and on AWS using Java. https://github.com/exasol/exasol-test-setup-abstraction-java/ 5.10.0 - 2.20.137 + 2.20.153 @@ -95,7 +95,7 @@ nl.jqno.equalsverifier equalsverifier - 3.15.1 + 3.15.2 test @@ -108,7 +108,7 @@ org.slf4j slf4j-jdk14 - 2.0.7 + 2.0.9 test @@ -146,7 +146,7 @@ org.basepom.maven duplicate-finder-maven-plugin - 1.5.1 + 2.0.1 default 
@@ -174,7 +174,7 @@ exasol-test-setup-abstraction-java-generated-parent com.exasol - 2.0.3 + 2.0.4 pk_generated_parent.pom From 80afa0501a2f26fcb3ee9922a3cb7b005e0a5908 Mon Sep 17 00:00:00 2001 From: Christoph Pirkl Date: Mon, 25 Sep 2023 14:47:33 +0200 Subject: [PATCH 2/9] Upgrade testcontainers & project-keeper --- .github/workflows/broken_links_checker.yml | 6 +++--- .github/workflows/ci-build-next-java.yml | 6 +++--- .github/workflows/dependencies_check.yml | 8 ++++---- .../release_droid_print_quick_checksum.yml | 7 +++---- .../release_droid_release_on_maven_central.yml | 8 ++++---- ...lease_droid_upload_github_release_assets.yml | 8 ++++---- dependencies.md | 4 ++-- doc/changes/changes_2.0.4.md | 17 +++++++++++++++++ pom.xml | 4 ++-- 9 files changed, 42 insertions(+), 26 deletions(-) diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml index f2079ec..82ec1cd 100644 --- a/.github/workflows/broken_links_checker.yml +++ b/.github/workflows/broken_links_checker.yml @@ -15,7 +15,7 @@ jobs: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Configure broken links checker run: | mkdir -p ./target @@ -27,6 +27,6 @@ jobs: ']}' > ./target/broken_links_checker.json - uses: gaurav-nelson/github-action-markdown-link-check@v1 with: - use-quiet-mode: 'yes' - use-verbose-mode: 'yes' + use-quiet-mode: "yes" + use-verbose-mode: "yes" config-file: ./target/broken_links_checker.json diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml index e0c15cf..7cbab08 100644 --- a/.github/workflows/ci-build-next-java.yml +++ b/.github/workflows/ci-build-next-java.yml 
@@ -14,15 +14,15 @@ jobs: cancel-in-progress: true steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 17 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 17 - cache: 'maven' + cache: "maven" - name: Run tests and build with Maven run: | mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \ diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml index b2ab231..3059964 100644 --- a/.github/workflows/dependencies_check.yml +++ b/.github/workflows/dependencies_check.yml @@ -9,12 +9,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Checking dependencies for vulnerabilities - run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml \ No newline at end of file + run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml diff --git a/.github/workflows/release_droid_print_quick_checksum.yml b/.github/workflows/release_droid_print_quick_checksum.yml index 8add957..aed4444 100644 --- a/.github/workflows/release_droid_print_quick_checksum.yml +++ b/.github/workflows/release_droid_print_quick_checksum.yml 
@@ -8,17 +8,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests - name: Print checksum run: echo 'checksum_start==';find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + | xargs;echo '==checksum_end' - diff --git a/.github/workflows/release_droid_release_on_maven_central.yml b/.github/workflows/release_droid_release_on_maven_central.yml index b467607..dfdbd6a 100644 --- a/.github/workflows/release_droid_release_on_maven_central.yml +++ b/.github/workflows/release_droid_release_on_maven_central.yml @@ -8,15 +8,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Maven Central Repository uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" server-id: ossrh server-username: MAVEN_USERNAME server-password: MAVEN_PASSWORD @@ -27,4 +27,4 @@ jobs: env: MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }} MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} \ No newline at end of file + MAVEN_GPG_PASSPHRASE: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }} diff --git a/.github/workflows/release_droid_upload_github_release_assets.yml b/.github/workflows/release_droid_upload_github_release_assets.yml index 7350faf..7ae8bbb 100644 --- a/.github/workflows/release_droid_upload_github_release_assets.yml +++ b/.github/workflows/release_droid_upload_github_release_assets.yml 
@@ -4,7 +4,7 @@ on: workflow_dispatch: inputs: upload_url: - description: 'Assets upload URL' + description: "Assets upload URL" required: true jobs: @@ -12,15 +12,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests - name: Generate sha256sum files diff --git a/dependencies.md b/dependencies.md index 62cc5c4..58d1655 100644 --- a/dependencies.md +++ b/dependencies.md @@ -24,7 +24,7 @@ | [Hamcrest][18] | [BSD License 3][19] | | [EqualsVerifier \| release normal jar][20] | [Apache License, Version 2.0][21] | | [System Lambda][22] | [MIT License][23] | -| [SLF4J JDK14 Binding][24] | [MIT License][25] | +| [SLF4J JDK14 Provider][24] | [MIT License][25] | ## Runtime Dependencies @@ -98,7 +98,7 @@ [35]: https://www.mojohaus.org/versions/versions-maven-plugin/ [36]: https://github.com/exasol/project-keeper/ [37]: https://github.com/exasol/project-keeper/blob/main/LICENSE -[38]: https://github.com/basepom/duplicate-finder-maven-plugin +[38]: https://basepom.github.io/duplicate-finder-maven-plugin [39]: http://www.apache.org/licenses/LICENSE-2.0.html [40]: https://maven.apache.org/plugins/maven-deploy-plugin/ [41]: https://maven.apache.org/plugins/maven-gpg-plugin/ diff --git a/doc/changes/changes_2.0.4.md b/doc/changes/changes_2.0.4.md index 625e5bf..debf14a 100644 --- a/doc/changes/changes_2.0.4.md +++ b/doc/changes/changes_2.0.4.md 
@@ -8,3 +8,20 @@ Code name: * ISSUE_NUMBER: description +## Dependency Updates + +### Compile Dependency Updates + +* Updated `com.exasol:exasol-testcontainers:6.6.1` to `6.6.2` +* Updated `software.amazon.awssdk:cloudformation:2.20.137` to `2.20.153` +* Updated `software.amazon.awssdk:ec2:2.20.137` to `2.20.153` + +### Test Dependency Updates + +* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.1` to `3.15.2` +* Updated `org.slf4j:slf4j-jdk14:2.0.7` to `2.0.9` + +### Plugin Dependency Updates + +* Updated `com.exasol:project-keeper-maven-plugin:2.9.11` to `2.9.12` +* Updated `org.basepom.maven:duplicate-finder-maven-plugin:1.5.1` to `2.0.1` diff --git a/pom.xml b/pom.xml index 61e4c04..7f0f717 100644 --- a/pom.xml +++ b/pom.xml @@ -30,7 +30,7 @@ com.exasol exasol-testcontainers - 6.6.1 + 6.6.2 fr.turri @@ -134,7 +134,7 @@ com.exasol project-keeper-maven-plugin - 2.9.11 + 2.9.12 From 0b7440a1477ccf36a8d4ab8acc47c92e6a948eb4 Mon Sep 17 00:00:00 2001 From: Christoph Pirkl Date: Mon, 25 Sep 2023 14:50:37 +0200 Subject: [PATCH 3/9] Update changelog --- doc/changes/changes_2.0.4.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/changes/changes_2.0.4.md b/doc/changes/changes_2.0.4.md index debf14a..bc98511 100644 --- a/doc/changes/changes_2.0.4.md +++ b/doc/changes/changes_2.0.4.md @@ -1,12 +1,14 @@ -# Exasol Test Setup Abstraction Java 2.0.4, released 2023-??-?? +# Exasol Test Setup Abstraction Java 2.0.4, released 2023-09-25 -Code name: +Code name: Fix CVE-2023-42503 ## Summary -## Features +This release fixes CVE-2023-42503 in `org.apache.commons:commons-compress`. Please note that transitive dependency `netty-handler` still contains CVE-2023-4586. See [issue #65](https://github.com/exasol/exasol-test-setup-abstraction-java/issues/65) for details. -* ISSUE_NUMBER: description +## Security + +* #67 Fixed CVE-2023-42503 in `org.apache.commons:commons-compress` ## Dependency Updates 
From 7ebd44f3638f6a305b5cafe9e5bf38503707c6d9 Mon Sep 17 00:00:00 2001 From: Christoph Pirkl Date: Mon, 25 Sep 2023 14:54:02 +0200 Subject: [PATCH 4/9] Mark file as generated --- .gitattributes | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitattributes b/.gitattributes index bdc1221..7965072 100644 --- a/.gitattributes +++ b/.gitattributes @@ -5,6 +5,7 @@ doc/changes/changelog.md linguist-genera .github/workflows/dependencies_check.yml linguist-generated=true .github/workflows/ci-build-next-java.yml linguist-generated=true .github/workflows/release_droid_print_quick_checksum.yml linguist-generated=true +.github/workflows/release_droid_release_on_maven_central.yml linguist-generated=true .github/workflows/release_droid_upload_github_release_assets.yml linguist-generated=true cloudSetup/.terraform.lock.hcl linguist-generated=true From 8f64b3aec80f8c274711371f302da202268224b3 Mon Sep 17 00:00:00 2001 From: Christoph Pirkl Date: Mon, 25 Sep 2023 15:25:23 +0200 Subject: [PATCH 5/9] Improve changelog --- doc/changes/changes_2.0.4.md | 4 +++- pom.xml | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/changes/changes_2.0.4.md b/doc/changes/changes_2.0.4.md index bc98511..46ea368 100644 --- a/doc/changes/changes_2.0.4.md +++ b/doc/changes/changes_2.0.4.md @@ -4,7 +4,9 @@ Code name: Fix CVE-2023-42503 ## Summary -This release fixes CVE-2023-42503 in `org.apache.commons:commons-compress`. Please note that transitive dependency `netty-handler` still contains CVE-2023-4586. See [issue #65](https://github.com/exasol/exasol-test-setup-abstraction-java/issues/65) for details. +This release fixes CVE-2023-42503 in `org.apache.commons:commons-compress`. + +Known issue: Transitive dependency `io.netty:netty-handler` (via `software.amazon.awssdk:cloudformation`) still contains CVE-2023-4586. See [issue #65](https://github.com/exasol/exasol-test-setup-abstraction-java/issues/65) for details. ## Security 
diff --git a/pom.xml b/pom.xml index 7f0f717..ed2aaa9 100644 --- a/pom.xml +++ b/pom.xml @@ -32,6 +32,7 @@ exasol-testcontainers 6.6.2 + fr.turri aXMLRPC From b5f294f8340faa662705ba0af30828241606e731 Mon Sep 17 00:00:00 2001 From: Christoph Pirkl Date: Mon, 25 Sep 2023 15:27:16 +0200 Subject: [PATCH 6/9] Update Exasol version --- doc/changes/changes_2.0.4.md | 4 +++- .../testcontainers/ExasolTestcontainerTestSetup.java | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/changes/changes_2.0.4.md b/doc/changes/changes_2.0.4.md index 46ea368..774f5fe 100644 --- a/doc/changes/changes_2.0.4.md +++ b/doc/changes/changes_2.0.4.md @@ -6,7 +6,9 @@ Code name: Fix CVE-2023-42503 This release fixes CVE-2023-42503 in `org.apache.commons:commons-compress`. -Known issue: Transitive dependency `io.netty:netty-handler` (via `software.amazon.awssdk:cloudformation`) still contains CVE-2023-4586. See [issue #65](https://github.com/exasol/exasol-test-setup-abstraction-java/issues/65) for details. +The release also updates the default Exasol DB version to 7.1.23. + +**Known issue:** Transitive dependency `io.netty:netty-handler` (via `software.amazon.awssdk:cloudformation`) still contains CVE-2023-4586. See [issue #65](https://github.com/exasol/exasol-test-setup-abstraction-java/issues/65) for details. ## Security diff --git a/src/main/java/com/exasol/exasoltestsetup/testcontainers/ExasolTestcontainerTestSetup.java b/src/main/java/com/exasol/exasoltestsetup/testcontainers/ExasolTestcontainerTestSetup.java index d2f1e6f..af9c94e 100644 --- a/src/main/java/com/exasol/exasoltestsetup/testcontainers/ExasolTestcontainerTestSetup.java +++ b/src/main/java/com/exasol/exasoltestsetup/testcontainers/ExasolTestcontainerTestSetup.java 
@@ -22,7 +22,7 @@ */ public class ExasolTestcontainerTestSetup implements ExasolTestSetup { private static final int SSH_PORT = 22; - private final ExasolContainer> exasolContainer = new ExasolContainer<>("7.1.22") + private final ExasolContainer> exasolContainer = new ExasolContainer<>("7.1.23") .withReuse(true); private final SshConnection sshConnection; private final KeyPair keyPair; From 65be313dcf43eff6968f6560e3d61817d679fc67 Mon Sep 17 00:00:00 2001 From: Christoph Pirkl Date: Mon, 25 Sep 2023 16:36:52 +0200 Subject: [PATCH 7/9] Update workflows --- .github/workflows/ci-build.yml | 18 ++++++++++++------ ...release_droid_prepare_original_checksum.yml | 6 +++++- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index a26a9d3..3fd2588 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -14,15 +14,21 @@ jobs: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true steps: + - name: Free Disk Space + run: | + sudo rm -rf /usr/local/lib/android + sudo rm -rf /usr/share/dotnet - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up JDK 11 + - name: Set up JDK 11 & 17 uses: actions/setup-java@v3 with: distribution: "temurin" - java-version: 11 + java-version: | + 17 + 11 cache: "maven" - name: Cache SonarCloud packages uses: actions/cache@v3 @@ -49,7 +55,7 @@ jobs: DEPUTY: ${{ secrets.AWS_TAG_DEPUTY }} - name: Run tests and build with Maven run: | - mvn --batch-mode clean verify \ + JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false - name: Publish Test Report 
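Review bot: In the first `.github/workflows/ci-build.yml` hunk, the bumped `actions/checkout@v4` is referenced by a mutable tag, as are the unchanged `actions/setup-java@v3` and `actions/cache@v3` next to it. Later steps in this file are handed `secrets.AWS_TAG_DEPUTY`, `secrets.GITHUB_TOKEN` and `secrets.SONAR_TOKEN`, so a tag that is moved upstream would execute with those secrets in reach. Since the commit edits the reference anyway, pin it to the full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha-of-the-v4-release> # v4` (placeholder; take the SHA from the action's release page). The same applies to the `actions/checkout@v4` line in the `release_droid_prepare_original_checksum.yml` hunk, whose job runs in the `aws` environment. The job header is above the hunk, so whether a restrictive `permissions:` block is set cannot be seen from here.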
@@ -60,12 +66,12 @@ jobs: - name: Sonar analysis if: ${{ env.SONAR_TOKEN != null }} run: | - mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ + JAVA_HOME=$JAVA_HOME_17_X64 mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false \ -Dsonar.organization=exasol \ -Dsonar.host.url=https://sonarcloud.io \ - -Dsonar.login=$SONAR_TOKEN + -Dsonar.token=$SONAR_TOKEN env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml index ad1a73b..54b53a5 100644 --- a/.github/workflows/release_droid_prepare_original_checksum.yml +++ b/.github/workflows/release_droid_prepare_original_checksum.yml @@ -8,8 +8,12 @@ jobs: runs-on: ubuntu-latest environment: aws steps: + - name: Free Disk Space + run: | + sudo rm -rf /usr/local/lib/android + sudo rm -rf /usr/share/dotnet - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 From 2124a5dfd544287e710429a9be0f65e60fc7ebf3 Mon Sep 17 00:00:00 2001 From: Christoph Pirkl Date: Mon, 25 Sep 2023 16:37:07 +0200 Subject: [PATCH 8/9] Cleanup project keeper configuration --- .project-keeper.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.project-keeper.yml b/.project-keeper.yml index 889a0ed..b36d5f3 100644 --- a/.project-keeper.yml +++ b/.project-keeper.yml @@ -8,5 +8,3 @@ excludes: - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'" - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'" linkReplacements: - - https://github.com/eclipse-ee4j/parsson/parsson|https://github.com/eclipse-ee4j/parsson - - https://netty.io/netty-handler/|https://netty.io/ 
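Review bot: The renamed `-Dsonar.token=$SONAR_TOKEN` argument in the "Sonar analysis" step still puts the secret on the Maven command line, where it becomes part of the process arguments on the runner, and the expansion is unquoted. The step's `env:` block already exports `SONAR_TOKEN`, which the Sonar scanner is documented to read from the environment, so the argument can most likely be dropped; confirm this against the scanner version that the build resolves. If it is kept, quote it as `-Dsonar.token="$SONAR_TOKEN"`. The step's `env:` block may continue past the end of the hunk.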
From bda7e24b0833adbad2602e8e644caa474dfb27c2 Mon Sep 17 00:00:00 2001 From: Christoph Pirkl Date: Mon, 25 Sep 2023 16:37:50 +0200 Subject: [PATCH 9/9] Update release date --- doc/changes/changes_2.0.4.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/changes/changes_2.0.4.md b/doc/changes/changes_2.0.4.md index 774f5fe..45bab03 100644 --- a/doc/changes/changes_2.0.4.md +++ b/doc/changes/changes_2.0.4.md @@ -1,4 +1,4 @@ -# Exasol Test Setup Abstraction Java 2.0.4, released 2023-09-25 +# Exasol Test Setup Abstraction Java 2.0.4, released 2023-09-26 Code name: Fix CVE-2023-42503