diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml
index d7a38b4..39612b7 100644
--- a/.github/workflows/broken_links_checker.yml
+++ b/.github/workflows/broken_links_checker.yml
@@ -13,6 +13,8 @@ on:
jobs:
linkChecker:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
defaults:
run:
shell: "bash"
diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml
index 8886e10..e8302fe 100644
--- a/.github/workflows/ci-build-next-java.yml
+++ b/.github/workflows/ci-build-next-java.yml
@@ -15,7 +15,6 @@ jobs:
shell: "bash"
permissions:
contents: read
- checks: write # Allow scacap/action-surefire-report
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
@@ -35,9 +34,3 @@ jobs:
mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \
-Djava.version=17 \
-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
- - name: Publish Test Report for Java 17
- uses: scacap/action-surefire-report@v1
- if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }}
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- fail_if_no_tests: false
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index fdbae26..1dfc749 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -17,7 +17,6 @@ jobs:
}
permissions: {
contents: read,
- checks: write,
issues: read
}
concurrency: {
diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml
index 9f536ee..1bf502f 100644
--- a/.github/workflows/dependencies_update.yml
+++ b/.github/workflows/dependencies_update.yml
@@ -61,14 +61,6 @@ jobs:
env: {
CREATED_ISSUES: '${{ inputs.vulnerability_issues }}'
}
- - name: Project Keeper Fix
- id: project-keeper-fix
- run: |
- mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects .
- - name: Project Keeper Fix for updated Project Keeper version
- id: project-keeper-fix-2
- run: |
- mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects .
- name: Generate Pull Request comment
id: pr-comment
run: |
@@ -81,7 +73,11 @@ jobs:
echo 'It updates dependencies.' >> "$GITHUB_OUTPUT"
fi
echo >> "$GITHUB_OUTPUT"
- echo '# ⚠️ This PR does not trigger CI workflows by default ⚠️' >> "$GITHUB_OUTPUT"
+ echo '# ⚠️ Notes ⚠️' >> "$GITHUB_OUTPUT"
+ echo '## Run PK fix manually' >> "$GITHUB_OUTPUT"
+ echo 'Due to restrictions workflow `dependencies_update.yml` can't update other workflows, see https://github.com/exasol/project-keeper/issues/578 for details.' >> "$GITHUB_OUTPUT"
+ echo 'Please checkout this PR locally and run `mvn com.exasol:project-keeper-maven-plugin:fix --projects .`' >> "$GITHUB_OUTPUT"
+ echo '## This PR does not trigger CI workflows' >> "$GITHUB_OUTPUT"
echo 'Please click the **Close pull request** button and then **Reopen pull request** to trigger running checks.' >> "$GITHUB_OUTPUT"
echo 'See https://github.com/exasol/project-keeper/issues/534 for details.' >> "$GITHUB_OUTPUT"
echo 'EOF' >> "$GITHUB_OUTPUT"
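Review bot: The apostrophe in `can't` on the added "Due to restrictions" line closes the single-quoted string early, so the quoting of every following `echo` in this `run` script is shifted. The backtick-wrapped `mvn com.exasol:project-keeper-maven-plugin:fix --projects .` text on the next added line then falls outside the quotes, where the shell treats backticks as command substitution rather than literal Markdown. The `EOF` delimiter is also likely not written to `$GITHUB_OUTPUT` as intended. Changing `can't` to `cannot` on that line keeps the single quotes intact and the backticks literal. The `run` script starts before this hunk and may continue after it, so the effect on later lines cannot be confirmed from here.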
diff --git a/dependencies.md b/dependencies.md
index e3e87bb..f66b662 100644
--- a/dependencies.md
+++ b/dependencies.md
@@ -6,100 +6,102 @@
| Dependency | License |
| --------------------------------- | --------------------------------------------- |
| [Apache Parquet Hadoop][0] | [The Apache Software License, Version 2.0][1] |
-| [snappy-java][2] | [Apache-2.0][3] |
-| Apache Hadoop Client Aggregator | [Apache-2.0][4] |
-| [Apache Avro][5] | [Apache-2.0][4] |
-| [Apache Commons Compress][6] | [Apache-2.0][4] |
-| [Apache Commons Configuration][7] | [Apache-2.0][4] |
-| [Scala Library][8] | [Apache-2.0][9] |
-| [error-reporting-java][10] | [MIT License][11] |
+| [aircompressor][2] | [Apache License 2.0][3] |
+| [snappy-java][4] | [Apache-2.0][3] |
+| Apache Hadoop Client Aggregator | [Apache-2.0][5] |
+| [Apache Avro][6] | [Apache-2.0][5] |
+| [Apache Commons Compress][7] | [Apache-2.0][5] |
+| [Apache Commons Configuration][8] | [Apache-2.0][5] |
+| [Scala Library][9] | [Apache-2.0][10] |
+| [error-reporting-java][11] | [MIT License][12] |
## Test Dependencies
| Dependency | License |
| ------------------------------------------ | ----------------------------------------- |
-| [JUnit Jupiter (Aggregator)][12] | [Eclipse Public License v2.0][13] |
-| [mockito-core][14] | [MIT][15] |
-| [mockito-junit-jupiter][14] | [MIT][15] |
-| [Hamcrest][16] | [BSD License 3][17] |
-| [scalatest][18] | [the Apache License, ASL Version 2.0][19] |
-| [EqualsVerifier \| release normal jar][20] | [Apache License, Version 2.0][4] |
+| [JUnit Jupiter (Aggregator)][13] | [Eclipse Public License v2.0][14] |
+| [mockito-core][15] | [MIT][16] |
+| [mockito-junit-jupiter][15] | [MIT][16] |
+| [Hamcrest][17] | [BSD License 3][18] |
+| [scalatest][19] | [the Apache License, ASL Version 2.0][20] |
+| [EqualsVerifier \| release normal jar][21] | [Apache License, Version 2.0][5] |
## Plugin Dependencies
| Dependency | License |
| ------------------------------------------------------- | ----------------------------------------- |
-| [SonarQube Scanner for Maven][21] | [GNU LGPL 3][22] |
-| [Apache Maven Toolchains Plugin][23] | [Apache License, Version 2.0][4] |
-| [Apache Maven Compiler Plugin][24] | [Apache-2.0][4] |
-| [Apache Maven Enforcer Plugin][25] | [Apache-2.0][4] |
-| [Maven Flatten Plugin][26] | [Apache Software Licenese][4] |
-| [org.sonatype.ossindex.maven:ossindex-maven-plugin][27] | [ASL2][1] |
-| [Maven Surefire Plugin][28] | [Apache-2.0][4] |
-| [Versions Maven Plugin][29] | [Apache License, Version 2.0][4] |
-| [scala-maven-plugin][30] | [Public domain (Unlicense)][31] |
-| [ScalaTest Maven Plugin][32] | [the Apache License, ASL Version 2.0][19] |
-| [OpenFastTrace Maven Plugin][33] | [GNU General Public License v3.0][34] |
-| [Project Keeper Maven plugin][35] | [The MIT License][36] |
-| [duplicate-finder-maven-plugin Maven Mojo][37] | [Apache License 2.0][38] |
-| [Apache Maven Deploy Plugin][39] | [Apache-2.0][4] |
-| [Apache Maven GPG Plugin][40] | [Apache-2.0][4] |
-| [Apache Maven Source Plugin][41] | [Apache License, Version 2.0][4] |
-| [Apache Maven Javadoc Plugin][42] | [Apache-2.0][4] |
-| [Nexus Staging Maven Plugin][43] | [Eclipse Public License][44] |
-| [Maven Failsafe Plugin][45] | [Apache-2.0][4] |
-| [JaCoCo :: Maven Plugin][46] | [EPL-2.0][47] |
-| [error-code-crawler-maven-plugin][48] | [MIT License][49] |
-| [Reproducible Build Maven Plugin][50] | [Apache 2.0][1] |
+| [SonarQube Scanner for Maven][22] | [GNU LGPL 3][23] |
+| [Apache Maven Toolchains Plugin][24] | [Apache-2.0][5] |
+| [Apache Maven Compiler Plugin][25] | [Apache-2.0][5] |
+| [Apache Maven Enforcer Plugin][26] | [Apache-2.0][5] |
+| [Maven Flatten Plugin][27] | [Apache Software Licenese][5] |
+| [org.sonatype.ossindex.maven:ossindex-maven-plugin][28] | [ASL2][1] |
+| [Maven Surefire Plugin][29] | [Apache-2.0][5] |
+| [Versions Maven Plugin][30] | [Apache License, Version 2.0][5] |
+| [scala-maven-plugin][31] | [Public domain (Unlicense)][32] |
+| [ScalaTest Maven Plugin][33] | [the Apache License, ASL Version 2.0][20] |
+| [OpenFastTrace Maven Plugin][34] | [GNU General Public License v3.0][35] |
+| [Project Keeper Maven plugin][36] | [The MIT License][37] |
+| [duplicate-finder-maven-plugin Maven Mojo][38] | [Apache License 2.0][39] |
+| [Apache Maven Deploy Plugin][40] | [Apache-2.0][5] |
+| [Apache Maven GPG Plugin][41] | [Apache-2.0][5] |
+| [Apache Maven Source Plugin][42] | [Apache License, Version 2.0][5] |
+| [Apache Maven Javadoc Plugin][43] | [Apache-2.0][5] |
+| [Nexus Staging Maven Plugin][44] | [Eclipse Public License][45] |
+| [Maven Failsafe Plugin][46] | [Apache-2.0][5] |
+| [JaCoCo :: Maven Plugin][47] | [EPL-2.0][48] |
+| [error-code-crawler-maven-plugin][49] | [MIT License][50] |
+| [Reproducible Build Maven Plugin][51] | [Apache 2.0][1] |
[0]: https://parquet.apache.org
[1]: http://www.apache.org/licenses/LICENSE-2.0.txt
-[2]: https://github.com/xerial/snappy-java
+[2]: https://github.com/airlift/aircompressor
[3]: https://www.apache.org/licenses/LICENSE-2.0.html
-[4]: https://www.apache.org/licenses/LICENSE-2.0.txt
-[5]: https://avro.apache.org
-[6]: https://commons.apache.org/proper/commons-compress/
-[7]: https://commons.apache.org/proper/commons-configuration/
-[8]: https://www.scala-lang.org/
-[9]: https://www.apache.org/licenses/LICENSE-2.0
-[10]: https://github.com/exasol/error-reporting-java/
-[11]: https://github.com/exasol/error-reporting-java/blob/main/LICENSE
-[12]: https://junit.org/junit5/
-[13]: https://www.eclipse.org/legal/epl-v20.html
-[14]: https://github.com/mockito/mockito
-[15]: https://opensource.org/licenses/MIT
-[16]: http://hamcrest.org/JavaHamcrest/
-[17]: http://opensource.org/licenses/BSD-3-Clause
-[18]: http://www.scalatest.org
-[19]: http://www.apache.org/licenses/LICENSE-2.0
-[20]: https://www.jqno.nl/equalsverifier
-[21]: http://sonarsource.github.io/sonar-scanner-maven/
-[22]: http://www.gnu.org/licenses/lgpl.txt
-[23]: https://maven.apache.org/plugins/maven-toolchains-plugin/
-[24]: https://maven.apache.org/plugins/maven-compiler-plugin/
-[25]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
-[26]: https://www.mojohaus.org/flatten-maven-plugin/
-[27]: https://sonatype.github.io/ossindex-maven/maven-plugin/
-[28]: https://maven.apache.org/surefire/maven-surefire-plugin/
-[29]: https://www.mojohaus.org/versions/versions-maven-plugin/
-[30]: http://github.com/davidB/scala-maven-plugin
-[31]: http://unlicense.org/
-[32]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin
-[33]: https://github.com/itsallcode/openfasttrace-maven-plugin
-[34]: https://www.gnu.org/licenses/gpl-3.0.html
-[35]: https://github.com/exasol/project-keeper/
-[36]: https://github.com/exasol/project-keeper/blob/main/LICENSE
-[37]: https://basepom.github.io/duplicate-finder-maven-plugin
-[38]: http://www.apache.org/licenses/LICENSE-2.0.html
-[39]: https://maven.apache.org/plugins/maven-deploy-plugin/
-[40]: https://maven.apache.org/plugins/maven-gpg-plugin/
-[41]: https://maven.apache.org/plugins/maven-source-plugin/
-[42]: https://maven.apache.org/plugins/maven-javadoc-plugin/
-[43]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
-[44]: http://www.eclipse.org/legal/epl-v10.html
-[45]: https://maven.apache.org/surefire/maven-failsafe-plugin/
-[46]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
-[47]: https://www.eclipse.org/legal/epl-2.0/
-[48]: https://github.com/exasol/error-code-crawler-maven-plugin/
-[49]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
-[50]: http://zlika.github.io/reproducible-build-maven-plugin
+[4]: https://github.com/xerial/snappy-java
+[5]: https://www.apache.org/licenses/LICENSE-2.0.txt
+[6]: https://avro.apache.org
+[7]: https://commons.apache.org/proper/commons-compress/
+[8]: https://commons.apache.org/proper/commons-configuration/
+[9]: https://www.scala-lang.org/
+[10]: https://www.apache.org/licenses/LICENSE-2.0
+[11]: https://github.com/exasol/error-reporting-java/
+[12]: https://github.com/exasol/error-reporting-java/blob/main/LICENSE
+[13]: https://junit.org/junit5/
+[14]: https://www.eclipse.org/legal/epl-v20.html
+[15]: https://github.com/mockito/mockito
+[16]: https://opensource.org/licenses/MIT
+[17]: http://hamcrest.org/JavaHamcrest/
+[18]: http://opensource.org/licenses/BSD-3-Clause
+[19]: http://www.scalatest.org
+[20]: http://www.apache.org/licenses/LICENSE-2.0
+[21]: https://www.jqno.nl/equalsverifier
+[22]: http://sonarsource.github.io/sonar-scanner-maven/
+[23]: http://www.gnu.org/licenses/lgpl.txt
+[24]: https://maven.apache.org/plugins/maven-toolchains-plugin/
+[25]: https://maven.apache.org/plugins/maven-compiler-plugin/
+[26]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
+[27]: https://www.mojohaus.org/flatten-maven-plugin/
+[28]: https://sonatype.github.io/ossindex-maven/maven-plugin/
+[29]: https://maven.apache.org/surefire/maven-surefire-plugin/
+[30]: https://www.mojohaus.org/versions/versions-maven-plugin/
+[31]: http://github.com/davidB/scala-maven-plugin
+[32]: http://unlicense.org/
+[33]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin
+[34]: https://github.com/itsallcode/openfasttrace-maven-plugin
+[35]: https://www.gnu.org/licenses/gpl-3.0.html
+[36]: https://github.com/exasol/project-keeper/
+[37]: https://github.com/exasol/project-keeper/blob/main/LICENSE
+[38]: https://basepom.github.io/duplicate-finder-maven-plugin
+[39]: http://www.apache.org/licenses/LICENSE-2.0.html
+[40]: https://maven.apache.org/plugins/maven-deploy-plugin/
+[41]: https://maven.apache.org/plugins/maven-gpg-plugin/
+[42]: https://maven.apache.org/plugins/maven-source-plugin/
+[43]: https://maven.apache.org/plugins/maven-javadoc-plugin/
+[44]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
+[45]: http://www.eclipse.org/legal/epl-v10.html
+[46]: https://maven.apache.org/surefire/maven-failsafe-plugin/
+[47]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
+[48]: https://www.eclipse.org/legal/epl-2.0/
+[49]: https://github.com/exasol/error-code-crawler-maven-plugin/
+[50]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
+[51]: http://zlika.github.io/reproducible-build-maven-plugin
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index f508c71..08045b8 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
# Changes
+* [2.0.9](changes_2.0.9.md)
* [2.0.8](changes_2.0.8.md)
* [2.0.7](changes_2.0.7.md)
* [2.0.6](changes_2.0.6.md)
diff --git a/doc/changes/changes_2.0.9.md b/doc/changes/changes_2.0.9.md
new file mode 100644
index 0000000..9997431
--- /dev/null
+++ b/doc/changes/changes_2.0.9.md
@@ -0,0 +1,36 @@
+# Parquet for Java 2.0.9, released 2024-06-03
+
+Code name: Security update - fix for CVE-2024-36114
+
+## Summary
+
+Fixed CVE-2024-36114 https://github.com/advisories/GHSA-973x-65j7-xcf4 via transitive version update.
+Updated dependencies.
+
+## Security
+
+* #72: CVE-2024-36114: io.airlift:aircompressor:jar:0.21:compile
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Added `io.airlift:aircompressor:0.27`
+* Updated `org.apache.commons:commons-compress:1.26.1` to `1.26.2`
+
+### Test Dependency Updates
+
+* Updated `org.mockito:mockito-core:5.11.0` to `5.12.0`
+* Updated `org.mockito:mockito-junit-jupiter:5.11.0` to `5.12.0`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:2.0.2` to `2.0.3`
+* Updated `com.exasol:project-keeper-maven-plugin:4.3.0` to `4.3.2`
+* Updated `org.apache.maven.plugins:maven-deploy-plugin:3.1.1` to `3.1.2`
+* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.4.1` to `3.5.0`
+* Updated `org.apache.maven.plugins:maven-gpg-plugin:3.2.2` to `3.2.4`
+* Updated `org.apache.maven.plugins:maven-javadoc-plugin:3.6.3` to `3.7.0`
+* Updated `org.apache.maven.plugins:maven-toolchains-plugin:3.1.0` to `3.2.0`
+* Updated `org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922` to `4.0.0.4121`
+* Updated `org.sonatype.plugins:nexus-staging-maven-plugin:1.6.13` to `1.7.0`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index 9463900..3516bd3 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@
4.0.0
com.exasol
parquet-io-java-generated-parent
- 2.0.8
+ 2.0.9
pom
UTF-8
@@ -50,12 +50,12 @@
org.sonarsource.scanner.maven
sonar-maven-plugin
- 3.11.0.3922
+ 4.0.0.4121
org.apache.maven.plugins
maven-toolchains-plugin
- 3.1.0
+ 3.2.0
@@ -88,7 +88,7 @@
org.apache.maven.plugins
maven-enforcer-plugin
- 3.4.1
+ 3.5.0
enforce-maven
@@ -215,7 +215,7 @@
org.apache.maven.plugins
maven-deploy-plugin
- 3.1.1
+ 3.1.2
true
@@ -223,7 +223,7 @@
org.apache.maven.plugins
maven-gpg-plugin
- 3.2.2
+ 3.2.4
sign-artifacts
@@ -244,8 +244,8 @@
org.apache.maven.plugins
maven-source-plugin
+ Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar-no-fork (attach-sources) on project project-keeper-shared-model-classes: Presumably you have configured maven-source-plugn to execute twice times in your build. You have to configure a classifier for at least on of them.
+ Using goal "jar-no-fork" didn't help. See https://stackoverflow.com/questions/76305897/maven-build-fails-after-upgrading-to-maven-source-plugin-from-3-2-1-to-3-3-0 -->
3.2.1
@@ -259,7 +259,7 @@
org.apache.maven.plugins
maven-javadoc-plugin
- 3.6.3
+ 3.7.0
attach-javadocs
@@ -281,7 +281,7 @@
org.sonatype.plugins
nexus-staging-maven-plugin
- 1.6.13
+ 1.7.0
true
ossrh
@@ -363,7 +363,7 @@
com.exasol
error-code-crawler-maven-plugin
- 2.0.2
+ 2.0.3
verify
diff --git a/pom.xml b/pom.xml
index b878db7..0f35f12 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,20 +3,20 @@
4.0.0
com.exasol
parquet-io-java
- 2.0.8
+ 2.0.9
Parquet for Java
This project provides a library that reads Parquet files into Java objects.
https://github.com/exasol/parquet-io-java/
parquet-io-java-generated-parent
com.exasol
- 2.0.8
+ 2.0.9
pk_generated_parent.pom
2.13.13
2.13
- 5.11.0
+ 5.12.0
@@ -24,6 +24,12 @@
parquet-hadoop
1.13.1
+
+
+ io.airlift
+ aircompressor
+ 0.27
+
org.xerial.snappy
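Review bot: The added `io.airlift:aircompressor` `0.27` entry appears to be declared as a regular dependency only to override a transitively resolved version, and nothing visible in the hunk records that. The changelog in this commit describes the CVE-2024-36114 fix as a transitive version update. If the code does not use aircompressor directly, a pin under `<dependencyManagement>` would override the version without presenting it as a direct compile dependency. Either way, a comment such as `<!-- Override transitive aircompressor to fix CVE-2024-36114; remove once the dependency that pulls it in ships a fixed version -->` keeps the pin from outliving its purpose. The XML tags, and any comment already present, are not visible in this rendering, and the enclosing dependencies element starts and ends outside the hunk.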
@@ -133,7 +139,7 @@
org.apache.commons
commons-compress
- 1.26.1
+ 1.26.2
@@ -281,7 +287,7 @@
com.exasol
project-keeper-maven-plugin
- 4.3.0
+ 4.3.2