#64: Fix CVE-2023-39410 in org.apache.avro:avro (#65)

exasol · Oct 24, 2023 · 4c0d835 · 4c0d835
1 parent 5f915fd
commit 4c0d835
Show file tree

Hide file tree

Showing 8 changed files with 173 additions and 106 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -1,21 +1,24 @@
 {
-    "editor.formatOnSave": true,
-    "editor.codeActionsOnSave": {
-        "source.organizeImports": true,
-        "source.generate.finalModifiers": true,
-        "source.fixAll": true
-    },
-    "java.codeGeneration.useBlocks": true,
-    "java.saveActions.organizeImports": true,
-    "java.sources.organizeImports.starThreshold": 3,
-    "java.sources.organizeImports.staticStarThreshold": 3,
-    "java.test.config": {
-        "vmArgs": [
-            "-Djava.util.logging.config.file=src/test/resources/logging.properties"
-        ]
-    },
-    "sonarlint.connectedMode.project": {
-        "connectionId": "exasol",
-        "projectKey": "com.exasol:parquet-io-java"
-    }
-}
+  "editor.formatOnSave": true,
+  "editor.codeActionsOnSave": {
+    "source.organizeImports": true,
+    "source.generate.finalModifiers": true,
+    "source.fixAll": true
+  },
+  "java.codeGeneration.useBlocks": true,
+  "java.saveActions.organizeImports": true,
+  "java.sources.organizeImports.starThreshold": 3,
+  "java.sources.organizeImports.staticStarThreshold": 3,
+  "java.test.config": {
+    "vmArgs": [
+      "-Djava.util.logging.config.file=src/test/resources/logging.properties"
+    ]
+  },
+  "sonarlint.connectedMode.project": {
+    "connectionId": "exasol",
+    "projectKey": "com.exasol:parquet-io-java"
+  },
+  "files.watcherExclude": {
+    "**/target": true
+  }
+}
diff --git a/dependencies.md b/dependencies.md
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
diff --git a/doc/changes/changes_2.0.6.md b/doc/changes/changes_2.0.6.md
@@ -0,0 +1,27 @@
+# Parquet for Java 2.0.6, released 2023-10-24
+
+Code name: Fix CVE-2023-39410 and CVE-2023-42503
+
+## Summary
+
+This release fixes the following vulnerabilities:
+
+* CVE-2023-39410 in compile dependency `org.apache.avro:avro`
+* CVE-2023-42503 in compile dependency `org.apache.commons:commons-compress`
+
+## Security
+
+* #64: Fixed CVE-2023-39410 in `org.apache.avro:avro`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Added `org.apache.avro:avro:1.11.3`
+* Added `org.apache.commons:commons-compress:1.24.0`
+
+### Test Dependency Updates
+
+* Added `nl.jqno.equalsverifier:equalsverifier:3.15.2`
+* Updated `org.mockito:mockito-core:5.5.0` to `5.6.0`
+* Updated `org.mockito:mockito-junit-jupiter:5.5.0` to `5.6.0`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
diff --git a/pom.xml b/pom.xml
@@ -3,20 +3,20 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.exasol</groupId>
     <artifactId>parquet-io-java</artifactId>
-    <version>2.0.5</version>
+    <version>2.0.6</version>
     <name>Parquet for Java</name>
     <description>This project provides a library that reads Parquet files into Java objects.</description>
     <url>https://github.com/exasol/parquet-io-java/</url>
     <parent>
         <artifactId>parquet-io-java-generated-parent</artifactId>
         <groupId>com.exasol</groupId>
-        <version>2.0.5</version>
+        <version>2.0.6</version>
         <relativePath>pk_generated_parent.pom</relativePath>
     </parent>
     <properties>
         <scala.version>2.13.12</scala.version>
         <scala.compat.version>2.13</scala.compat.version>
-        <mockito.version>5.5.0</mockito.version>
+        <mockito.version>5.6.0</mockito.version>
     </properties>
     <dependencies>
         <dependency>
@@ -103,6 +103,18 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <!-- Upgrade transitive dependency of org.apache.hadoop:hadoop-client to fix CVE-2023-39410 -->
+            <groupId>org.apache.avro</groupId>
+            <artifactId>avro</artifactId>
+            <version>1.11.3</version>
+        </dependency>
+        <dependency>
+            <!-- Upgrade transitive dependency of org.apache.avro:avro to fix CVE-2023-42503 -->
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.24.0</version>
+        </dependency>
         <dependency>
             <groupId>org.scala-lang</groupId>
             <artifactId>scala-library</artifactId>
@@ -144,6 +156,12 @@
             <version>3.3.0-SNAP4</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>nl.jqno.equalsverifier</groupId>
+            <artifactId>equalsverifier</artifactId>
+            <version>3.15.2</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
     <build>
         <plugins>

diff --git a/src/main/java/com/exasol/parquetio/data/ChunkIntervalImpl.java b/src/main/java/com/exasol/parquetio/data/ChunkIntervalImpl.java
@@ -5,7 +5,7 @@
 /**
  * An implementation of {@link ChunkInterval} that holds {@code start} and {@code end} position of row group chunks.
  */
-public class ChunkIntervalImpl implements ChunkInterval {
+public final class ChunkIntervalImpl implements ChunkInterval {
 
     private final long start;
     private final long end;

diff --git a/src/test/java/com/exasol/parquetio/data/ChunkIntervalImplTest.java b/src/test/java/com/exasol/parquetio/data/ChunkIntervalImplTest.java
@@ -0,0 +1,12 @@
+package com.exasol.parquetio.data;
+
+import org.junit.jupiter.api.Test;
+
+import nl.jqno.equalsverifier.EqualsVerifier;
+
+class ChunkIntervalImplTest {
+    @Test
+    void verifyEqualsContract() {
+        EqualsVerifier.forClass(ChunkIntervalImpl.class).verify();
+    }
+}