#24: Excluded vulnerable transitive dependency (#25)

Fixes #24
exasol · Aug 5, 2021 · e879893 · e879893
1 parent 3a4b889
commit e879893
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 68 deletions.
diff --git a/dependencies.md b/dependencies.md
@@ -8,85 +8,87 @@
 | [Apache Parquet Hadoop][0]                 | [The Apache Software License, Version 2.0][1] |
 | Apache Hadoop Client Aggregator            | [Apache License, Version 2.0][2]              |
 | [Guava: Google Core Libraries for Java][3] | [Apache License, Version 2.0][1]              |
-| [Scala Library][5]                         | [Apache-2.0][6]                               |
+| [Apache Commons Compress][5]               | [Apache License, Version 2.0][2]              |
+| [Scala Library][7]                         | [Apache-2.0][8]                               |
 
 ## Test Dependencies
 
 | Dependency                      | License                                   |
 | ------------------------------- | ----------------------------------------- |
-| [JUnit Jupiter (Aggregator)][7] | [Eclipse Public License v2.0][8]          |
-| [mockito-core][9]               | [The MIT License][10]                     |
-| [mockito-junit-jupiter][9]      | [The MIT License][10]                     |
-| [Hamcrest][13]                  | [BSD License 3][14]                       |
-| [scalatest][15]                 | [the Apache License, ASL Version 2.0][16] |
+| [JUnit Jupiter (Aggregator)][9] | [Eclipse Public License v2.0][10]         |
+| [mockito-core][11]              | [The MIT License][12]                     |
+| [mockito-junit-jupiter][11]     | [The MIT License][12]                     |
+| [Hamcrest][15]                  | [BSD License 3][16]                       |
+| [scalatest][17]                 | [the Apache License, ASL Version 2.0][18] |
 
 ## Plugin Dependencies
 
 | Dependency                                              | License                                   |
 | ------------------------------------------------------- | ----------------------------------------- |
-| [scala-maven-plugin][17]                                | [Public domain (Unlicense)][18]           |
-| [Apache Maven Compiler Plugin][19]                      | [Apache License, Version 2.0][2]          |
-| [Maven Surefire Plugin][21]                             | [Apache License, Version 2.0][2]          |
-| [ScalaTest Maven Plugin][23]                            | [the Apache License, ASL Version 2.0][16] |
-| [Apache Maven Assembly Plugin][25]                      | [Apache License, Version 2.0][2]          |
-| [JaCoCo :: Maven Plugin][27]                            | [Eclipse Public License 2.0][28]          |
-| [Versions Maven Plugin][29]                             | [Apache License, Version 2.0][2]          |
-| [org.sonatype.ossindex.maven:ossindex-maven-plugin][31] | [ASL2][1]                                 |
-| [Apache Maven Enforcer Plugin][33]                      | [Apache License, Version 2.0][2]          |
-| [OpenFastTrace Maven Plugin][35]                        | [GNU General Public License v3.0][36]     |
-| [Maven Failsafe Plugin][37]                             | [Apache License, Version 2.0][2]          |
-| [Apache Maven GPG Plugin][39]                           | [Apache License, Version 2.0][2]          |
-| [Apache Maven Deploy Plugin][41]                        | [Apache License, Version 2.0][2]          |
-| [Nexus Staging Maven Plugin][43]                        | [Eclipse Public License][44]              |
-| [Apache Maven Source Plugin][45]                        | [Apache License, Version 2.0][2]          |
-| [Apache Maven Javadoc Plugin][47]                       | [Apache License, Version 2.0][2]          |
-| [Reproducible Build Maven Plugin][49]                   | [Apache 2.0][1]                           |
-| [Project keeper maven plugin][51]                       | [MIT][52]                                 |
-| [Apache Maven Clean Plugin][53]                         | [Apache License, Version 2.0][2]          |
-| [Apache Maven Resources Plugin][55]                     | [Apache License, Version 2.0][2]          |
-| [Apache Maven JAR Plugin][57]                           | [Apache License, Version 2.0][2]          |
-| [Apache Maven Install Plugin][59]                       | [Apache License, Version 2.0][1]          |
-| [Apache Maven Site Plugin][61]                          | [Apache License, Version 2.0][2]          |
+| [scala-maven-plugin][19]                                | [Public domain (Unlicense)][20]           |
+| [Apache Maven Compiler Plugin][21]                      | [Apache License, Version 2.0][2]          |
+| [Maven Surefire Plugin][23]                             | [Apache License, Version 2.0][2]          |
+| [ScalaTest Maven Plugin][25]                            | [the Apache License, ASL Version 2.0][18] |
+| [Apache Maven Assembly Plugin][27]                      | [Apache License, Version 2.0][2]          |
+| [JaCoCo :: Maven Plugin][29]                            | [Eclipse Public License 2.0][30]          |
+| [Versions Maven Plugin][31]                             | [Apache License, Version 2.0][2]          |
+| [org.sonatype.ossindex.maven:ossindex-maven-plugin][33] | [ASL2][1]                                 |
+| [Apache Maven Enforcer Plugin][35]                      | [Apache License, Version 2.0][2]          |
+| [OpenFastTrace Maven Plugin][37]                        | [GNU General Public License v3.0][38]     |
+| [Maven Failsafe Plugin][39]                             | [Apache License, Version 2.0][2]          |
+| [Apache Maven GPG Plugin][41]                           | [Apache License, Version 2.0][2]          |
+| [Apache Maven Deploy Plugin][43]                        | [Apache License, Version 2.0][2]          |
+| [Nexus Staging Maven Plugin][45]                        | [Eclipse Public License][46]              |
+| [Apache Maven Source Plugin][47]                        | [Apache License, Version 2.0][2]          |
+| [Apache Maven Javadoc Plugin][49]                       | [Apache License, Version 2.0][2]          |
+| [Reproducible Build Maven Plugin][51]                   | [Apache 2.0][1]                           |
+| [Project keeper maven plugin][53]                       | [MIT][54]                                 |
+| [Apache Maven Clean Plugin][55]                         | [Apache License, Version 2.0][2]          |
+| [Apache Maven Resources Plugin][57]                     | [Apache License, Version 2.0][2]          |
+| [Apache Maven JAR Plugin][59]                           | [Apache License, Version 2.0][2]          |
+| [Apache Maven Install Plugin][61]                       | [Apache License, Version 2.0][1]          |
+| [Apache Maven Site Plugin][63]                          | [Apache License, Version 2.0][2]          |
 
-[51]: https://github.com/exasol/project-keeper-maven-plugin
-[16]: http://www.apache.org/licenses/LICENSE-2.0
+[53]: https://github.com/exasol/project-keeper-maven-plugin
+[18]: http://www.apache.org/licenses/LICENSE-2.0
 [1]: http://www.apache.org/licenses/LICENSE-2.0.txt
 [3]: https://github.com/google/guava
-[21]: https://maven.apache.org/surefire/maven-surefire-plugin/
-[43]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
-[15]: http://www.scalatest.org
-[9]: https://github.com/mockito/mockito
-[37]: https://maven.apache.org/surefire/maven-failsafe-plugin/
-[52]: https://opensource.org/licenses/MIT
-[29]: http://www.mojohaus.org/versions-maven-plugin/
-[14]: http://opensource.org/licenses/BSD-3-Clause
-[19]: https://maven.apache.org/plugins/maven-compiler-plugin/
-[55]: https://maven.apache.org/plugins/maven-resources-plugin/
-[35]: https://github.com/itsallcode/openfasttrace-maven-plugin
-[53]: https://maven.apache.org/plugins/maven-clean-plugin/
-[28]: https://www.eclipse.org/legal/epl-2.0/
-[5]: https://www.scala-lang.org/
-[41]: https://maven.apache.org/plugins/maven-deploy-plugin/
-[44]: http://www.eclipse.org/legal/epl-v10.html
-[18]: http://unlicense.org/
-[6]: https://www.apache.org/licenses/LICENSE-2.0
-[23]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin
-[27]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
-[10]: https://github.com/mockito/mockito/blob/main/LICENSE
-[49]: http://zlika.github.io/reproducible-build-maven-plugin
-[61]: https://maven.apache.org/plugins/maven-site-plugin/
-[36]: https://www.gnu.org/licenses/gpl-3.0.html
+[23]: https://maven.apache.org/surefire/maven-surefire-plugin/
+[45]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
+[17]: http://www.scalatest.org
+[11]: https://github.com/mockito/mockito
+[39]: https://maven.apache.org/surefire/maven-failsafe-plugin/
+[54]: https://opensource.org/licenses/MIT
+[5]: https://commons.apache.org/proper/commons-compress/
+[31]: http://www.mojohaus.org/versions-maven-plugin/
+[16]: http://opensource.org/licenses/BSD-3-Clause
+[21]: https://maven.apache.org/plugins/maven-compiler-plugin/
+[57]: https://maven.apache.org/plugins/maven-resources-plugin/
+[37]: https://github.com/itsallcode/openfasttrace-maven-plugin
+[55]: https://maven.apache.org/plugins/maven-clean-plugin/
+[30]: https://www.eclipse.org/legal/epl-2.0/
+[7]: https://www.scala-lang.org/
+[43]: https://maven.apache.org/plugins/maven-deploy-plugin/
+[46]: http://www.eclipse.org/legal/epl-v10.html
+[20]: http://unlicense.org/
+[8]: https://www.apache.org/licenses/LICENSE-2.0
+[25]: https://www.scalatest.org/user_guide/using_the_scalatest_maven_plugin
+[29]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
+[12]: https://github.com/mockito/mockito/blob/main/LICENSE
+[51]: http://zlika.github.io/reproducible-build-maven-plugin
+[63]: https://maven.apache.org/plugins/maven-site-plugin/
+[38]: https://www.gnu.org/licenses/gpl-3.0.html
 [0]: https://parquet.apache.org
 [2]: https://www.apache.org/licenses/LICENSE-2.0.txt
-[33]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
-[8]: https://www.eclipse.org/legal/epl-v20.html
-[59]: http://maven.apache.org/plugins/maven-install-plugin/
-[7]: https://junit.org/junit5/
-[31]: https://sonatype.github.io/ossindex-maven/maven-plugin/
-[39]: https://maven.apache.org/plugins/maven-gpg-plugin/
-[17]: http://github.com/davidB/scala-maven-plugin
-[45]: https://maven.apache.org/plugins/maven-source-plugin/
-[13]: http://hamcrest.org/JavaHamcrest/
-[47]: https://maven.apache.org/plugins/maven-javadoc-plugin/
-[57]: https://maven.apache.org/plugins/maven-jar-plugin/
-[25]: https://maven.apache.org/plugins/maven-assembly-plugin/
+[35]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
+[10]: https://www.eclipse.org/legal/epl-v20.html
+[61]: http://maven.apache.org/plugins/maven-install-plugin/
+[9]: https://junit.org/junit5/
+[33]: https://sonatype.github.io/ossindex-maven/maven-plugin/
+[41]: https://maven.apache.org/plugins/maven-gpg-plugin/
+[19]: http://github.com/davidB/scala-maven-plugin
+[47]: https://maven.apache.org/plugins/maven-source-plugin/
+[15]: http://hamcrest.org/JavaHamcrest/
+[49]: https://maven.apache.org/plugins/maven-javadoc-plugin/
+[59]: https://maven.apache.org/plugins/maven-jar-plugin/
+[27]: https://maven.apache.org/plugins/maven-assembly-plugin/
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
 # Changes
 
+* [1.0.3](changes_1.0.3.md)
 * [1.0.2](changes_1.0.2.md)
 * [1.0.1](changes_1.0.1.md)
 * [1.0.0](changes_1.0.0.md)
diff --git a/doc/changes/changes_1.0.3.md b/doc/changes/changes_1.0.3.md
@@ -0,0 +1,17 @@
+# Parquet for Java 1.0.3, released 2021-08-05
+
+Code name: Excluded vulnerable dependency
+
+## Summary
+
+This releases excludes a vulnerable (CVE-2021-35516, CVE-2021-35515, CVE-2021-35517, CVE-2021-36090) transitive dependency and adds updated version of it.
+
+## Refactoring
+
+* #24: Excluded older version of commons-compress which included vulnerabilities
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Added `org.apache.commons:commons-compress:1.21`
diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.exasol</groupId>
     <artifactId>parquet-io-java</artifactId>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <name>Parquet for Java</name>
     <description>This project provides a library that reads Parquet files into Java objects.</description>
     <url>https://github.com/exasol/parquet-io-java</url>
@@ -77,6 +77,10 @@
                     <groupId>org.apache.httpcomponents</groupId>
                     <artifactId>httpclient</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-compress</artifactId>
+                </exclusion>
                 <exclusion>
                     <groupId>com.fasterxml.jackson.core</groupId>
                     <artifactId>jackson-databind</artifactId>
@@ -101,6 +105,12 @@
             <artifactId>guava</artifactId>
             <version>30.1.1-jre</version>
         </dependency>
+        <!-- Adding updated version of commons-compress without vulnerabilities. -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.21</version>
+        </dependency>
         <dependency>
             <groupId>org.scala-lang</groupId>
             <artifactId>scala-library</artifactId>