From 0f27280faf9d0b35f6d484f2434085e70ba7efc9 Mon Sep 17 00:00:00 2001 From: Christoph Kuhnke Date: Tue, 24 Oct 2023 17:52:30 +0200 Subject: [PATCH] Fixed vulnerability CVE-2023-42503 (#35) * Fixed vulnerability CVE-2023-42503 * Fixed test Co-authored-by: Christoph Pirkl --- .gitattributes | 16 +++--- .github/workflows/broken_links_checker.yml | 6 +-- .github/workflows/ci-build-next-java.yml | 6 +-- .github/workflows/ci-build.yml | 12 +++-- .github/workflows/dependencies_check.yml | 8 +-- ...elease_droid_prepare_original_checksum.yml | 2 +- .../release_droid_print_quick_checksum.yml | 7 ++- .gitignore | 7 +-- dependencies.md | 54 ++++++++----------- doc/changes/changelog.md | 1 + doc/changes/changes_1.1.4.md | 36 +++++++++++++ pk_generated_parent.pom | 14 ++--- pom.xml | 46 ++++------------ .../com/exasol/bucketfs/ProcessExecutor.java | 2 +- .../bucketfs/client/DeleteCommandIT.java | 5 +- 15 files changed, 112 insertions(+), 110 deletions(-) create mode 100644 doc/changes/changes_1.1.4.md diff --git a/.gitattributes b/.gitattributes index c2a2ac8..15ea9ae 100644 --- a/.gitattributes +++ b/.gitattributes 
@@ -1,16 +1,12 @@ *.sh text eol=lf *.bat text eol=crlf - -pk_generated_parent.pom linguist-generated=true -dependencies.md linguist-generated=true -doc/changes/changelog.md linguist-generated=true - +pk_generated_parent.pom linguist-generated=true +dependencies.md linguist-generated=true +doc/changes/changelog.md linguist-generated=true .github/workflows/broken_links_checker.yml linguist-generated=true .github/workflows/ci-build-next-java.yml linguist-generated=true -.github/workflows/ci-build.yml linguist-generated=true .github/workflows/dependencies_check.yml linguist-generated=true -.github/workflows/release_droid_prepare_original_checksum.yml linguist-generated=true .github/workflows/release_droid_print_quick_checksum.yml linguist-generated=true - -.settings/org.eclipse.jdt.core.prefs linguist-generated=true -.settings/org.eclipse.jdt.ui.prefs linguist-generated=true +.github/workflows/release_droid_prepare_original_checksum.yml linguist-generated=true +.settings/org.eclipse.jdt.core.prefs linguist-generated=true +.settings/org.eclipse.jdt.ui.prefs linguist-generated=true diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml index f2079ec..82ec1cd 100644 --- a/.github/workflows/broken_links_checker.yml +++ b/.github/workflows/broken_links_checker.yml @@ -15,7 +15,7 @@ jobs: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Configure broken links checker run: | mkdir -p ./target @@ -27,6 +27,6 @@ jobs: ']}' > ./target/broken_links_checker.json - uses: gaurav-nelson/github-action-markdown-link-check@v1 with: - use-quiet-mode: 'yes' - use-verbose-mode: 'yes' + use-quiet-mode: "yes" + use-verbose-mode: "yes" config-file: ./target/broken_links_checker.json diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml index e0c15cf..7cbab08 100644 
--- a/.github/workflows/ci-build-next-java.yml +++ b/.github/workflows/ci-build-next-java.yml @@ -14,15 +14,15 @@ jobs: cancel-in-progress: true steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 17 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 17 - cache: 'maven' + cache: "maven" - name: Run tests and build with Maven run: | mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \ diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index 6e90d53..513047f 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -12,9 +12,9 @@ jobs: strategy: fail-fast: false matrix: - docker_db_version: ["7.1.22", "8.22.0"] + docker_db_version: ["7.1.23", "8.23.0"] env: - DEFAULT_DB_VERSION: "7.1.22" + DEFAULT_DB_VERSION: "8.23.0" concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.docker_db_version }} cancel-in-progress: true @@ -24,7 +24,7 @@ jobs: sudo rm -rf /usr/local/lib/android sudo rm -rf /usr/share/dotnet - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 & 17 @@ -45,7 +45,8 @@ jobs: run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties" - name: Run tests and build with Maven run: | - JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \ + JAVA_HOME=$JAVA_HOME_11_X64 \ + mvn --batch-mode clean verify \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false - name: Publish Test Report 
@@ -56,7 +57,8 @@ jobs: - name: Sonar analysis if: ${{ env.SONAR_TOKEN != null && env.DEFAULT_DB_VERSION == matrix.docker_db_version }} run: | - JAVA_HOME=$JAVA_HOME_17_X64 mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ + JAVA_HOME=$JAVA_HOME_17_X64 \ + mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \ -DtrimStackTrace=false \ -Dsonar.organization=exasol \ diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml index b2ab231..3059964 100644 --- a/.github/workflows/dependencies_check.yml +++ b/.github/workflows/dependencies_check.yml @@ -9,12 +9,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Checking dependencies for vulnerabilities - run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml \ No newline at end of file + run: mvn --batch-mode org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -f pom.xml diff --git a/.github/workflows/release_droid_prepare_original_checksum.yml b/.github/workflows/release_droid_prepare_original_checksum.yml index 0e2d3e7..aa0f78f 100644 --- a/.github/workflows/release_droid_prepare_original_checksum.yml +++ b/.github/workflows/release_droid_prepare_original_checksum.yml @@ -12,7 +12,7 @@ jobs: sudo rm -rf /usr/local/lib/android sudo rm -rf /usr/share/dotnet - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 diff --git a/.github/workflows/release_droid_print_quick_checksum.yml b/.github/workflows/release_droid_print_quick_checksum.yml index 8add957..aed4444 100644 
--- a/.github/workflows/release_droid_print_quick_checksum.yml +++ b/.github/workflows/release_droid_print_quick_checksum.yml @@ -8,17 +8,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK 11 uses: actions/setup-java@v3 with: - distribution: 'temurin' + distribution: "temurin" java-version: 11 - cache: 'maven' + cache: "maven" - name: Build with Maven skipping tests run: mvn --batch-mode clean verify -DskipTests - name: Print checksum run: echo 'checksum_start==';find target -maxdepth 1 -name *.jar -exec sha256sum "{}" + | xargs;echo '==checksum_end' - diff --git a/.gitignore b/.gitignore index 82ae8a3..7daf156 100644 --- a/.gitignore +++ b/.gitignore @@ -18,9 +18,10 @@ target dependency-reduced-pom.xml .project .classpath -.settings/org.eclipse.jdt.apt.core.prefs -.settings/org.eclipse.core.resources.prefs -.settings/org.eclipse.m2e.core.prefs +/.settings/org.eclipse.core.resources.prefs +/.settings/org.eclipse.jdt.apt.core.prefs +/.settings/org.eclipse.m2e.core.prefs +/.settings/org.sonarlint.eclipse.core.prefs pom.xml.versionsBackup ~* *.orig diff --git a/dependencies.md b/dependencies.md index 359d2ff..bd294c9 100644 --- a/dependencies.md +++ b/dependencies.md 
@@ -17,40 +17,35 @@ | [JUnit Jupiter (Aggregator)][7] | [Eclipse Public License v2.0][8] | | [JUnit Jupiter Params][7] | [Eclipse Public License v2.0][8] | | [Hamcrest][9] | [BSD License 3][10] | -| [mockito-junit-jupiter][11] | [The MIT License][12] | +| [mockito-junit-jupiter][11] | [MIT][12] | | [Test containers for Exasol on Docker][13] | [MIT License][14] | | [Testcontainers :: JUnit Jupiter Extension][15] | [MIT][16] | | [EqualsVerifier \| release normal jar][17] | [Apache License, Version 2.0][18] | | [JUnit5 System Extensions][19] | [Eclipse Public License v2.0][20] | | [junit-pioneer][21] | [Eclipse Public License v2.0][8] | -| [SLF4J JDK14 Binding][22] | [MIT License][23] | +| [SLF4J JDK14 Provider][22] | [MIT License][23] | ## Plugin Dependencies -| Dependency | License | -| ------------------------------------------------------- | --------------------------------------------- | -| [SonarQube Scanner for Maven][24] | [GNU LGPL 3][25] | -| [OpenFastTrace Maven Plugin][26] | [GNU General Public License v3.0][27] | -| [Project keeper maven plugin][28] | [The MIT License][29] | -| [Apache Maven Compiler Plugin][30] | [Apache-2.0][18] | -| [Apache Maven Enforcer Plugin][31] | [Apache-2.0][18] | -| [Maven Flatten Plugin][32] | [Apache Software Licenese][18] | -| [org.sonatype.ossindex.maven:ossindex-maven-plugin][33] | [ASL2][5] | -| [Maven Surefire Plugin][34] | [Apache-2.0][18] | -| [Versions Maven Plugin][35] | [Apache License, Version 2.0][18] | -| [duplicate-finder-maven-plugin Maven Mojo][36] | [Apache License 2.0][37] | -| [Apache Maven Assembly Plugin][38] | [Apache-2.0][18] | -| [Apache Maven JAR Plugin][39] | [Apache License, Version 2.0][18] | -| [Artifact reference checker and unifier][40] | [MIT License][41] | -| [Maven Failsafe Plugin][42] | [Apache-2.0][18] | -| [JaCoCo :: Maven Plugin][43] | [Eclipse Public License 2.0][44] | -| [error-code-crawler-maven-plugin][45] | [MIT License][46] | -| [Reproducible Build Maven Plugin][47] | [Apache 
2.0][5] | -| [Maven Clean Plugin][48] | [The Apache Software License, Version 2.0][5] | -| [Maven Resources Plugin][49] | [The Apache Software License, Version 2.0][5] | -| [Maven Install Plugin][50] | [The Apache Software License, Version 2.0][5] | -| [Maven Deploy Plugin][51] | [The Apache Software License, Version 2.0][5] | -| [Maven Site Plugin 3][52] | [The Apache Software License, Version 2.0][5] | +| Dependency | License | +| ------------------------------------------------------- | ------------------------------------- | +| [SonarQube Scanner for Maven][24] | [GNU LGPL 3][25] | +| [OpenFastTrace Maven Plugin][26] | [GNU General Public License v3.0][27] | +| [Project keeper maven plugin][28] | [The MIT License][29] | +| [Apache Maven Compiler Plugin][30] | [Apache-2.0][18] | +| [Apache Maven Enforcer Plugin][31] | [Apache-2.0][18] | +| [Maven Flatten Plugin][32] | [Apache Software Licenese][18] | +| [org.sonatype.ossindex.maven:ossindex-maven-plugin][33] | [ASL2][5] | +| [Maven Surefire Plugin][34] | [Apache-2.0][18] | +| [Versions Maven Plugin][35] | [Apache License, Version 2.0][18] | +| [duplicate-finder-maven-plugin Maven Mojo][36] | [Apache License 2.0][37] | +| [Apache Maven Assembly Plugin][38] | [Apache-2.0][18] | +| [Apache Maven JAR Plugin][39] | [Apache License, Version 2.0][18] | +| [Artifact reference checker and unifier][40] | [MIT License][41] | +| [Maven Failsafe Plugin][42] | [Apache-2.0][18] | +| [JaCoCo :: Maven Plugin][43] | [Eclipse Public License 2.0][44] | +| [error-code-crawler-maven-plugin][45] | [MIT License][46] | +| [Reproducible Build Maven Plugin][47] | [Apache 2.0][5] | [0]: https://github.com/exasol/bucketfs-java/ [1]: https://github.com/exasol/bucketfs-java/blob/main/LICENSE 
@@ -88,7 +83,7 @@
[33]: https://sonatype.github.io/ossindex-maven/maven-plugin/
[34]: https://maven.apache.org/surefire/maven-surefire-plugin/
[35]: https://www.mojohaus.org/versions/versions-maven-plugin/
-[36]: https://github.com/basepom/duplicate-finder-maven-plugin
+[36]: https://basepom.github.io/duplicate-finder-maven-plugin
[37]: http://www.apache.org/licenses/LICENSE-2.0.html
[38]: https://maven.apache.org/plugins/maven-assembly-plugin/
[39]: https://maven.apache.org/plugins/maven-jar-plugin/
@@ -100,8 +95,3 @@
[45]: https://github.com/exasol/error-code-crawler-maven-plugin/
[46]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
[47]: http://zlika.github.io/reproducible-build-maven-plugin
-[48]: http://maven.apache.org/plugins/maven-clean-plugin/
-[49]: http://maven.apache.org/plugins/maven-resources-plugin/
-[50]: http://maven.apache.org/plugins/maven-install-plugin/
-[51]: http://maven.apache.org/plugins/maven-deploy-plugin/
-[52]: http://maven.apache.org/plugins/maven-site-plugin/
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index 3715fa0..1300747 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
# Changes
+* [1.1.4](changes_1.1.4.md)
* [1.1.3](changes_1.1.3.md)
* [1.1.2](changes_1.1.2.md)
* [1.1.1](changes_1.1.1.md)
diff --git a/doc/changes/changes_1.1.4.md b/doc/changes/changes_1.1.4.md
new file mode 100644
index 0000000..080aa68
--- /dev/null
+++ b/doc/changes/changes_1.1.4.md
@@ -0,0 +1,36 @@
+# Bucketfs Client 1.1.4, released 2023-10-25
+
+Code name: Dependency Upgrade
+
+## Summary
+
+This release fixes vulnerability CVE-2023-42503 in transitive test dependency to `org.apache.commons:commons-compress` via `exasol-testcontainers` by updating dependencies.
+
+## Security
+
+* #34: Fixed vulnerability CVE-2023-42503 in test dependency `org.apache.commons:commons-compress`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `com.exasol:bucketfs-java:3.1.0` to `3.1.1`
+
+### Test Dependency Updates
+
+* Updated `com.exasol:exasol-testcontainers:6.6.1` to `6.6.2`
+* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.1` to `3.15.2`
+* Updated `org.junit-pioneer:junit-pioneer:2.0.1` to `2.1.0`
+* Updated `org.mockito:mockito-junit-jupiter:5.5.0` to `5.6.0`
+* Updated `org.slf4j:slf4j-jdk14:2.0.7` to `2.0.9`
+* Updated `org.testcontainers:junit-jupiter:1.19.0` to `1.19.1`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:1.3.0` to `1.3.1`
+* Updated `com.exasol:project-keeper-maven-plugin:2.9.11` to `2.9.14`
+* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.4.0` to `3.4.1`
+* Updated `org.basepom.maven:duplicate-finder-maven-plugin:1.5.1` to `2.0.1`
+* Updated `org.codehaus.mojo:versions-maven-plugin:2.16.0` to `2.16.1`
+* Updated `org.jacoco:jacoco-maven-plugin:0.8.10` to `0.8.11`
+* Updated `org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184` to `3.10.0.2594`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index 74d823c..d018900 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@
4.0.0 com.exasol bucketfs-client-generated-parent - 1.1.3 + 1.1.4 pom UTF-8
@@ -37,7 +37,7 @@
org.sonarsource.scanner.maven sonar-maven-plugin - 3.9.1.2184 + 3.10.0.2594 org.apache.maven.plugins
@@ -51,7 +51,7 @@
org.apache.maven.plugins maven-enforcer-plugin - 3.4.0 + 3.4.1 enforce-maven
@@ -61,7 +61,7 @@
- [3.8.7,3.9.0) + 3.6.3
@@ -121,7 +121,7 @@ org.codehaus.mojo versions-maven-plugin - 2.16.0 + 2.16.1 display-updates @@ -235,7 +235,7 @@ org.jacoco jacoco-maven-plugin - 0.8.10 + 0.8.11 prepare-agent @@ -276,7 +276,7 @@ com.exasol error-code-crawler-maven-plugin - 1.3.0 + 1.3.1 verify diff --git a/pom.xml b/pom.xml index c44407e..f47debd 100644 --- a/pom.xml +++ b/pom.xml @@ -2,7 +2,7 @@ 4.0.0 bucketfs-client - 1.1.3 + 1.1.4 Command line client for BucketFS https://github.com/exasol/bucketfs-client/ @@ -27,7 +27,7 @@ com.exasol bucketfs-java - 3.1.0 + 3.1.1 com.exasol @@ -66,25 +66,25 @@ org.mockito mockito-junit-jupiter - 5.5.0 + 5.6.0 test com.exasol exasol-testcontainers - 6.6.1 + 6.6.2 test org.testcontainers junit-jupiter - 1.19.0 + 1.19.1 test nl.jqno.equalsverifier equalsverifier - 3.15.1 + 3.15.2 test @@ -96,14 +96,14 @@ org.junit-pioneer junit-pioneer - 2.0.1 + 2.1.0 test org.slf4j slf4j-jdk14 - 2.0.7 + 2.0.9 test @@ -134,7 +134,7 @@ com.exasol project-keeper-maven-plugin - 2.9.11 + 2.9.14 @@ -172,38 +172,12 @@ - - org.basepom.maven - duplicate-finder-maven-plugin - 1.5.1 - - - default - verify - - check - - - - - true - true - true - true - true - true - false - true - true - false - - bucketfs-client-generated-parent com.exasol - 1.1.3 + 1.1.4 pk_generated_parent.pom diff --git a/src/test/java/com/exasol/bucketfs/ProcessExecutor.java b/src/test/java/com/exasol/bucketfs/ProcessExecutor.java index a6fdbe2..8fc3ebb 100644 --- a/src/test/java/com/exasol/bucketfs/ProcessExecutor.java +++ b/src/test/java/com/exasol/bucketfs/ProcessExecutor.java @@ -19,7 +19,7 @@ public class ProcessExecutor { /** Name of the JAR file */ - public static final String JAR_NAME = "bfsc-1.1.3.jar"; + public static final String JAR_NAME = "bfsc-1.1.4.jar"; /** * Create a {@link ProcessExecutor} for the jar built by for the current projects. The Jar file must be built before 
diff --git a/src/test/java/com/exasol/bucketfs/client/DeleteCommandIT.java b/src/test/java/com/exasol/bucketfs/client/DeleteCommandIT.java index 5b653ba..92c40be 100644 --- a/src/test/java/com/exasol/bucketfs/client/DeleteCommandIT.java +++ b/src/test/java/com/exasol/bucketfs/client/DeleteCommandIT.java @@ -37,7 +37,10 @@ void testFileInRoot() throws Exception { @Test void testFileInDirectory() throws Exception { - SETUP.createRemoteFiles("folder/delete.txt"); + // "aa.txt" in same folder ensures folder to still be observable after + // file "delete.txt" has been deleted. Otherwise folder would no longer be observable + // as BucketFS only manages a list of flat file paths but not a hierarchy of folders and files. + SETUP.createRemoteFiles("folder/delete.txt", "folder/aa.txt"); verifyDelete("folder/delete.txt"); }
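Review bot: The new sibling file `folder/aa.txt` is created so the folder stays observable, but nothing in testFileInDirectory asserts that it survives the delete; if verifyDelete only checks that `folder/delete.txt` is gone (its body lies outside this hunk), a delete that removed the whole folder would still pass. Add a check after `verifyDelete("folder/delete.txt");` that `folder/aa.txt` is still present, using the same listing helper verifyDelete relies on. The added comment could also be tightened to `// A sibling file keeps "folder" observable after "delete.txt" is removed: BucketFS only manages a flat list of file paths, not a hierarchy of folders and files.`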