#135: Fix CVE-2023-43642, CVE-2023-42503 & CVE-2023-4759 (#136)

.github/workflows/ci-build.yml

@@ -8,13 +8,13 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
       cancel-in-progress: true
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11 & 17
@@ -57,7 +57,10 @@ jobs:
           echo "owner = ${{ secrets.AWS_TAG_OWNER }}" > test_config.properties
           echo "s3CacheBucket = persistent-s3-vs-test-file-cache" >> test_config.properties
       - name: Run tests and build with Maven
-        run: JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify -DtrimStackTrace=false
+        run: |
+          JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \
+              -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
+              -DtrimStackTrace=false
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -77,10 +80,11 @@ jobs:
         if: ${{ env.SONAR_TOKEN != null }}
         run: |
           JAVA_HOME=$JAVA_HOME_17_X64 mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
+              -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
               -DtrimStackTrace=false \
               -Dsonar.organization=exasol \
               -Dsonar.host.url=https://sonarcloud.io \
-              -Dsonar.login=$SONAR_TOKEN
+              -Dsonar.token=$SONAR_TOKEN
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/ci_isolation_ci_build.yml

@@ -8,14 +8,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
       - name: Run tests and build with Maven
-        run: mvn --batch-mode --update-snapshots clean verify --file ci-isolation/pom.xml -DtrimStackTrace=false
+        run: mvn --batch-mode --update-snapshots clean verify --file ci-isolation/pom.xml -DtrimStackTrace=false

.github/workflows/manual_run_regression_tests.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Print tag name
         run: echo ${{ github.event.release.tag_name }}
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11

.github/workflows/release_droid_prepare_original_checksum.yml

@@ -5,10 +5,10 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11

.github/workflows/release_droid_upload_github_release_assets.yml

@@ -4,23 +4,23 @@ on:
   workflow_dispatch:
     inputs:
       upload_url:
-        description: 'Assets upload URL'
+        description: "Assets upload URL"
         required: true
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
       - name: Build with Maven skipping tests
         run: mvn --batch-mode clean verify -DskipTests
       - name: Generate sha256sum files

.project-keeper.yml

@@ -10,7 +10,6 @@ sources:
 version:
   fromSource: pom.xml
 linkReplacements:
-  - https://netty.io/netty-codec/|https://netty.io/
 excludes:
   - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'"
   - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'"

doc/changes/changes_2.8.1.md

@@ -1,9 +1,21 @@
-# S3 Document Files Virtual Schema 2.8.1, released 2023-??-??
+# S3 Document Files Virtual Schema 2.8.1, released 2023-09-28
 
-Code name:
+Code name: Fix vulnerabilities in dependencies
 
 ## Summary
 
+This release fixes the following vulnerabilities in dependencies:
+
+* `org.apache.commons:commons-compress:compile`: CVE-2023-42503 CWE-20: Improper Input Validation (5.5)
+* `org.xerial.snappy:snappy-java:compile`: CVE-2023-43642 CWE-770: Allocation of Resources Without Limits or Throttling (7.5)
+* `org.eclipse.jgit:org.eclipse.jgit:test`: CVE-2023-4759: CWE-178: Improper Handling of Case Sensitivity (8.8)
+
+**Known issue:** Transitive dependency `io.netty:netty-handler` of `software.amazon.awssdk:s3` contains vulnerability CVE-2023-4586 (CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') (6.5)). We assume that the AWS client's usage of `netty-handler` is not affected by the vulnerability.
+
+## Security
+
+* #135: Fix vulnerabilities in dependencies
+
 ## Documentation
 
 * #132: Fixed wording in hands-on-guide for MinIO
@@ -12,7 +24,32 @@ Code name:
 
 ### Virtual Schema for Document Data in Files on AWS S3
 
+#### Compile Dependency Updates
+
+* Updated `com.exasol:virtual-schema-common-document-files:7.3.3` to `7.3.4`
+* Updated `software.amazon.awssdk:s3:2.20.122` to `2.20.156`
+
+#### Runtime Dependency Updates
+
+* Updated `org.slf4j:slf4j-jdk14:2.0.7` to `2.0.9`
+
+#### Test Dependency Updates
+
+* Updated `com.amazonaws:aws-java-sdk-s3:1.12.525` to `1.12.559`
+* Updated `com.exasol:exasol-test-setup-abstraction-java:2.0.2` to `2.0.4`
+* Updated `com.exasol:extension-manager-integration-test-java:0.5.0` to `0.5.1`
+* Updated `com.exasol:hamcrest-resultset-matcher:1.6.0` to `1.6.1`
+* Updated `com.exasol:java-class-list-verifier:0.2.4` to `0.2.5`
+* Updated `com.exasol:performance-test-recorder-java:0.1.2` to `0.1.3`
+* Updated `com.exasol:test-db-builder-java:3.4.2` to `3.5.1`
+* Updated `com.exasol:udf-debugging-java:0.6.10` to `0.6.11`
+* Updated `com.exasol:virtual-schema-common-document-files:7.3.3` to `7.3.4`
+* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.1` to `3.15.2`
+* Updated `org.mockito:mockito-core:5.4.0` to `5.5.0`
+* Updated `org.testcontainers:junit-jupiter:1.18.3` to `1.19.0`
+* Updated `org.testcontainers:localstack:1.18.3` to `1.19.0`
+
 #### Plugin Dependency Updates
 
-* Updated `com.exasol:project-keeper-maven-plugin:2.9.10` to `2.9.11`
+* Updated `com.exasol:project-keeper-maven-plugin:2.9.10` to `2.9.12`
 * Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.3.0` to `3.4.0`

doc/hands_on/hands_on.md

@@ -62,7 +62,7 @@ For the document Virtual Schemas, and by that also the S3 Virtual Schema, this i
 To install the Virtual Schema adapter, download its latest jar from the [releases](https://github.com/exasol/s3-document-files-virtual-schema/releases) and upload to BucketFS:
 
 ``` shell script
-curl -I -X PUT -T document-files-virtual-schema-dist-7.3.3-s3-2.8.1.jar http://w:writepw@<YOUR_DB_IP>:2580/default/
+curl -I -X PUT -T document-files-virtual-schema-dist-7.3.4-s3-2.8.1.jar http://w:writepw@<YOUR_DB_IP>:2580/default/
 ```
 
 (If you have never used BucketFS, you can check out [its documentation](https://docs.exasol.com/database_concepts/bucketfs/bucketfs.htm))
@@ -75,7 +75,7 @@ CREATE SCHEMA ADAPTER;
 --/
 CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.S3_FILES_ADAPTER AS
     %scriptclass com.exasol.adapter.RequestDispatcher;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.3-s3-2.8.1.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.4-s3-2.8.1.jar;
 /
 
 --/
@@ -85,7 +85,7 @@ CREATE OR REPLACE JAVA SET SCRIPT ADAPTER.IMPORT_FROM_S3_DOCUMENT_FILES(
   CONNECTION_NAME VARCHAR(500))
   EMITS(...) AS
     %scriptclass com.exasol.adapter.document.UdfEntryPoint;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.3-s3-2.8.1.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.4-s3-2.8.1.jar;
 /
 ```
 

doc/hands_on/hands_on_parquet.md

@@ -47,7 +47,7 @@ For the document Virtual Schemas, and by that also the S3 Virtual Schema, this i
 To install the Virtual Schema adapter, download its latest jar from the [releases](https://github.com/exasol/s3-document-files-virtual-schema/releases) and upload to BucketFS:
 
 ``` shell script
-curl -I -X PUT -T document-files-virtual-schema-dist-7.3.3-s3-2.8.1.jar http://w:writepw@<YOUR_DB_IP>:2580/default/
+curl -I -X PUT -T document-files-virtual-schema-dist-7.3.4-s3-2.8.1.jar http://w:writepw@<YOUR_DB_IP>:2580/default/
 ```
 
 (If you have never used BucketFS, you can check out [its documentation](https://docs.exasol.com/database_concepts/bucketfs/bucketfs.htm))
@@ -59,7 +59,7 @@ CREATE SCHEMA ADAPTER;
 
 CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.S3_FILES_ADAPTER AS
     %scriptclass com.exasol.adapter.RequestDispatcher;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.3-s3-2.8.1.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.4-s3-2.8.1.jar;
 /
 
 CREATE OR REPLACE JAVA SET SCRIPT ADAPTER.IMPORT_FROM_S3_DOCUMENT_FILES(
@@ -68,7 +68,7 @@ CREATE OR REPLACE JAVA SET SCRIPT ADAPTER.IMPORT_FROM_S3_DOCUMENT_FILES(
   CONNECTION_NAME VARCHAR(500))
   EMITS(...) AS
     %scriptclass com.exasol.adapter.document.UdfEntryPoint;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.3-s3-2.8.1.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.4-s3-2.8.1.jar;
 /
 ```
 

doc/user_guide/user_guide.md

@@ -17,7 +17,7 @@ Next create the Adapter Script:
 ```sql
 CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.S3_FILES_ADAPTER AS
     %scriptclass com.exasol.adapter.RequestDispatcher;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.3-s3-2.8.1.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.4-s3-2.8.1.jar;
 /
 ```
 
@@ -30,7 +30,7 @@ CREATE OR REPLACE JAVA SET SCRIPT ADAPTER.IMPORT_FROM_S3_DOCUMENT_FILES(
   CONNECTION_NAME VARCHAR(500))
   EMITS(...) AS
     %scriptclass com.exasol.adapter.document.UdfEntryPoint;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.3-s3-2.8.1.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.4-s3-2.8.1.jar;
 /
 ```
 
@@ -126,7 +126,7 @@ In DbVisualizer use exactly this command:
 --/
 CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.S3_FILES_ADAPTER AS
    %scriptclass com.exasol.adapter.RequestDispatcher;
-   %jar /buckets/bfsdefault/default/vs/document-files-virtual-schema-dist-7.3.3-s3-2.8.1.jar;
+   %jar /buckets/bfsdefault/default/vs/document-files-virtual-schema-dist-7.3.4-s3-2.8.1.jar;
 /
 ```
 

extension/src/addInstance.ts

@@ -1,7 +1,7 @@
 import { Context, Instance, ParameterValues } from "@exasol/extension-manager-interface";
 import { Parameter } from "@exasol/extension-manager-interface/dist/parameters";
-import { ADAPTER_SCRIPT_NAME, convertSchemaNameToInstanceId, ExtensionInfo, getConnectionName } from "./common";
-import { getAllParameterDefinitions, ScopedParameter } from "./parameterDefinitions";
+import { ADAPTER_SCRIPT_NAME, EXTENSION_NAME, ExtensionInfo, convertSchemaNameToInstanceId, getConnectionName } from "./common";
+import { ScopedParameter, getAllParameterDefinitions } from "./parameterDefinitions";
 
 
 export function addInstance(context: Context, extensionInfo: ExtensionInfo, versionToInstall: string, paramValues: ParameterValues): Instance {
@@ -16,7 +16,7 @@ export function addInstance(context: Context, extensionInfo: ExtensionInfo, vers
     context.sqlClient.execute(createConnectionStatement(connectionName, paramValues));
     context.sqlClient.execute(createVirtualSchemaStatement(virtualSchemaName, context.extensionSchemaName, connectionName, mapping));
 
-    const comment = `Created by extension manager for S3 virtual schema ${escapeSingleQuotes(virtualSchemaName)}`;
+    const comment = `Created by Extension Manager for ${EXTENSION_NAME} ${escapeSingleQuotes(virtualSchemaName)}`;
     context.sqlClient.execute(`COMMENT ON CONNECTION "${connectionName}" IS '${comment}'`);
     context.sqlClient.execute(`COMMENT ON SCHEMA "${virtualSchemaName}" IS '${comment}'`);
     return { id: convertSchemaNameToInstanceId(virtualSchemaName), name: virtualSchemaName }

extension/src/common.ts

@@ -1,6 +1,7 @@
 
 export const ADAPTER_SCRIPT_NAME = "S3_FILES_ADAPTER";
 export const IMPORT_SCRIPT_NAME = "IMPORT_FROM_S3_DOCUMENT_FILES";
+export const EXTENSION_NAME = "S3 Virtual Schema";
 
 export interface ExtensionInfo {
     version: string;