#43: Fix vulnerability in io.projectreactor.netty:reactor-netty-http (

#44)

.github/workflows/ci-build.yml

@@ -1,5 +1,4 @@
 name: CI Build
-
 on:
   push:
     branches:
@@ -10,8 +9,14 @@ jobs:
   build:
     runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
     concurrency:
-      group: ${{ github.workflow }}-${{ github.ref }}
+      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.exasol_db_version }}
       cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        exasol_db_version: ["7.1.24"]
+    env:
+      DEFAULT_EXASOL_DB_VERSION: "7.1.24"
     steps:
       - name: Checkout the repository
         uses: actions/checkout@v4
@@ -31,6 +36,8 @@ jobs:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
+      - name: Enable testcontainer reuse
+        run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
       - name: Write ADLSG2 accountkey file
         run: |
           echo "$ACCOUNTKEY" > accountkey.txt
@@ -45,14 +52,15 @@ jobs:
         run: |
           JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \
               -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
-              -DtrimStackTrace=false
+              -DtrimStackTrace=false \
+              -Dcom.exasol.dockerdb.image=${{ matrix.exasol_db_version }}
       - name: Publish Test Report
         uses: scacap/action-surefire-report@v1
         if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }}
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Sonar analysis
-        if: ${{ env.SONAR_TOKEN != null }}
+        if: ${{ env.SONAR_TOKEN != null && matrix.exasol_db_version == env.DEFAULT_EXASOL_DB_VERSION }}
         run: |
           JAVA_HOME=$JAVA_HOME_17_X64 mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
               -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \

.project-keeper.yml

@@ -9,3 +9,8 @@ linkReplacements:
 excludes:
   - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'"
   - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'"
+build:
+  runnerOs: ubuntu-20.04
+  freeDiskSpace: false
+  exasolDbVersions:
+    - "7.1.24"

doc/changes/changes_1.4.5.md

@@ -0,0 +1,38 @@
+# Virtual Schema for Document Data in Files on Azure Data Lake Storage Gen 2 1.4.5, released 2023-11-22
+
+Code name: Fix CVE-2023-34062 in `io.projectreactor.netty:reactor-netty-http`
+
+## Summary
+
+This release fixes CVE-2023-34062 (CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (7.5)) in compile dependency `io.projectreactor.netty:reactor-netty-http`.
+
+## Security
+
+* #43: Fix CVE-2023-34062 in `io.projectreactor.netty:reactor-netty-http`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `com.azure:azure-core:1.44.1` to `1.45.0`
+* Updated `com.azure:azure-identity:1.10.4` to `1.11.0`
+* Updated `com.azure:azure-storage-file-datalake:12.17.0` to `12.18.0`
+* Updated `com.exasol:virtual-schema-common-document-files:7.3.5` to `7.3.6`
+* Added `io.projectreactor.netty:reactor-netty-http:1.0.39`
+
+### Test Dependency Updates
+
+* Updated `com.exasol:exasol-test-setup-abstraction-java:2.0.4` to `2.1.0`
+* Updated `com.exasol:hamcrest-resultset-matcher:1.6.1` to `1.6.3`
+* Updated `com.exasol:test-db-builder-java:3.5.1` to `3.5.2`
+* Updated `com.exasol:virtual-schema-common-document-files:7.3.5` to `7.3.6`
+* Updated `nl.jqno.equalsverifier:equalsverifier:3.15.2` to `3.15.3`
+* Updated `org.junit.jupiter:junit-jupiter-params:5.10.0` to `5.10.1`
+* Updated `org.mockito:mockito-core:5.6.0` to `5.7.0`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:project-keeper-maven-plugin:2.9.14` to `2.9.16`
+* Updated `org.apache.maven.plugins:maven-dependency-plugin:3.6.0` to `3.6.1`
+* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.1.2` to `3.2.2`
+* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.1.2` to `3.2.2`

doc/user_guide/user_guide.md

@@ -17,7 +17,7 @@ Next create the Adapter Script:
  ```sql
 CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.AZURE_DATALAKE_STORAGE_GEN2_FILES_ADAPTER AS
     %scriptclass com.exasol.adapter.RequestDispatcher;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.5-azure-datalake-storage-gen2-1.4.4.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.6-azure-datalake-storage-gen2-1.4.5.jar;
 /
 ```
 
@@ -30,7 +30,7 @@ CREATE OR REPLACE JAVA SET SCRIPT ADAPTER.IMPORT_FROM_AZURE_DATA_LAKE_STORAGE_GE
   CONNECTION_NAME VARCHAR(500))
   EMITS(...) AS
     %scriptclass com.exasol.adapter.document.UdfEntryPoint;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.5-azure-datalake-storage-gen2-1.4.4.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.6-azure-datalake-storage-gen2-1.4.5.jar;
 /
 ```