#37: Fix vulnerabilities CVE-2023-42503, CVE-2023-42503 and CVE-2023-…

…4759 (#38)

.gitattributes

@@ -11,3 +11,6 @@ pk_generated_parent.pom                                          linguist-genera
 doc/changes/changelog.md                                         linguist-generated=true
 
 cloudSetup/.terraform.lock.hcl linguist-generated=true
+
+.settings/org.eclipse.jdt.core.prefs linguist-generated=true
+.settings/org.eclipse.jdt.ui.prefs   linguist-generated=true

.github/workflows/ci-build.yml

@@ -8,18 +8,23 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up JDK 11
+      - name: Set up JDK 11 & 17
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
-          java-version: 11
-          cache: 'maven'
+          distribution: "temurin"
+          java-version: |
+            17
+            11
+          cache: "maven"
       - name: Cache SonarCloud packages
         uses: actions/cache@v3
         with:
@@ -38,7 +43,7 @@ jobs:
           ACCOUNTNAME: ${{ secrets.ACCOUNTNAME }}
       - name: Run tests and build with Maven
         run: |
-          mvn --batch-mode clean verify \
+          JAVA_HOME=$JAVA_HOME_11_X64 mvn --batch-mode clean verify \
               -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
               -DtrimStackTrace=false
       - name: Publish Test Report
@@ -49,12 +54,12 @@ jobs:
       - name: Sonar analysis
         if: ${{ env.SONAR_TOKEN != null }}
         run: |
-          mvn --batch-mode sonar:sonar \
+          JAVA_HOME=$JAVA_HOME_17_X64 mvn --batch-mode org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
               -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
               -DtrimStackTrace=false \
               -Dsonar.organization=exasol \
               -Dsonar.host.url=https://sonarcloud.io \
-              -Dsonar.login=$SONAR_TOKEN
+              -Dsonar.token=$SONAR_TOKEN
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/ci_isolation_ci_build.yml

@@ -8,15 +8,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
       - name: Write ADLSG2 accountkey file
         run: |
           echo "$ACCOUNTKEY" > accountkey.txt
@@ -28,4 +28,4 @@ jobs:
         env:
           ACCOUNTNAME: ${{ secrets.ACCOUNTNAME }}
       - name: Run tests and build with Maven
-        run: mvn --batch-mode --update-snapshots clean verify --file ci-isolation/pom.xml -DtrimStackTrace=false
+        run: mvn --batch-mode --update-snapshots clean verify --file ci-isolation/pom.xml -DtrimStackTrace=false

.github/workflows/manual_run_regression_tests.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Print tag name
         run: echo ${{ github.event.release.tag_name }}
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11

.github/workflows/release_droid_prepare_original_checksum.yml

@@ -5,18 +5,20 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04 # UDFs fail with "VM error: Internal error: VM crashed" on ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up JDK 11
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
+          distribution: "temurin"
           java-version: 11
-          cache: 'maven'
+          cache: "maven"
+      - name: Enable testcontainer reuse
+        run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
       - name: Write ADLSG2 accountkey file
         run: |
           echo "$ACCOUNTKEY" > accountkey.txt
@@ -36,4 +38,4 @@ jobs:
         with:
           name: original_checksum
           retention-days: 5
-          path: original_checksum
+          path: original_checksum

.project-keeper.yml

@@ -6,7 +6,6 @@ sources:
       - udf_coverage
       - jar_artifact
 linkReplacements:
-  - "https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310|https://github.com/FasterXML/jackson-modules-java8/tree/2.14/datetime"
 excludes:
   - "E-PK-CORE-18: Outdated content: '.github/workflows/ci-build.yml'"
-  - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'"
+  - "E-PK-CORE-18: Outdated content: '.github/workflows/release_droid_prepare_original_checksum.yml'"

doc/changes/changes_1.4.3.md

@@ -0,0 +1,53 @@
+# Virtual Schema for Document Data in Files on Azure Data Lake Storage Gen 2 1.4.3, released 2023-09-28
+
+Code name: Fix vulnerabilities in dependencies
+
+## Summary
+
+This release fixes the following vulnerabilities in dependencies:
+
+* `org.apache.commons:commons-compress:compile`: CVE-2023-42503 CWE-20: Improper Input Validation (5.5)
+* `org.xerial.snappy:snappy-java:compile`: CVE-2023-43642 CWE-770: Allocation of Resources Without Limits or Throttling (7.5)
+* `org.eclipse.jgit:org.eclipse.jgit:test`: CVE-2023-4759: CWE-178: Improper Handling of Case Sensitivity (8.8)
+
+**Known issue:** Transitive dependency `io.netty:netty-handler` of `com.azure:azure-storage-file-datalake` contains vulnerability CVE-2023-4586 (CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') (6.5)). We assume that the Azure client's usage of `netty-handler` is not affected by the vulnerability.
+
+## Security
+
+* #37: Fix vulnerabilities in dependencies
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `com.azure:azure-core:1.40.0` to `1.43.0`
+* Updated `com.azure:azure-identity:1.9.1` to `1.10.1`
+* Updated `com.azure:azure-storage-file-datalake:12.15.3` to `12.17.0`
+* Updated `com.exasol:virtual-schema-common-document-files:7.3.3` to `7.3.4`
+
+### Test Dependency Updates
+
+* Updated `com.exasol:exasol-test-setup-abstraction-java:2.0.2` to `2.0.4`
+* Updated `com.exasol:hamcrest-resultset-matcher:1.6.0` to `1.6.1`
+* Updated `com.exasol:performance-test-recorder-java:0.1.2` to `0.1.3`
+* Updated `com.exasol:test-db-builder-java:3.4.2` to `3.5.1`
+* Updated `com.exasol:udf-debugging-java:0.6.8` to `0.6.11`
+* Updated `com.exasol:virtual-schema-common-document-files:7.3.3` to `7.3.4`
+* Updated `nl.jqno.equalsverifier:equalsverifier:3.14.3` to `3.15.2`
+* Updated `org.jacoco:org.jacoco.agent:0.8.9` to `0.8.10`
+* Updated `org.junit.jupiter:junit-jupiter-params:5.9.3` to `5.10.0`
+* Updated `org.mockito:mockito-core:5.4.0` to `5.5.0`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:1.2.3` to `1.3.0`
+* Updated `com.exasol:project-keeper-maven-plugin:2.9.7` to `2.9.12`
+* Updated `org.apache.maven.plugins:maven-assembly-plugin:3.5.0` to `3.6.0`
+* Updated `org.apache.maven.plugins:maven-dependency-plugin:3.5.0` to `3.6.0`
+* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.3.0` to `3.4.0`
+* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.0.0` to `3.1.2`
+* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.0.0` to `3.1.2`
+* Updated `org.basepom.maven:duplicate-finder-maven-plugin:1.5.1` to `2.0.1`
+* Updated `org.codehaus.mojo:flatten-maven-plugin:1.4.1` to `1.5.0`
+* Updated `org.codehaus.mojo:versions-maven-plugin:2.15.0` to `2.16.0`
+* Updated `org.jacoco:jacoco-maven-plugin:0.8.9` to `0.8.10`

doc/user_guide/user_guide.md

@@ -17,7 +17,7 @@ Next create the Adapter Script:
  ```sql
 CREATE OR REPLACE JAVA ADAPTER SCRIPT ADAPTER.AZURE_DATALAKE_STORAGE_GEN2_FILES_ADAPTER AS
     %scriptclass com.exasol.adapter.RequestDispatcher;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.3-azure-datalake-storage-gen2-1.4.2.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.4-azure-datalake-storage-gen2-1.4.3.jar;
 /
 ```
 
@@ -30,7 +30,7 @@ CREATE OR REPLACE JAVA SET SCRIPT ADAPTER.IMPORT_FROM_AZURE_DATA_LAKE_STORAGE_GE
   CONNECTION_NAME VARCHAR(500))
   EMITS(...) AS
     %scriptclass com.exasol.adapter.document.UdfEntryPoint;
-    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.3-azure-datalake-storage-gen2-1.4.2.jar;
+    %jar /buckets/bfsdefault/default/document-files-virtual-schema-dist-7.3.4-azure-datalake-storage-gen2-1.4.3.jar;
 /
 ```