From 8153cef68b45694d23899cf6d11f9b3d5dc4e3dd Mon Sep 17 00:00:00 2001
From: YotillaAntoni <92581297+YotillaAntoni@users.noreply.github.com>
Date: Tue, 19 Nov 2024 10:33:17 +0100
Subject: [PATCH 1/5] Fix CVE-2024-47535:
io.netty:netty-common:jar:4.1.108.Final:runtime (#68)
* generate new version. update keeper
* update versions
* added feedback: explicitly state that is a transitive production dependency
* added feedback: explicitly state that is a transitive production dependency
* fixed release date
---
.github/workflows/broken_links_checker.yml | 2 +
.github/workflows/ci-build-next-java.yml | 52 +++++------
.github/workflows/ci-build.yml | 7 +-
.github/workflows/dependencies_check.yml | 2 +-
.github/workflows/dependencies_update.yml | 16 ++--
.github/workflows/release.yml | 4 +-
.settings/org.eclipse.jdt.core.prefs | 28 ++++--
.settings/org.eclipse.jdt.ui.prefs | 6 ++
dependencies.md | 103 ++++++++++++---------
doc/changes/changelog.md | 1 +
doc/changes/changes_0.6.14.md | 54 +++++++++++
pk_generated_parent.pom | 63 ++++++++++---
pom.xml | 30 +++---
13 files changed, 237 insertions(+), 131 deletions(-)
create mode 100644 doc/changes/changes_0.6.14.md
diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml
index d7a38b4..39612b7 100644
--- a/.github/workflows/broken_links_checker.yml
+++ b/.github/workflows/broken_links_checker.yml
@@ -13,6 +13,8 @@ on:
jobs:
linkChecker:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
defaults:
run:
shell: "bash"
diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml
index 8886e10..712a7cb 100644
--- a/.github/workflows/ci-build-next-java.yml
+++ b/.github/workflows/ci-build-next-java.yml
@@ -1,43 +1,39 @@
-# Generated by Project Keeper
-# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/ci-build-next-java.yml
+# This file was generated by Project Keeper.
name: CI Build next Java
on:
push:
- branches:
- - main
- pull_request:
-
+ branches: [
+ main
+ ]
+
+ pull_request: null
jobs:
- java-17-compatibility:
+ next-java-compatibility:
runs-on: ubuntu-latest
defaults:
- run:
- shell: "bash"
- permissions:
+ run: {
+ shell: bash
+ }
+ permissions: {
contents: read
- checks: write # Allow scacap/action-surefire-report
- concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ }
+ concurrency: {
+ group: '${{ github.workflow }}-${{ github.ref }}',
cancel-in-progress: true
+ }
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- with:
+ with: {
fetch-depth: 0
+ }
- name: Set up JDK 17
uses: actions/setup-java@v4
- with:
- distribution: "temurin"
- java-version: 17
- cache: "maven"
- - name: Run tests and build with Maven
+ with: {
+ distribution: temurin,
+ java-version: '17',
+ cache: maven
+ }
+ - name: Run tests and build with Maven 17
run: |
- mvn --batch-mode --update-snapshots clean package -DtrimStackTrace=false \
- -Djava.version=17 \
- -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn
- - name: Publish Test Report for Java 17
- uses: scacap/action-surefire-report@v1
- if: ${{ always() && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }}
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- fail_if_no_tests: false
+ mvn --batch-mode clean package -DtrimStackTrace=false -Djava.version=17
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index 7b0fc70..05a0e2c 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -15,8 +15,7 @@ jobs:
shell: bash
}
permissions: {
- contents: read,
- checks: write
+ contents: read
}
concurrency: {
group: '${{ github.workflow }}-${{ github.ref }}-${{ matrix.exasol_db_version }}',
@@ -51,7 +50,7 @@ jobs:
uses: actions/setup-java@v4
with:
distribution: temurin
- java-version: |
+ java-version: |-
11
17
cache: maven
@@ -128,7 +127,7 @@ jobs:
uses: actions/setup-java@v4
with:
distribution: temurin
- java-version: |
+ java-version: |-
11
17
cache: maven
diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml
index 9c2365c..02c5aa0 100644
--- a/.github/workflows/dependencies_check.yml
+++ b/.github/workflows/dependencies_check.yml
@@ -35,7 +35,7 @@ jobs:
uses: actions/setup-java@v4
with:
distribution: temurin
- java-version: |
+ java-version: |-
11
17
cache: maven
diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml
index 9f536ee..c901506 100644
--- a/.github/workflows/dependencies_update.yml
+++ b/.github/workflows/dependencies_update.yml
@@ -35,7 +35,7 @@ jobs:
uses: actions/setup-java@v4
with:
distribution: temurin
- java-version: |
+ java-version: |-
11
17
cache: maven
@@ -61,14 +61,6 @@ jobs:
env: {
CREATED_ISSUES: '${{ inputs.vulnerability_issues }}'
}
- - name: Project Keeper Fix
- id: project-keeper-fix
- run: |
- mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects .
- - name: Project Keeper Fix for updated Project Keeper version
- id: project-keeper-fix-2
- run: |
- mvn --batch-mode com.exasol:project-keeper-maven-plugin:fix --projects .
- name: Generate Pull Request comment
id: pr-comment
run: |
@@ -81,7 +73,11 @@ jobs:
echo 'It updates dependencies.' >> "$GITHUB_OUTPUT"
fi
echo >> "$GITHUB_OUTPUT"
- echo '# ⚠️ This PR does not trigger CI workflows by default ⚠️' >> "$GITHUB_OUTPUT"
+ echo '# ⚠️ Notes ⚠️' >> "$GITHUB_OUTPUT"
+ echo '## Run PK fix manually' >> "$GITHUB_OUTPUT"
+ echo 'Due to restrictions workflow `dependencies_update.yml` cannot update other workflows, see https://github.com/exasol/project-keeper/issues/578 for details.' >> "$GITHUB_OUTPUT"
+ echo 'Please checkout this PR locally and run `mvn com.exasol:project-keeper-maven-plugin:fix --projects .`' >> "$GITHUB_OUTPUT"
+ echo '## This PR does not trigger CI workflows' >> "$GITHUB_OUTPUT"
echo 'Please click the **Close pull request** button and then **Reopen pull request** to trigger running checks.' >> "$GITHUB_OUTPUT"
echo 'See https://github.com/exasol/project-keeper/issues/534 for details.' >> "$GITHUB_OUTPUT"
echo 'EOF' >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5be64c8..e4682a3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -52,7 +52,7 @@ jobs:
uses: actions/setup-java@v4
with:
distribution: temurin
- java-version: |
+ java-version: |-
11
17
cache: maven
@@ -67,7 +67,7 @@ jobs:
uses: actions/setup-java@v4
with:
distribution: temurin
- java-version: |
+ java-version: |-
11
17
cache: maven
diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs
index bb40c3f..43365b0 100644
--- a/.settings/org.eclipse.jdt.core.prefs
+++ b/.settings/org.eclipse.jdt.core.prefs
@@ -1,15 +1,19 @@
eclipse.preferences.version=1
+org.eclipse.jdt.core.builder.annotationPath.allLocations=disabled
org.eclipse.jdt.core.compiler.annotation.inheritNullAnnotations=disabled
org.eclipse.jdt.core.compiler.annotation.missingNonNullByDefaultAnnotation=ignore
-org.eclipse.jdt.core.compiler.annotation.nonnull=org.eclipse.jdt.annotation.NonNull
+org.eclipse.jdt.core.compiler.annotation.nonnull=javax.annotation.Nonnull
org.eclipse.jdt.core.compiler.annotation.nonnull.secondary=
-org.eclipse.jdt.core.compiler.annotation.nonnullbydefault=org.eclipse.jdt.annotation.NonNullByDefault
+org.eclipse.jdt.core.compiler.annotation.nonnullbydefault=javax.annotation.ParametersAreNonnullByDefault
org.eclipse.jdt.core.compiler.annotation.nonnullbydefault.secondary=
-org.eclipse.jdt.core.compiler.annotation.nullable=org.eclipse.jdt.annotation.Nullable
+org.eclipse.jdt.core.compiler.annotation.notowning=org.eclipse.jdt.annotation.NotOwning
+org.eclipse.jdt.core.compiler.annotation.nullable=javax.annotation.Nullable
org.eclipse.jdt.core.compiler.annotation.nullable.secondary=
-org.eclipse.jdt.core.compiler.annotation.nullanalysis=disabled
+org.eclipse.jdt.core.compiler.annotation.nullanalysis=enabled
+org.eclipse.jdt.core.compiler.annotation.owning=org.eclipse.jdt.annotation.Owning
+org.eclipse.jdt.core.compiler.annotation.resourceanalysis=disabled
org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
-org.eclipse.jdt.core.compiler.codegen.methodParameters=do not generate
+org.eclipse.jdt.core.compiler.codegen.methodParameters=generate
org.eclipse.jdt.core.compiler.codegen.targetPlatform=11
org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
org.eclipse.jdt.core.compiler.compliance=11
@@ -17,6 +21,7 @@ org.eclipse.jdt.core.compiler.debug.lineNumber=generate
org.eclipse.jdt.core.compiler.debug.localVariable=generate
org.eclipse.jdt.core.compiler.debug.sourceFile=generate
org.eclipse.jdt.core.compiler.problem.APILeak=warning
+org.eclipse.jdt.core.compiler.problem.annotatedTypeArgumentToUnannotated=info
org.eclipse.jdt.core.compiler.problem.annotationSuperInterface=warning
org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
org.eclipse.jdt.core.compiler.problem.autoboxing=ignore
@@ -39,8 +44,10 @@ org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
org.eclipse.jdt.core.compiler.problem.hiddenCatchBlock=warning
org.eclipse.jdt.core.compiler.problem.includeNullInfoFromAsserts=disabled
org.eclipse.jdt.core.compiler.problem.incompatibleNonInheritedInterfaceMethod=warning
+org.eclipse.jdt.core.compiler.problem.incompatibleOwningContract=warning
org.eclipse.jdt.core.compiler.problem.incompleteEnumSwitch=warning
org.eclipse.jdt.core.compiler.problem.indirectStaticAccess=ignore
+org.eclipse.jdt.core.compiler.problem.insufficientResourceAnalysis=warning
org.eclipse.jdt.core.compiler.problem.localVariableHiding=ignore
org.eclipse.jdt.core.compiler.problem.methodWithConstructorName=warning
org.eclipse.jdt.core.compiler.problem.missingDefaultCase=ignore
@@ -56,15 +63,15 @@ org.eclipse.jdt.core.compiler.problem.noImplicitStringConversion=warning
org.eclipse.jdt.core.compiler.problem.nonExternalizedStringLiteral=ignore
org.eclipse.jdt.core.compiler.problem.nonnullParameterAnnotationDropped=warning
org.eclipse.jdt.core.compiler.problem.nonnullTypeVariableFromLegacyInvocation=warning
-org.eclipse.jdt.core.compiler.problem.nullAnnotationInferenceConflict=error
+org.eclipse.jdt.core.compiler.problem.nullAnnotationInferenceConflict=warning
org.eclipse.jdt.core.compiler.problem.nullReference=warning
-org.eclipse.jdt.core.compiler.problem.nullSpecViolation=error
-org.eclipse.jdt.core.compiler.problem.nullUncheckedConversion=warning
+org.eclipse.jdt.core.compiler.problem.nullSpecViolation=warning
+org.eclipse.jdt.core.compiler.problem.nullUncheckedConversion=ignore
org.eclipse.jdt.core.compiler.problem.overridingPackageDefaultMethod=warning
org.eclipse.jdt.core.compiler.problem.parameterAssignment=ignore
org.eclipse.jdt.core.compiler.problem.pessimisticNullAnalysisForFreeTypeVariables=warning
org.eclipse.jdt.core.compiler.problem.possibleAccidentalBooleanAssignment=ignore
-org.eclipse.jdt.core.compiler.problem.potentialNullReference=ignore
+org.eclipse.jdt.core.compiler.problem.potentialNullReference=warning
org.eclipse.jdt.core.compiler.problem.potentiallyUnclosedCloseable=ignore
org.eclipse.jdt.core.compiler.problem.rawTypeReference=warning
org.eclipse.jdt.core.compiler.problem.redundantNullAnnotation=warning
@@ -78,7 +85,8 @@ org.eclipse.jdt.core.compiler.problem.specialParameterHidingField=disabled
org.eclipse.jdt.core.compiler.problem.staticAccessReceiver=warning
org.eclipse.jdt.core.compiler.problem.suppressOptionalErrors=disabled
org.eclipse.jdt.core.compiler.problem.suppressWarnings=enabled
-org.eclipse.jdt.core.compiler.problem.syntacticNullAnalysisForFields=disabled
+org.eclipse.jdt.core.compiler.problem.suppressWarningsNotFullyAnalysed=info
+org.eclipse.jdt.core.compiler.problem.syntacticNullAnalysisForFields=enabled
org.eclipse.jdt.core.compiler.problem.syntheticAccessEmulation=ignore
org.eclipse.jdt.core.compiler.problem.terminalDeprecation=warning
org.eclipse.jdt.core.compiler.problem.typeParameterHiding=warning
diff --git a/.settings/org.eclipse.jdt.ui.prefs b/.settings/org.eclipse.jdt.ui.prefs
index 1add06a..54d02ac 100644
--- a/.settings/org.eclipse.jdt.ui.prefs
+++ b/.settings/org.eclipse.jdt.ui.prefs
@@ -76,6 +76,7 @@ sp_cleanup.add_missing_nls_tags=false
sp_cleanup.add_missing_override_annotations=true
sp_cleanup.add_missing_override_annotations_interface_methods=true
sp_cleanup.add_serial_version_id=false
+sp_cleanup.also_simplify_lambda=false
sp_cleanup.always_use_blocks=true
sp_cleanup.always_use_parentheses_in_expressions=true
sp_cleanup.always_use_this_for_non_static_field_access=true
@@ -130,6 +131,7 @@ sp_cleanup.one_if_rather_than_duplicate_blocks_that_fall_through=false
sp_cleanup.operand_factorization=false
sp_cleanup.organize_imports=true
sp_cleanup.overridden_assignment=false
+sp_cleanup.overridden_assignment_move_decl=false
sp_cleanup.plain_replacement=false
sp_cleanup.precompile_regex=false
sp_cleanup.primitive_comparison=false
@@ -159,10 +161,12 @@ sp_cleanup.remove_unnecessary_casts=true
sp_cleanup.remove_unnecessary_nls_tags=true
sp_cleanup.remove_unused_imports=true
sp_cleanup.remove_unused_local_variables=false
+sp_cleanup.remove_unused_method_parameters=false
sp_cleanup.remove_unused_private_fields=true
sp_cleanup.remove_unused_private_members=false
sp_cleanup.remove_unused_private_methods=true
sp_cleanup.remove_unused_private_types=true
+sp_cleanup.replace_deprecated_calls=false
sp_cleanup.return_expression=false
sp_cleanup.simplify_lambda_expression_and_method_ref=false
sp_cleanup.single_used_field=false
@@ -174,6 +178,8 @@ sp_cleanup.strictly_equal_or_different=false
sp_cleanup.stringbuffer_to_stringbuilder=false
sp_cleanup.stringbuilder=false
sp_cleanup.stringbuilder_for_local_vars=false
+sp_cleanup.stringconcat_stringbuffer_stringbuilder=false
+sp_cleanup.stringconcat_to_textblock=false
sp_cleanup.substring=false
sp_cleanup.switch=false
sp_cleanup.system_property=false
diff --git a/dependencies.md b/dependencies.md
index b14126d..af7d03f 100644
--- a/dependencies.md
+++ b/dependencies.md
@@ -37,26 +37,31 @@
| Dependency | License |
| ------------------------------------------------------- | ---------------------------------------------- |
-| [SonarQube Scanner for Maven][30] | [GNU LGPL 3][31] |
-| [Apache Maven Toolchains Plugin][32] | [Apache License, Version 2.0][12] |
-| [Maven Dependency Plugin][33] | [The Apache Software License, Version 2.0][34] |
-| [Project Keeper Maven plugin][35] | [The MIT License][36] |
-| [Apache Maven Compiler Plugin][37] | [Apache-2.0][12] |
-| [Apache Maven Enforcer Plugin][38] | [Apache-2.0][12] |
-| [Maven Flatten Plugin][39] | [Apache Software Licenese][12] |
-| [org.sonatype.ossindex.maven:ossindex-maven-plugin][40] | [ASL2][34] |
-| [Maven Surefire Plugin][41] | [Apache-2.0][12] |
-| [Versions Maven Plugin][42] | [Apache License, Version 2.0][12] |
-| [duplicate-finder-maven-plugin Maven Mojo][43] | [Apache License 2.0][44] |
-| [Apache Maven Deploy Plugin][45] | [Apache-2.0][12] |
-| [Apache Maven GPG Plugin][46] | [Apache-2.0][12] |
-| [Apache Maven Source Plugin][47] | [Apache License, Version 2.0][12] |
-| [Apache Maven Javadoc Plugin][48] | [Apache-2.0][12] |
-| [Nexus Staging Maven Plugin][49] | [Eclipse Public License][50] |
-| [Maven Failsafe Plugin][51] | [Apache-2.0][12] |
-| [JaCoCo :: Maven Plugin][52] | [EPL-2.0][6] |
-| [error-code-crawler-maven-plugin][53] | [MIT License][54] |
-| [Reproducible Build Maven Plugin][55] | [Apache 2.0][34] |
+| [Apache Maven Clean Plugin][30] | [Apache-2.0][12] |
+| [Apache Maven Install Plugin][31] | [Apache-2.0][12] |
+| [Apache Maven Resources Plugin][32] | [Apache-2.0][12] |
+| [Apache Maven Site Plugin][33] | [Apache License, Version 2.0][12] |
+| [SonarQube Scanner for Maven][34] | [GNU LGPL 3][35] |
+| [Apache Maven Toolchains Plugin][36] | [Apache-2.0][12] |
+| [Maven Dependency Plugin][37] | [The Apache Software License, Version 2.0][38] |
+| [Project Keeper Maven plugin][39] | [The MIT License][40] |
+| [Apache Maven Compiler Plugin][41] | [Apache-2.0][12] |
+| [Apache Maven Enforcer Plugin][42] | [Apache-2.0][12] |
+| [Maven Flatten Plugin][43] | [Apache Software Licenese][12] |
+| [org.sonatype.ossindex.maven:ossindex-maven-plugin][44] | [ASL2][38] |
+| [Maven Surefire Plugin][45] | [Apache-2.0][12] |
+| [Versions Maven Plugin][46] | [Apache License, Version 2.0][12] |
+| [duplicate-finder-maven-plugin Maven Mojo][47] | [Apache License 2.0][48] |
+| [Apache Maven Deploy Plugin][49] | [Apache-2.0][12] |
+| [Apache Maven GPG Plugin][50] | [Apache-2.0][12] |
+| [Apache Maven Source Plugin][51] | [Apache License, Version 2.0][12] |
+| [Apache Maven Javadoc Plugin][52] | [Apache-2.0][12] |
+| [Nexus Staging Maven Plugin][53] | [Eclipse Public License][54] |
+| [Maven Failsafe Plugin][55] | [Apache-2.0][12] |
+| [JaCoCo :: Maven Plugin][56] | [EPL-2.0][6] |
+| [Quality Summarizer Maven Plugin][57] | [MIT License][58] |
+| [error-code-crawler-maven-plugin][59] | [MIT License][60] |
+| [Reproducible Build Maven Plugin][61] | [Apache 2.0][38] |
[0]: https://github.com/eclipse-ee4j/jsonp
[1]: https://projects.eclipse.org/license/epl-2.0
@@ -88,29 +93,35 @@
[27]: https://github.com/itsallcode/junit5-system-extensions
[28]: http://www.eclipse.org/legal/epl-v20.html
[29]: https://github.com/eclipse-ee4j/parsson
-[30]: http://sonarsource.github.io/sonar-scanner-maven/
-[31]: http://www.gnu.org/licenses/lgpl.txt
-[32]: https://maven.apache.org/plugins/maven-toolchains-plugin/
-[33]: http://maven.apache.org/plugins/maven-dependency-plugin/
-[34]: http://www.apache.org/licenses/LICENSE-2.0.txt
-[35]: https://github.com/exasol/project-keeper/
-[36]: https://github.com/exasol/project-keeper/blob/main/LICENSE
-[37]: https://maven.apache.org/plugins/maven-compiler-plugin/
-[38]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
-[39]: https://www.mojohaus.org/flatten-maven-plugin/
-[40]: https://sonatype.github.io/ossindex-maven/maven-plugin/
-[41]: https://maven.apache.org/surefire/maven-surefire-plugin/
-[42]: https://www.mojohaus.org/versions/versions-maven-plugin/
-[43]: https://basepom.github.io/duplicate-finder-maven-plugin
-[44]: http://www.apache.org/licenses/LICENSE-2.0.html
-[45]: https://maven.apache.org/plugins/maven-deploy-plugin/
-[46]: https://maven.apache.org/plugins/maven-gpg-plugin/
-[47]: https://maven.apache.org/plugins/maven-source-plugin/
-[48]: https://maven.apache.org/plugins/maven-javadoc-plugin/
-[49]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
-[50]: http://www.eclipse.org/legal/epl-v10.html
-[51]: https://maven.apache.org/surefire/maven-failsafe-plugin/
-[52]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
-[53]: https://github.com/exasol/error-code-crawler-maven-plugin/
-[54]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
-[55]: http://zlika.github.io/reproducible-build-maven-plugin
+[30]: https://maven.apache.org/plugins/maven-clean-plugin/
+[31]: https://maven.apache.org/plugins/maven-install-plugin/
+[32]: https://maven.apache.org/plugins/maven-resources-plugin/
+[33]: https://maven.apache.org/plugins/maven-site-plugin/
+[34]: http://sonarsource.github.io/sonar-scanner-maven/
+[35]: http://www.gnu.org/licenses/lgpl.txt
+[36]: https://maven.apache.org/plugins/maven-toolchains-plugin/
+[37]: http://maven.apache.org/plugins/maven-dependency-plugin/
+[38]: http://www.apache.org/licenses/LICENSE-2.0.txt
+[39]: https://github.com/exasol/project-keeper/
+[40]: https://github.com/exasol/project-keeper/blob/main/LICENSE
+[41]: https://maven.apache.org/plugins/maven-compiler-plugin/
+[42]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
+[43]: https://www.mojohaus.org/flatten-maven-plugin/
+[44]: https://sonatype.github.io/ossindex-maven/maven-plugin/
+[45]: https://maven.apache.org/surefire/maven-surefire-plugin/
+[46]: https://www.mojohaus.org/versions/versions-maven-plugin/
+[47]: https://basepom.github.io/duplicate-finder-maven-plugin
+[48]: http://www.apache.org/licenses/LICENSE-2.0.html
+[49]: https://maven.apache.org/plugins/maven-deploy-plugin/
+[50]: https://maven.apache.org/plugins/maven-gpg-plugin/
+[51]: https://maven.apache.org/plugins/maven-source-plugin/
+[52]: https://maven.apache.org/plugins/maven-javadoc-plugin/
+[53]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
+[54]: http://www.eclipse.org/legal/epl-v10.html
+[55]: https://maven.apache.org/surefire/maven-failsafe-plugin/
+[56]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
+[57]: https://github.com/exasol/quality-summarizer-maven-plugin/
+[58]: https://github.com/exasol/quality-summarizer-maven-plugin/blob/main/LICENSE
+[59]: https://github.com/exasol/error-code-crawler-maven-plugin/
+[60]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
+[61]: http://zlika.github.io/reproducible-build-maven-plugin
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index 106aecf..616e9f0 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
# Changes
+* [0.6.14](changes_0.6.14.md)
* [0.6.13](changes_0.6.13.md)
* [0.6.12](changes_0.6.12.md)
* [0.6.11](changes_0.6.11.md)
diff --git a/doc/changes/changes_0.6.14.md b/doc/changes/changes_0.6.14.md
new file mode 100644
index 0000000..124e9a2
--- /dev/null
+++ b/doc/changes/changes_0.6.14.md
@@ -0,0 +1,54 @@
+# Udf Debugging Java 0.6.14, released 2024-11-19
+
+Code name: Fix CVE-2024-47535: io.netty:netty-common:jar:4.1.108.Final:provided
+
+## Summary
+
+This release fixes CVE-2024-47535 in transitive production dependency `io.netty:netty-common:jar:4.1.108.Final:provided` added by `com.exasol:exasol-test-setup-abstraction-java`.
+
+## Security
+
+* #67: Fixed CVE-2024-47535 in `io.netty:netty-common:jar:4.1.108.Final:provided`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `com.exasol:bucketfs-java:3.1.2` to `3.2.0`
+* Updated `org.apache.commons:commons-compress:1.26.1` to `1.27.1`
+* Updated `org.slf4j:slf4j-jdk14:2.0.12` to `2.0.16`
+
+### Runtime Dependency Updates
+
+* Updated `org.eclipse.parsson:parsson:1.1.6` to `1.1.7`
+
+### Test Dependency Updates
+
+* Updated `com.exasol:exasol-testcontainers:7.0.1` to `7.1.1`
+* Updated `com.exasol:test-db-builder-java:3.5.4` to `3.6.0`
+* Updated `org.itsallcode:junit5-system-extensions:1.2.0` to `1.2.2`
+* Updated `org.junit.jupiter:junit-jupiter-engine:5.10.2` to `5.11.3`
+* Updated `org.junit.jupiter:junit-jupiter-params:5.10.2` to `5.11.3`
+* Updated `org.mockito:mockito-junit-jupiter:5.11.0` to `5.14.2`
+* Updated `org.testcontainers:junit-jupiter:1.19.7` to `1.20.3`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:2.0.2` to `2.0.3`
+* Updated `com.exasol:project-keeper-maven-plugin:4.3.0` to `4.4.0`
+* Added `com.exasol:quality-summarizer-maven-plugin:0.2.0`
+* Updated `io.github.zlika:reproducible-build-maven-plugin:0.16` to `0.17`
+* Updated `org.apache.maven.plugins:maven-clean-plugin:2.5` to `3.4.0`
+* Updated `org.apache.maven.plugins:maven-deploy-plugin:3.1.1` to `3.1.2`
+* Updated `org.apache.maven.plugins:maven-enforcer-plugin:3.4.1` to `3.5.0`
+* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.2.5` to `3.5.1`
+* Updated `org.apache.maven.plugins:maven-gpg-plugin:3.2.2` to `3.2.7`
+* Updated `org.apache.maven.plugins:maven-install-plugin:2.4` to `3.1.3`
+* Updated `org.apache.maven.plugins:maven-javadoc-plugin:3.6.3` to `3.10.1`
+* Updated `org.apache.maven.plugins:maven-resources-plugin:2.6` to `3.3.1`
+* Updated `org.apache.maven.plugins:maven-site-plugin:3.3` to `3.9.1`
+* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.2.5` to `3.5.1`
+* Updated `org.apache.maven.plugins:maven-toolchains-plugin:3.1.0` to `3.2.0`
+* Updated `org.codehaus.mojo:versions-maven-plugin:2.16.2` to `2.17.1`
+* Updated `org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922` to `4.0.0.4121`
+* Updated `org.sonatype.plugins:nexus-staging-maven-plugin:1.6.13` to `1.7.0`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index fea4b89..32c5a9f 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@
4.0.0
com.exasol
udf-debugging-java-generated-parent
- 0.6.13
+ 0.6.14
pom
UTF-8
@@ -47,15 +47,35 @@
+
+ org.apache.maven.plugins
+ maven-clean-plugin
+ 3.4.0
+
+
+ org.apache.maven.plugins
+ maven-install-plugin
+ 3.1.3
+
+
+ org.apache.maven.plugins
+ maven-resources-plugin
+ 3.3.1
+
+
+ org.apache.maven.plugins
+ maven-site-plugin
+ 3.9.1
+
org.sonarsource.scanner.maven
sonar-maven-plugin
- 3.11.0.3922
+ 4.0.0.4121
org.apache.maven.plugins
maven-toolchains-plugin
- 3.1.0
+ 3.2.0
@@ -88,7 +108,7 @@
org.apache.maven.plugins
maven-enforcer-plugin
- 3.4.1
+ 3.5.0
enforce-maven
@@ -150,7 +170,7 @@
org.apache.maven.plugins
maven-surefire-plugin
- 3.2.5
+ 3.5.1
@@ -161,7 +181,7 @@
org.codehaus.mojo
versions-maven-plugin
- 2.16.2
+ 2.17.1
display-updates
@@ -215,7 +235,7 @@
org.apache.maven.plugins
maven-deploy-plugin
- 3.1.1
+ 3.1.2
true
@@ -223,7 +243,7 @@
org.apache.maven.plugins
maven-gpg-plugin
- 3.2.2
+ 3.2.7
sign-artifacts
@@ -244,8 +264,8 @@
org.apache.maven.plugins
maven-source-plugin
+ Failed to execute goal org.apache.maven.plugins:maven-source-plugin:3.3.0:jar-no-fork (attach-sources) on project project-keeper-shared-model-classes: Presumably you have configured maven-source-plugn to execute twice times in your build. You have to configure a classifier for at least on of them.
+ Using goal "jar-no-fork" didn't help. See https://stackoverflow.com/questions/76305897/maven-build-fails-after-upgrading-to-maven-source-plugin-from-3-2-1-to-3-3-0 -->
3.2.1
@@ -259,7 +279,7 @@
org.apache.maven.plugins
maven-javadoc-plugin
- 3.6.3
+ 3.10.1
attach-javadocs
@@ -281,7 +301,7 @@
org.sonatype.plugins
nexus-staging-maven-plugin
- 1.6.13
+ 1.7.0
true
ossrh
@@ -302,7 +322,7 @@
org.apache.maven.plugins
maven-failsafe-plugin
- 3.2.5
+ 3.5.1
-Djava.util.logging.config.file=src/test/resources/logging.properties ${argLine}
@@ -360,10 +380,23 @@
+
+ com.exasol
+ quality-summarizer-maven-plugin
+ 0.2.0
+
+
+ summarize-metrics
+
+ summarize
+
+
+
+
com.exasol
error-code-crawler-maven-plugin
- 2.0.2
+ 2.0.3
verify
@@ -376,7 +409,7 @@
io.github.zlika
reproducible-build-maven-plugin
- 0.16
+ 0.17
strip-jar
diff --git a/pom.xml b/pom.xml
index 62d0b00..40a8ca8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2,12 +2,12 @@
4.0.0
udf-debugging-java
- 0.6.13
+ 0.6.14
udf-debugging-java
Utilities for debugging, profiling and code coverage measure for UDFs.
https://github.com/exasol/udf-debugging-java/
- 5.10.2
+ 5.11.3
0.8.12
@@ -19,7 +19,7 @@
org.eclipse.parsson
parsson
- 1.1.6
+ 1.1.7
runtime
@@ -42,22 +42,22 @@
com.exasol
bucketfs-java
- 3.1.2
+ 3.2.0
com.exasol
exasol-test-setup-abstraction-java
- 2.1.2
+ 2.1.6
+ in methods that are meant to be used with the exasol-test-setup-abstraction-java. -->
provided
org.apache.commons
commons-compress
- 1.26.1
+ 1.27.1
@@ -75,7 +75,7 @@
org.mockito
mockito-junit-jupiter
- 5.11.0
+ 5.14.2
test
@@ -88,32 +88,32 @@
com.exasol
exasol-testcontainers
- 7.0.1
+ 7.1.1
test
org.testcontainers
junit-jupiter
- 1.19.7
+ 1.20.3
test
com.exasol
test-db-builder-java
- 3.5.4
+ 3.6.0
test
org.itsallcode
junit5-system-extensions
- 1.2.0
+ 1.2.2
test
org.slf4j
slf4j-jdk14
- 2.0.12
+ 2.0.16
@@ -139,7 +139,7 @@
com.exasol
project-keeper-maven-plugin
- 4.3.0
+ 4.4.0
@@ -176,7 +176,7 @@
udf-debugging-java-generated-parent
com.exasol
- 0.6.13
+ 0.6.14
pk_generated_parent.pom
From fccf0a3160a89339b54b361223441f2ff3f581ec Mon Sep 17 00:00:00 2001
From: Christoph Pirkl <4711730+kaklakariada@users.noreply.github.com>
Date: Wed, 12 Feb 2025 12:34:35 +0100
Subject: [PATCH 2/5] #69 #70: Upgrade dependencies (#71)
---
.github/workflows/broken_links_checker.yml | 4 --
.github/workflows/ci-build-next-java.yml | 39 ------------
.github/workflows/ci-build.yml | 71 +++++++++++++++++++--
.project-keeper.yml | 17 +++--
.settings/org.eclipse.jdt.core.prefs | 8 +--
dependencies.md | 72 +++++++++++-----------
doc/changes/changelog.md | 1 +
doc/changes/changes_0.6.15.md | 40 ++++++++++++
pk_generated_parent.pom | 16 ++---
pom.xml | 18 +++---
10 files changed, 176 insertions(+), 110 deletions(-)
delete mode 100644 .github/workflows/ci-build-next-java.yml
create mode 100644 doc/changes/changes_0.6.15.md
diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml
index 39612b7..90488ca 100644
--- a/.github/workflows/broken_links_checker.yml
+++ b/.github/workflows/broken_links_checker.yml
@@ -5,10 +5,6 @@ name: Broken Links Checker
on:
schedule:
- cron: "0 5 * * 0"
- push:
- branches:
- - main
- pull_request:
jobs:
linkChecker:
diff --git a/.github/workflows/ci-build-next-java.yml b/.github/workflows/ci-build-next-java.yml
deleted file mode 100644
index 712a7cb..0000000
--- a/.github/workflows/ci-build-next-java.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-# This file was generated by Project Keeper.
-name: CI Build next Java
-on:
- push:
- branches: [
- main
- ]
-
- pull_request: null
-jobs:
- next-java-compatibility:
- runs-on: ubuntu-latest
- defaults:
- run: {
- shell: bash
- }
- permissions: {
- contents: read
- }
- concurrency: {
- group: '${{ github.workflow }}-${{ github.ref }}',
- cancel-in-progress: true
- }
- steps:
- - name: Checkout the repository
- uses: actions/checkout@v4
- with: {
- fetch-depth: 0
- }
- - name: Set up JDK 17
- uses: actions/setup-java@v4
- with: {
- distribution: temurin,
- java-version: '17',
- cache: maven
- }
- - name: Run tests and build with Maven 17
- run: |
- mvn --batch-mode clean package -DtrimStackTrace=false -Djava.version=17
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index 05a0e2c..062a061 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -9,7 +9,7 @@ on:
pull_request: null
jobs:
matrix-build:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
defaults:
run: {
shell: bash
@@ -25,12 +25,12 @@ jobs:
fail-fast: false
matrix:
exasol_db_version: [
- 8.26.0,
- 7.1.26
+ 8.32.0,
+ 7.1.30
]
env: {
- DEFAULT_EXASOL_DB_VERSION: 8.26.0
+ DEFAULT_EXASOL_DB_VERSION: 8.32.0
}
steps:
- name: Free Disk Space
@@ -67,6 +67,11 @@ jobs:
id: enable-testcontainer-reuse,
run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
}
+ - {
+ name: Fix VM Crash in UDFs,
+ id: fix-vm-crash,
+ run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+ }
- name: Run tests and build with Maven
id: build-pk-verify
run: |
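Review bot: The new `fix-vm-crash` step relaxes the kernel's AppArmor restriction on unprivileged user namespaces (`kernel.apparmor_restrict_unprivileged_userns=0`) for the whole runner, yet nothing in the hunk records what breaks without it or when the workaround can go. On an ephemeral hosted runner the exposure is limited to this job, but the step's name alone does not let a later maintainer decide whether it is still needed; presumably it became necessary with the move from `ubuntu-20.04` to `ubuntu-latest` earlier in this file. I would add a short comment above the step, e.g. `# The UDF JVM crashes when the runner image restricts unprivileged user namespaces; remove once the root cause is fixed (see <ISSUE-LINK-PLACEHOLDER>)`. The same text is the `stepCustomizations` entry in `.project-keeper.yml` further down in this patch, so the comment should live there as the source of truth.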
@@ -103,8 +108,61 @@ jobs:
path: '${{ steps.build-pk-verify.outputs.release-artifacts }}',
retention-days: 5
}
+ - name: Configure broken links checker
+ id: configure-link-check
+ run: |
+ mkdir -p ./target
+ echo '{"aliveStatusCodes": [429, 200], "ignorePatterns": [' \
+ '{"pattern": "^https?://(www|dev).mysql.com/"},' \
+ '{"pattern": "^https?://(www.)?opensource.org"}' \
+ '{"pattern": "^https?://(www.)?eclipse.org"}' \
+ '{"pattern": "^https?://projects.eclipse.org"}' \
+ ']}' > ./target/broken_links_checker.json
+ - uses: gaurav-nelson/github-action-markdown-link-check@v1
+ id: run-link-check
+ with: {
+ use-quiet-mode: yes,
+ use-verbose-mode: yes,
+ config-file: ./target/broken_links_checker.json
+ }
+ next-java-compatibility:
+ runs-on: ubuntu-latest
+ defaults:
+ run: {
+ shell: bash
+ }
+ permissions: {
+ contents: read
+ }
+ concurrency: {
+ group: '${{ github.workflow }}-next-java-${{ github.ref }}',
+ cancel-in-progress: true
+ }
+ steps:
+ - name: Checkout the repository
+ id: checkout
+ uses: actions/checkout@v4
+ with: {
+ fetch-depth: 0
+ }
+ - name: Set up JDK 17
+ id: setup-java
+ uses: actions/setup-java@v4
+ with: {
+ distribution: temurin,
+ java-version: '17',
+ cache: maven
+ }
+ - {
+ name: Run tests and build with Maven 17,
+ id: build-next-java,
+ run: mvn --batch-mode clean package -DtrimStackTrace=false -Djava.version=17
+ }
build:
- needs: matrix-build
+ needs: [
+ matrix-build,
+ next-java-compatibility
+ ]
runs-on: ubuntu-latest
defaults:
run: {
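Review bot: The JSON emitted by the `configure-link-check` step is malformed: the `ignorePatterns` entries for `opensource.org`, `eclipse.org` and `projects.eclipse.org` are not comma-separated, so the array reads `{…},{…}{…}{…}` and `./target/broken_links_checker.json` will not parse. Append a comma to the second and third pattern lines, `'{"pattern": "^https?://(www.)?opensource.org"},' \` and `'{"pattern": "^https?://(www.)?eclipse.org"},' \`, leaving the last `projects.eclipse.org` line without one. Separately, `use-quiet-mode: yes` and `use-verbose-mode: yes` are YAML 1.1 booleans; the action documents the quoted form, so `'yes'` is the safer spelling. If this file is generated by Project Keeper, as the matching job layout suggests, both fixes belong in the template as well.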
@@ -119,11 +177,13 @@ jobs:
}
steps:
- name: Checkout the repository
+ id: checkout
uses: actions/checkout@v4
with: {
fetch-depth: 0
}
- name: Set up JDKs
+ id: setup-java
uses: actions/setup-java@v4
with:
distribution: temurin
@@ -133,6 +193,7 @@ jobs:
cache: maven
- name: Check if release is needed
id: check-release
+ if: ${{ github.ref == 'refs/heads/main' }}
run: |
if mvn --batch-mode com.exasol:project-keeper-maven-plugin:verify-release --projects .; then
echo "### ✅ Release preconditions met, start release" >> "$GITHUB_STEP_SUMMARY"
diff --git a/.project-keeper.yml b/.project-keeper.yml
index 8531de6..e9264e9 100644
--- a/.project-keeper.yml
+++ b/.project-keeper.yml
@@ -7,9 +7,16 @@ sources:
linkReplacements:
- "https://github.com/hamcrest/JavaHamcrest/hamcrest-all|https://github.com/hamcrest/JavaHamcrest"
build:
- runnerOs: ubuntu-20.04
exasolDbVersions:
- - "8.26.0"
- - "7.1.26"
-excludes:
- - "E-PK-CORE-17: Missing required file: 'release_config.yml'"
+ - "8.32.0"
+ - "7.1.30"
+ workflows:
+ - name: ci-build.yml
+ stepCustomizations:
+ - action: INSERT_AFTER
+ job: matrix-build
+ stepId: enable-testcontainer-reuse
+ content:
+ name: Fix VM Crash in UDFs
+ id: fix-vm-crash
+ run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs
index 43365b0..6d0c568 100644
--- a/.settings/org.eclipse.jdt.core.prefs
+++ b/.settings/org.eclipse.jdt.core.prefs
@@ -2,14 +2,14 @@ eclipse.preferences.version=1
org.eclipse.jdt.core.builder.annotationPath.allLocations=disabled
org.eclipse.jdt.core.compiler.annotation.inheritNullAnnotations=disabled
org.eclipse.jdt.core.compiler.annotation.missingNonNullByDefaultAnnotation=ignore
-org.eclipse.jdt.core.compiler.annotation.nonnull=javax.annotation.Nonnull
+org.eclipse.jdt.core.compiler.annotation.nonnull=org.eclipse.jdt.annotation.NonNull
org.eclipse.jdt.core.compiler.annotation.nonnull.secondary=
-org.eclipse.jdt.core.compiler.annotation.nonnullbydefault=javax.annotation.ParametersAreNonnullByDefault
+org.eclipse.jdt.core.compiler.annotation.nonnullbydefault=org.eclipse.jdt.annotation.NonNullByDefault
org.eclipse.jdt.core.compiler.annotation.nonnullbydefault.secondary=
org.eclipse.jdt.core.compiler.annotation.notowning=org.eclipse.jdt.annotation.NotOwning
-org.eclipse.jdt.core.compiler.annotation.nullable=javax.annotation.Nullable
+org.eclipse.jdt.core.compiler.annotation.nullable=org.eclipse.jdt.annotation.Nullable
org.eclipse.jdt.core.compiler.annotation.nullable.secondary=
-org.eclipse.jdt.core.compiler.annotation.nullanalysis=enabled
+org.eclipse.jdt.core.compiler.annotation.nullanalysis=disabled
org.eclipse.jdt.core.compiler.annotation.owning=org.eclipse.jdt.annotation.Owning
org.eclipse.jdt.core.compiler.annotation.resourceanalysis=disabled
org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
diff --git a/dependencies.md b/dependencies.md
index af7d03f..db51a8a 100644
--- a/dependencies.md
+++ b/dependencies.md
@@ -35,33 +35,33 @@
## Plugin Dependencies
-| Dependency | License |
-| ------------------------------------------------------- | ---------------------------------------------- |
-| [Apache Maven Clean Plugin][30] | [Apache-2.0][12] |
-| [Apache Maven Install Plugin][31] | [Apache-2.0][12] |
-| [Apache Maven Resources Plugin][32] | [Apache-2.0][12] |
-| [Apache Maven Site Plugin][33] | [Apache License, Version 2.0][12] |
-| [SonarQube Scanner for Maven][34] | [GNU LGPL 3][35] |
-| [Apache Maven Toolchains Plugin][36] | [Apache-2.0][12] |
-| [Maven Dependency Plugin][37] | [The Apache Software License, Version 2.0][38] |
-| [Project Keeper Maven plugin][39] | [The MIT License][40] |
-| [Apache Maven Compiler Plugin][41] | [Apache-2.0][12] |
-| [Apache Maven Enforcer Plugin][42] | [Apache-2.0][12] |
-| [Maven Flatten Plugin][43] | [Apache Software Licenese][12] |
-| [org.sonatype.ossindex.maven:ossindex-maven-plugin][44] | [ASL2][38] |
-| [Maven Surefire Plugin][45] | [Apache-2.0][12] |
-| [Versions Maven Plugin][46] | [Apache License, Version 2.0][12] |
-| [duplicate-finder-maven-plugin Maven Mojo][47] | [Apache License 2.0][48] |
-| [Apache Maven Deploy Plugin][49] | [Apache-2.0][12] |
-| [Apache Maven GPG Plugin][50] | [Apache-2.0][12] |
-| [Apache Maven Source Plugin][51] | [Apache License, Version 2.0][12] |
-| [Apache Maven Javadoc Plugin][52] | [Apache-2.0][12] |
-| [Nexus Staging Maven Plugin][53] | [Eclipse Public License][54] |
-| [Maven Failsafe Plugin][55] | [Apache-2.0][12] |
-| [JaCoCo :: Maven Plugin][56] | [EPL-2.0][6] |
-| [Quality Summarizer Maven Plugin][57] | [MIT License][58] |
-| [error-code-crawler-maven-plugin][59] | [MIT License][60] |
-| [Reproducible Build Maven Plugin][61] | [Apache 2.0][38] |
+| Dependency | License |
+| ------------------------------------------------------- | --------------------------------- |
+| [Apache Maven Clean Plugin][30] | [Apache-2.0][12] |
+| [Apache Maven Install Plugin][31] | [Apache-2.0][12] |
+| [Apache Maven Resources Plugin][32] | [Apache-2.0][12] |
+| [Apache Maven Site Plugin][33] | [Apache-2.0][12] |
+| [SonarQube Scanner for Maven][34] | [GNU LGPL 3][35] |
+| [Apache Maven Toolchains Plugin][36] | [Apache-2.0][12] |
+| [Apache Maven Dependency Plugin][37] | [Apache-2.0][12] |
+| [Project Keeper Maven plugin][38] | [The MIT License][39] |
+| [Apache Maven Compiler Plugin][40] | [Apache-2.0][12] |
+| [Apache Maven Enforcer Plugin][41] | [Apache-2.0][12] |
+| [Maven Flatten Plugin][42] | [Apache Software Licenese][12] |
+| [org.sonatype.ossindex.maven:ossindex-maven-plugin][43] | [ASL2][44] |
+| [Maven Surefire Plugin][45] | [Apache-2.0][12] |
+| [Versions Maven Plugin][46] | [Apache License, Version 2.0][12] |
+| [duplicate-finder-maven-plugin Maven Mojo][47] | [Apache License 2.0][48] |
+| [Apache Maven Deploy Plugin][49] | [Apache-2.0][12] |
+| [Apache Maven GPG Plugin][50] | [Apache-2.0][12] |
+| [Apache Maven Source Plugin][51] | [Apache License, Version 2.0][12] |
+| [Apache Maven Javadoc Plugin][52] | [Apache-2.0][12] |
+| [Nexus Staging Maven Plugin][53] | [Eclipse Public License][54] |
+| [Maven Failsafe Plugin][55] | [Apache-2.0][12] |
+| [JaCoCo :: Maven Plugin][56] | [EPL-2.0][6] |
+| [Quality Summarizer Maven Plugin][57] | [MIT License][58] |
+| [error-code-crawler-maven-plugin][59] | [MIT License][60] |
+| [Reproducible Build Maven Plugin][61] | [Apache 2.0][44] |
[0]: https://github.com/eclipse-ee4j/jsonp
[1]: https://projects.eclipse.org/license/epl-2.0
@@ -97,17 +97,17 @@
[31]: https://maven.apache.org/plugins/maven-install-plugin/
[32]: https://maven.apache.org/plugins/maven-resources-plugin/
[33]: https://maven.apache.org/plugins/maven-site-plugin/
-[34]: http://sonarsource.github.io/sonar-scanner-maven/
+[34]: http://docs.sonarqube.org/display/PLUG/Plugin+Library/sonar-maven-plugin
[35]: http://www.gnu.org/licenses/lgpl.txt
[36]: https://maven.apache.org/plugins/maven-toolchains-plugin/
-[37]: http://maven.apache.org/plugins/maven-dependency-plugin/
-[38]: http://www.apache.org/licenses/LICENSE-2.0.txt
-[39]: https://github.com/exasol/project-keeper/
-[40]: https://github.com/exasol/project-keeper/blob/main/LICENSE
-[41]: https://maven.apache.org/plugins/maven-compiler-plugin/
-[42]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
-[43]: https://www.mojohaus.org/flatten-maven-plugin/
-[44]: https://sonatype.github.io/ossindex-maven/maven-plugin/
+[37]: https://maven.apache.org/plugins/maven-dependency-plugin/
+[38]: https://github.com/exasol/project-keeper/
+[39]: https://github.com/exasol/project-keeper/blob/main/LICENSE
+[40]: https://maven.apache.org/plugins/maven-compiler-plugin/
+[41]: https://maven.apache.org/enforcer/maven-enforcer-plugin/
+[42]: https://www.mojohaus.org/flatten-maven-plugin/
+[43]: https://sonatype.github.io/ossindex-maven/maven-plugin/
+[44]: http://www.apache.org/licenses/LICENSE-2.0.txt
[45]: https://maven.apache.org/surefire/maven-surefire-plugin/
[46]: https://www.mojohaus.org/versions/versions-maven-plugin/
[47]: https://basepom.github.io/duplicate-finder-maven-plugin
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index 616e9f0..c34054b 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
# Changes
+* [0.6.15](changes_0.6.15.md)
* [0.6.14](changes_0.6.14.md)
* [0.6.13](changes_0.6.13.md)
* [0.6.12](changes_0.6.12.md)
diff --git a/doc/changes/changes_0.6.15.md b/doc/changes/changes_0.6.15.md
new file mode 100644
index 0000000..6123997
--- /dev/null
+++ b/doc/changes/changes_0.6.15.md
@@ -0,0 +1,40 @@
+# Udf Debugging Java 0.6.15, released 2025-02-12
+
+Code name: Fix vulnerabilities CVE-2025-25193 and CVE-2025-24970 in test dependencies
+
+## Summary
+
+This release fixes the following vulnerabilities in test dependencies:
+
+* `io.netty:netty-common:jar:4.1.115.Final:test`: CVE-2025-25193
+* `io.netty:netty-handler:jar:4.1.115.Final:test`: CVE-2025-24970
+
+## Security
+
+* #69: Fixed CVE-2025-25193 in `io.netty:netty-common:jar:4.1.115.Final:test`
+* #70: Fixed CVE-2025-24970 in `io.netty:netty-handler:jar:4.1.115.Final:test`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `com.exasol:bucketfs-java:3.2.0` to `3.2.1`
+
+### Test Dependency Updates
+
+* Updated `com.exasol:exasol-testcontainers:7.1.1` to `7.1.3`
+* Updated `org.junit.jupiter:junit-jupiter-engine:5.11.3` to `5.11.4`
+* Updated `org.junit.jupiter:junit-jupiter-params:5.11.3` to `5.11.4`
+* Updated `org.mockito:mockito-junit-jupiter:5.14.2` to `5.15.2`
+* Updated `org.testcontainers:junit-jupiter:1.20.3` to `1.20.4`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:project-keeper-maven-plugin:4.4.0` to `4.5.0`
+* Updated `org.apache.maven.plugins:maven-deploy-plugin:3.1.2` to `3.1.3`
+* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.5.1` to `3.5.2`
+* Updated `org.apache.maven.plugins:maven-javadoc-plugin:3.10.1` to `3.11.1`
+* Updated `org.apache.maven.plugins:maven-site-plugin:3.9.1` to `3.21.0`
+* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.5.1` to `3.5.2`
+* Updated `org.codehaus.mojo:versions-maven-plugin:2.17.1` to `2.18.0`
+* Updated `org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121` to `5.0.0.4389`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index 32c5a9f..b7e005e 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@
4.0.0
com.exasol
udf-debugging-java-generated-parent
- 0.6.14
+ 0.6.15
pom
UTF-8
@@ -65,12 +65,12 @@
org.apache.maven.plugins
maven-site-plugin
- 3.9.1
+ 3.21.0
org.sonarsource.scanner.maven
sonar-maven-plugin
- 4.0.0.4121
+ 5.0.0.4389
org.apache.maven.plugins
@@ -170,7 +170,7 @@
org.apache.maven.plugins
maven-surefire-plugin
- 3.5.1
+ 3.5.2
@@ -181,7 +181,7 @@
org.codehaus.mojo
versions-maven-plugin
- 2.17.1
+ 2.18.0
display-updates
@@ -235,7 +235,7 @@
org.apache.maven.plugins
maven-deploy-plugin
- 3.1.2
+ 3.1.3
true
@@ -279,7 +279,7 @@
org.apache.maven.plugins
maven-javadoc-plugin
- 3.10.1
+ 3.11.1
attach-javadocs
@@ -322,7 +322,7 @@
org.apache.maven.plugins
maven-failsafe-plugin
- 3.5.1
+ 3.5.2
-Djava.util.logging.config.file=src/test/resources/logging.properties ${argLine}
diff --git a/pom.xml b/pom.xml
index 40a8ca8..7c43be6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2,12 +2,12 @@
4.0.0
udf-debugging-java
- 0.6.14
+ 0.6.15
udf-debugging-java
Utilities for debugging, profiling and code coverage measure for UDFs.
https://github.com/exasol/udf-debugging-java/
- 5.11.3
+ 5.11.4
0.8.12
@@ -42,12 +42,12 @@
com.exasol
bucketfs-java
- 3.2.0
+ 3.2.1
com.exasol
exasol-test-setup-abstraction-java
- 2.1.6
+ 2.1.7
From b23448a06ab76280d1a017e1f2c1794e962a194c Mon Sep 17 00:00:00 2001
From: Christoph Pirkl <4711730+kaklakariada@users.noreply.github.com>
Date: Mon, 2 Jun 2025 12:02:55 +0200
Subject: [PATCH 4/5] #74: Upgrade dependencies (#76)
---
.gitattributes | 1 +
.github/workflows/broken_links_checker.yml | 51 ++++++-----
.github/workflows/ci-build.yml | 21 +++--
.github/workflows/dependencies_check.yml | 6 +-
.project-keeper.yml | 18 +++-
.settings/org.eclipse.jdt.core.prefs | 4 +-
SECURITY.md | 25 ++++++
dependencies.md | 89 ++++++++++---------
doc/changes/changelog.md | 1 +
doc/changes/changes_0.6.16.md | 48 ++++++++++
pk_generated_parent.pom | 61 +++++++++----
pom.xml | 22 ++---
.../exasol/udfdebugging/PushDownTesting.java | 3 +
.../modules/coverage/CoverageModule.java | 3 +-
.../modules/coverage/CoverageModuleTest.java | 20 +++--
src/test/resources/logging.properties | 2 +-
16 files changed, 257 insertions(+), 118 deletions(-)
create mode 100644 SECURITY.md
create mode 100644 doc/changes/changes_0.6.16.md
diff --git a/.gitattributes b/.gitattributes
index be0dddc..fd991dc 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,4 @@
+SECURITY.md linguist-generated=true
dependencies.md linguist-generated=true
doc/changes/changelog.md linguist-generated=true
pk_generated_parent.pom linguist-generated=true
diff --git a/.github/workflows/broken_links_checker.yml b/.github/workflows/broken_links_checker.yml
index 90488ca..09e4bac 100644
--- a/.github/workflows/broken_links_checker.yml
+++ b/.github/workflows/broken_links_checker.yml
@@ -1,35 +1,44 @@
-# Generated by Project Keeper
-# https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/broken_links_checker.yml
+# This file was generated by Project Keeper.
name: Broken Links Checker
-
on:
schedule:
- - cron: "0 5 * * 0"
-
+ - {
+ cron: 0 5 * * 0
+ }
+ workflow_dispatch: null
jobs:
linkChecker:
runs-on: ubuntu-latest
- permissions:
+ permissions: {
contents: read
+ }
defaults:
- run:
- shell: "bash"
- concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ run: {
+ shell: bash
+ }
+ concurrency: {
+ group: '${{ github.workflow }}-${{ github.ref }}',
cancel-in-progress: true
+ }
steps:
- - uses: actions/checkout@v4
- - name: Configure broken links checker
+ - {
+ id: checkout,
+ uses: actions/checkout@v4
+ }
+ - id: configure-broken-links-checker
+ name: Configure broken links checker
run: |
mkdir -p ./target
echo '{"aliveStatusCodes": [429, 200], "ignorePatterns": [' \
- '{"pattern": "^https?://(www|dev).mysql.com/"},' \
- '{"pattern": "^https?://(www.)?opensource.org"}' \
- '{"pattern": "^https?://(www.)?eclipse.org"}' \
- '{"pattern": "^https?://projects.eclipse.org"}' \
- ']}' > ./target/broken_links_checker.json
- - uses: gaurav-nelson/github-action-markdown-link-check@v1
- with:
- use-quiet-mode: "yes"
- use-verbose-mode: "yes"
+ '{"pattern": "^https?://(www|dev).mysql.com/"},' \
+ '{"pattern": "^https?://(www.)?opensource.org"}' \
+ '{"pattern": "^https?://(www.)?eclipse.org"}' \
+ '{"pattern": "^https?://projects.eclipse.org"}' \
+ ']}' > ./target/broken_links_checker.json
+ - id: run-broken-links-checker
+ uses: gaurav-nelson/github-action-markdown-link-check@v1
+ with: {
+ use-quiet-mode: yes,
+ use-verbose-mode: yes,
config-file: ./target/broken_links_checker.json
+ }
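Review bot: The regenerated inputs `use-quiet-mode: yes` and `use-verbose-mode: yes` dropped the quotes the previous version had; `yes` is a boolean in YAML 1.1 and the action documents these inputs as the string `yes`, so whether the action sees `yes` or `true` now depends on the workflow parser rather than on the file. Restoring `use-quiet-mode: 'yes'` and `use-verbose-mode: 'yes'` (and quoting `cron: '0 5 * * 0'` for the same reason) removes the ambiguity without changing intent. Separately, `gaurav-nelson/github-action-markdown-link-check@v1` is a third-party action pulled by a mutable tag on a scheduled job; pinning it to a full commit SHA with a version comment keeps the executed code tied to this repository's history. Since the file is generated, both changes need to go into the Project Keeper template or a `stepCustomizations` override rather than the workflow itself.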
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index 463b863..63f3e50 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -6,10 +6,17 @@ on:
main
]
- pull_request: null
+ pull_request:
+ types: [
+ opened,
+ synchronize,
+ reopened,
+ ready_for_review
+ ]
+
jobs:
matrix-build:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-24.04
defaults:
run: {
shell: bash
@@ -25,12 +32,11 @@ jobs:
fail-fast: false
matrix:
exasol_db_version: [
- 8.32.0,
- 7.1.30
+ 8.34.0
]
env: {
- DEFAULT_EXASOL_DB_VERSION: 8.32.0
+ DEFAULT_EXASOL_DB_VERSION: 8.34.0
}
steps:
- name: Free Disk Space
@@ -67,6 +73,11 @@ jobs:
id: enable-testcontainer-reuse,
run: echo 'testcontainers.reuse.enable=true' > "$HOME/.testcontainers.properties"
}
+ - {
+ name: Fix VM Crash in UDFs,
+ id: fix-vm-crash,
+ run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+ }
- name: Run tests and build with Maven
id: build-pk-verify
run: |
diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml
index 02c5aa0..0832e80 100644
--- a/.github/workflows/dependencies_check.yml
+++ b/.github/workflows/dependencies_check.yml
@@ -46,9 +46,9 @@ jobs:
org.sonatype.ossindex.maven:ossindex-maven-plugin:audit-aggregate \
-Dossindex.reportFile=$(pwd)/ossindex-report.json \
-Dossindex.fail=false
- - name: Report Security Issues
- id: security-issues
- uses: exasol/python-toolbox/.github/actions/security-issues@main
+ - name: Create GitHub Issues
+ id: create-security-issues
+ uses: exasol/python-toolbox/.github/actions/security-issues@1.1.0
with: {
format: maven,
command: cat ossindex-report.json,
diff --git a/.project-keeper.yml b/.project-keeper.yml
index 850a718..bab3287 100644
--- a/.project-keeper.yml
+++ b/.project-keeper.yml
@@ -5,8 +5,18 @@ sources:
- maven_central
- integration_tests
build:
- # UDFs in Exasol 7.1 require Ubuntu 20.04
- runnerOs: ubuntu-20.04
+ runnerOs: ubuntu-24.04
exasolDbVersions:
- - "8.32.0"
- - "7.1.30"
+ - "8.34.0"
+ # UDFs in Exasol 7.1 with Ubuntu 20.04 will be fixed in the next Docker-DB release
+ # - "7.1.30"
+ workflows:
+ - name: ci-build.yml
+ stepCustomizations:
+ - action: INSERT_AFTER
+ job: matrix-build
+ stepId: enable-testcontainer-reuse
+ content:
+ name: Fix VM Crash in UDFs
+ id: fix-vm-crash
+ run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
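Review bot: Commenting out `"7.1.30"` under `exasolDbVersions` silently removes Exasol 7.1 from the integration-test matrix, and as far as this patch shows the 0.6.16 changelog does not mention that 7.1 is no longer tested nor is there an issue tracking when it comes back; the inline comment only says it "will be fixed in the next Docker-DB release". Please add a changelog line stating that integration tests currently run against Exasol 8.34.0 only, and extend the comment to point at a tracking issue, e.g. `# Exasol 7.1 UDFs crash on the ubuntu-24.04 runner until the next Docker-DB release; re-enable when fixed (see issue #<n>)`, so the coverage gap has an owner. The `fix-vm-crash` customization below it would benefit from the same why-comment, since it weakens a kernel hardening setting on the runner and nothing here explains the connection to the 24.04 switch.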
diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs
index 6d0c568..7644ed3 100644
--- a/.settings/org.eclipse.jdt.core.prefs
+++ b/.settings/org.eclipse.jdt.core.prefs
@@ -241,7 +241,7 @@ org.eclipse.jdt.core.formatter.indent_empty_lines=false
org.eclipse.jdt.core.formatter.indent_statements_compare_to_block=true
org.eclipse.jdt.core.formatter.indent_statements_compare_to_body=true
org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_cases=true
-org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_switch=false
+org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_switch=true
org.eclipse.jdt.core.formatter.indentation.size=4
org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_enum_constant=insert
org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_field=insert
@@ -447,7 +447,7 @@ org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_enum_constan
org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_declaration=do not insert
org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_invocation=do not insert
org.eclipse.jdt.core.formatter.join_lines_in_comments=true
-org.eclipse.jdt.core.formatter.join_wrapped_lines=true
+org.eclipse.jdt.core.formatter.join_wrapped_lines=false
org.eclipse.jdt.core.formatter.keep_annotation_declaration_on_one_line=one_line_never
org.eclipse.jdt.core.formatter.keep_anonymous_type_declaration_on_one_line=one_line_never
org.eclipse.jdt.core.formatter.keep_code_block_on_one_line=one_line_never
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..f0edc21
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,25 @@
+# Security
+
+If you believe you have found a new security vulnerability in this repository, please report it to us as follows.
+
+## Reporting Security Issues
+
+* Please do **not** report security vulnerabilities through public GitHub issues.
+
+* Please create a draft security advisory on the Github page: the reporting form is under `> Security > Advisories`. The URL is https://github.com/exasol/udf-debugging-java/security/advisories/new.
+
+* If you prefer to email, please send your report to `infosec@exasol.com`.
+
+## Guidelines
+
+* When reporting a vulnerability, please include as much information as possible, including the complete steps to reproduce the issue.
+
+* Avoid sending us executables.
+
+* Feel free to include any script you wrote and used but avoid sending us scripts that download and run binaries.
+
+* We will prioritise reports that show how the exploits work in realistic environments.
+
+* We prefer all communications to be in English.
+
+* We do not offer financial rewards. We are happy to acknowledge your research publicly when possible.
diff --git a/dependencies.md b/dependencies.md
index 8e4a0e0..3778478 100644
--- a/dependencies.md
+++ b/dependencies.md
@@ -11,7 +11,7 @@
| [BucketFS Java][7] | [MIT License][8] |
| [exasol-test-setup-abstraction-java][9] | [MIT License][10] |
| [Apache Commons Compress][11] | [Apache-2.0][12] |
-| [SLF4J JDK14 Provider][13] | [MIT License][14] |
+| [SLF4J JDK14 Provider][13] | [MIT][14] |
## Test Dependencies
@@ -35,33 +35,34 @@
## Plugin Dependencies
-| Dependency | License |
-| ------------------------------------------------------- | --------------------------------- |
-| [Apache Maven Clean Plugin][30] | [Apache-2.0][12] |
-| [Apache Maven Install Plugin][31] | [Apache-2.0][12] |
-| [Apache Maven Resources Plugin][32] | [Apache-2.0][12] |
-| [Apache Maven Site Plugin][33] | [Apache-2.0][12] |
-| [SonarQube Scanner for Maven][34] | [GNU LGPL 3][35] |
-| [Apache Maven Toolchains Plugin][36] | [Apache-2.0][12] |
-| [Apache Maven Dependency Plugin][37] | [Apache-2.0][12] |
-| [Project Keeper Maven plugin][38] | [The MIT License][39] |
-| [Apache Maven Compiler Plugin][40] | [Apache-2.0][12] |
-| [Apache Maven Enforcer Plugin][41] | [Apache-2.0][12] |
-| [Maven Flatten Plugin][42] | [Apache Software Licenese][12] |
-| [org.sonatype.ossindex.maven:ossindex-maven-plugin][43] | [ASL2][44] |
-| [Maven Surefire Plugin][45] | [Apache-2.0][12] |
-| [Versions Maven Plugin][46] | [Apache License, Version 2.0][12] |
-| [duplicate-finder-maven-plugin Maven Mojo][47] | [Apache License 2.0][48] |
-| [Apache Maven Deploy Plugin][49] | [Apache-2.0][12] |
-| [Apache Maven GPG Plugin][50] | [Apache-2.0][12] |
-| [Apache Maven Source Plugin][51] | [Apache License, Version 2.0][12] |
-| [Apache Maven Javadoc Plugin][52] | [Apache-2.0][12] |
-| [Nexus Staging Maven Plugin][53] | [Eclipse Public License][54] |
-| [Maven Failsafe Plugin][55] | [Apache-2.0][12] |
-| [JaCoCo :: Maven Plugin][56] | [EPL-2.0][6] |
-| [Quality Summarizer Maven Plugin][57] | [MIT License][58] |
-| [error-code-crawler-maven-plugin][59] | [MIT License][60] |
-| [Reproducible Build Maven Plugin][61] | [Apache 2.0][44] |
+| Dependency | License |
+| ------------------------------------------------------- | ------------------------------------------- |
+| [Apache Maven Clean Plugin][30] | [Apache-2.0][12] |
+| [Apache Maven Install Plugin][31] | [Apache-2.0][12] |
+| [Apache Maven Resources Plugin][32] | [Apache-2.0][12] |
+| [Apache Maven Site Plugin][33] | [Apache-2.0][12] |
+| [SonarQube Scanner for Maven][34] | [GNU LGPL 3][35] |
+| [Apache Maven Toolchains Plugin][36] | [Apache-2.0][12] |
+| [Apache Maven Dependency Plugin][37] | [Apache-2.0][12] |
+| [Project Keeper Maven plugin][38] | [The MIT License][39] |
+| [Apache Maven Compiler Plugin][40] | [Apache-2.0][12] |
+| [Apache Maven Enforcer Plugin][41] | [Apache-2.0][12] |
+| [Maven Flatten Plugin][42] | [Apache Software Licenese][12] |
+| [org.sonatype.ossindex.maven:ossindex-maven-plugin][43] | [ASL2][44] |
+| [Maven Surefire Plugin][45] | [Apache-2.0][12] |
+| [Versions Maven Plugin][46] | [Apache License, Version 2.0][12] |
+| [duplicate-finder-maven-plugin Maven Mojo][47] | [Apache License 2.0][48] |
+| [Apache Maven Artifact Plugin][49] | [Apache-2.0][12] |
+| [Apache Maven Deploy Plugin][50] | [Apache-2.0][12] |
+| [Apache Maven GPG Plugin][51] | [Apache-2.0][12] |
+| [Apache Maven Source Plugin][52] | [Apache License, Version 2.0][12] |
+| [Apache Maven Javadoc Plugin][53] | [Apache-2.0][12] |
+| [Nexus Staging Maven Plugin][54] | [Eclipse Public License][55] |
+| [Maven Failsafe Plugin][56] | [Apache-2.0][12] |
+| [JaCoCo :: Maven Plugin][57] | [EPL-2.0][6] |
+| [Quality Summarizer Maven Plugin][58] | [MIT License][59] |
+| [error-code-crawler-maven-plugin][60] | [MIT License][61] |
+| [Git Commit Id Maven Plugin][62] | [GNU Lesser General Public License 3.0][63] |
[0]: https://github.com/eclipse-ee4j/jsonp
[1]: https://projects.eclipse.org/license/epl-2.0
@@ -77,7 +78,7 @@
[11]: https://commons.apache.org/proper/commons-compress/
[12]: https://www.apache.org/licenses/LICENSE-2.0.txt
[13]: http://www.slf4j.org
-[14]: http://www.opensource.org/licenses/mit-license.php
+[14]: https://opensource.org/license/mit
[15]: https://junit.org/junit5/
[16]: https://www.eclipse.org/legal/epl-v20.html
[17]: https://github.com/mockito/mockito
@@ -97,7 +98,7 @@
[31]: https://maven.apache.org/plugins/maven-install-plugin/
[32]: https://maven.apache.org/plugins/maven-resources-plugin/
[33]: https://maven.apache.org/plugins/maven-site-plugin/
-[34]: http://docs.sonarqube.org/display/PLUG/Plugin+Library/sonar-maven-plugin
+[34]: http://docs.sonarqube.org/display/PLUG/Plugin+Library/sonar-scanner-maven/sonar-maven-plugin
[35]: http://www.gnu.org/licenses/lgpl.txt
[36]: https://maven.apache.org/plugins/maven-toolchains-plugin/
[37]: https://maven.apache.org/plugins/maven-dependency-plugin/
@@ -112,16 +113,18 @@
[46]: https://www.mojohaus.org/versions/versions-maven-plugin/
[47]: https://basepom.github.io/duplicate-finder-maven-plugin
[48]: http://www.apache.org/licenses/LICENSE-2.0.html
-[49]: https://maven.apache.org/plugins/maven-deploy-plugin/
-[50]: https://maven.apache.org/plugins/maven-gpg-plugin/
-[51]: https://maven.apache.org/plugins/maven-source-plugin/
-[52]: https://maven.apache.org/plugins/maven-javadoc-plugin/
-[53]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
-[54]: http://www.eclipse.org/legal/epl-v10.html
-[55]: https://maven.apache.org/surefire/maven-failsafe-plugin/
-[56]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
-[57]: https://github.com/exasol/quality-summarizer-maven-plugin/
-[58]: https://github.com/exasol/quality-summarizer-maven-plugin/blob/main/LICENSE
-[59]: https://github.com/exasol/error-code-crawler-maven-plugin/
-[60]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
-[61]: http://zlika.github.io/reproducible-build-maven-plugin
+[49]: https://maven.apache.org/plugins/maven-artifact-plugin/
+[50]: https://maven.apache.org/plugins/maven-deploy-plugin/
+[51]: https://maven.apache.org/plugins/maven-gpg-plugin/
+[52]: https://maven.apache.org/plugins/maven-source-plugin/
+[53]: https://maven.apache.org/plugins/maven-javadoc-plugin/
+[54]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
+[55]: http://www.eclipse.org/legal/epl-v10.html
+[56]: https://maven.apache.org/surefire/maven-failsafe-plugin/
+[57]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
+[58]: https://github.com/exasol/quality-summarizer-maven-plugin/
+[59]: https://github.com/exasol/quality-summarizer-maven-plugin/blob/main/LICENSE
+[60]: https://github.com/exasol/error-code-crawler-maven-plugin/
+[61]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
+[62]: https://github.com/git-commit-id/git-commit-id-maven-plugin
+[63]: http://www.gnu.org/licenses/lgpl-3.0.txt
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index c34054b..39e84a8 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
# Changes
+* [0.6.16](changes_0.6.16.md)
* [0.6.15](changes_0.6.15.md)
* [0.6.14](changes_0.6.14.md)
* [0.6.13](changes_0.6.13.md)
diff --git a/doc/changes/changes_0.6.16.md b/doc/changes/changes_0.6.16.md
new file mode 100644
index 0000000..f085995
--- /dev/null
+++ b/doc/changes/changes_0.6.16.md
@@ -0,0 +1,48 @@
+# Udf Debugging Java 0.6.16, released 2025-06-02
+
+Code name: Security updates on top of 0.6.15
+
+## Summary
+
+This release is a security update. We updated the dependencies of the project to fix transitive security issues.
+
+We also added an exception for the OSSIndex for CVE-2024-55551, which is a false positive in Exasol's JDBC driver.
+This issue has been fixed quite a while back now, but the OSSIndex unfortunately does not contain the fix version of 24.2.1 (2024-12-10) set.
+
+## Security
+
+* #74: Fix CVE-2024-55551 in com.exasol:exasol-jdbc:jar:24.2.1
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `org.jacoco:org.jacoco.core:0.8.12` to `0.8.13`
+* Updated `org.slf4j:slf4j-jdk14:2.0.16` to `2.0.17`
+
+### Test Dependency Updates
+
+* Updated `com.exasol:exasol-testcontainers:7.1.3` to `7.1.5`
+* Updated `com.exasol:test-db-builder-java:3.6.0` to `3.6.1`
+* Updated `org.jacoco:org.jacoco.agent:0.8.12` to `0.8.13`
+* Updated `org.junit.jupiter:junit-jupiter-engine:5.11.4` to `5.13.0`
+* Updated `org.junit.jupiter:junit-jupiter-params:5.11.4` to `5.13.0`
+* Updated `org.mockito:mockito-junit-jupiter:5.15.2` to `5.18.0`
+* Updated `org.testcontainers:junit-jupiter:1.20.4` to `1.21.1`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:project-keeper-maven-plugin:4.5.0` to `5.1.0`
+* Added `io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1`
+* Removed `io.github.zlika:reproducible-build-maven-plugin:0.17`
+* Added `org.apache.maven.plugins:maven-artifact-plugin:3.6.0`
+* Updated `org.apache.maven.plugins:maven-clean-plugin:3.4.0` to `3.4.1`
+* Updated `org.apache.maven.plugins:maven-compiler-plugin:3.13.0` to `3.14.0`
+* Updated `org.apache.maven.plugins:maven-deploy-plugin:3.1.3` to `3.1.4`
+* Updated `org.apache.maven.plugins:maven-failsafe-plugin:3.5.2` to `3.5.3`
+* Updated `org.apache.maven.plugins:maven-install-plugin:3.1.3` to `3.1.4`
+* Updated `org.apache.maven.plugins:maven-javadoc-plugin:3.11.1` to `3.11.2`
+* Updated `org.apache.maven.plugins:maven-surefire-plugin:3.5.2` to `3.5.3`
+* Updated `org.codehaus.mojo:flatten-maven-plugin:1.6.0` to `1.7.0`
+* Updated `org.jacoco:jacoco-maven-plugin:0.8.12` to `0.8.13`
+* Updated `org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389` to `5.1.0.4751`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index b7e005e..26ca8c2 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,11 +3,12 @@
4.0.0
com.exasol
udf-debugging-java-generated-parent
- 0.6.15
+ 0.6.16
pom
UTF-8
UTF-8
+ ${git.commit.time}
11
exasol
https://sonarcloud.io
@@ -50,12 +51,12 @@
org.apache.maven.plugins
maven-clean-plugin
- 3.4.0
+ 3.4.1
org.apache.maven.plugins
maven-install-plugin
- 3.1.3
+ 3.1.4
org.apache.maven.plugins
@@ -70,7 +71,7 @@
org.sonarsource.scanner.maven
sonar-maven-plugin
- 5.0.0.4389
+ 5.1.0.4751
org.apache.maven.plugins
@@ -94,7 +95,7 @@
org.apache.maven.plugins
maven-compiler-plugin
- 3.13.0
+ 3.14.0
${java.version}
${java.version}
@@ -118,7 +119,7 @@
- 3.6.3
+ 3.8.7
17
@@ -131,7 +132,7 @@
org.codehaus.mojo
flatten-maven-plugin
- 1.6.0
+ 1.7.0
true
oss
@@ -170,7 +171,7 @@
org.apache.maven.plugins
maven-surefire-plugin
- 3.5.2
+ 3.5.3
@@ -185,7 +186,7 @@
display-updates
- package
+ verify
display-plugin-updates
display-dependency-updates
@@ -202,6 +203,7 @@
true
true
true
+ false
false
true
true
@@ -232,10 +234,24 @@
false
+
+ org.apache.maven.plugins
+ maven-artifact-plugin
+ 3.6.0
+
+
+ check-build-plan
+ verify
+
+ check-buildplan
+
+
+
+
org.apache.maven.plugins
maven-deploy-plugin
- 3.1.3
+ 3.1.4
true
@@ -279,7 +295,7 @@
org.apache.maven.plugins
maven-javadoc-plugin
- 3.11.1
+ 3.11.2
attach-javadocs
@@ -322,7 +338,7 @@
org.apache.maven.plugins
maven-failsafe-plugin
- 3.5.2
+ 3.5.3
-Djava.util.logging.config.file=src/test/resources/logging.properties ${argLine}
@@ -342,7 +358,7 @@
org.jacoco
jacoco-maven-plugin
- 0.8.12
+ 0.8.13
prepare-agent
@@ -407,18 +423,25 @@
- io.github.zlika
- reproducible-build-maven-plugin
- 0.17
+ io.github.git-commit-id
+ git-commit-id-maven-plugin
+ 9.0.1
- strip-jar
- package
+ get-the-git-infos
- strip-jar
+ revision
+ initialize
+
+ true
+ UTC
+
+ git.commit.time
+
+
diff --git a/pom.xml b/pom.xml
index 07c4024..b55779c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2,13 +2,13 @@
4.0.0
udf-debugging-java
- 0.6.15
+ 0.6.16
udf-debugging-java
Utilities for debugging, profiling and code coverage measure for UDFs.
https://github.com/exasol/udf-debugging-java/
- 5.11.4
- 0.8.12
+ 5.13.0
+ 0.8.13
@@ -75,7 +75,7 @@
org.mockito
mockito-junit-jupiter
- 5.15.2
+ 5.18.0
test
@@ -88,19 +88,19 @@
com.exasol
exasol-testcontainers
- 7.1.3
+ 7.1.5
test
org.testcontainers
junit-jupiter
- 1.20.4
+ 1.21.1
test
com.exasol
test-db-builder-java
- 3.6.0
+ 3.6.1
test
@@ -113,7 +113,7 @@
org.slf4j
slf4j-jdk14
- 2.0.16
+ 2.0.17
@@ -139,7 +139,7 @@
com.exasol
project-keeper-maven-plugin
- 4.5.0
+ 5.1.0
@@ -168,6 +168,8 @@
CVE-2017-10355
+
+ CVE-2024-55551
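Review bot: The added `CVE-2024-55551` entry carries no rationale, although an entry of this kind silences a scanner finding for every future build. The element names are stripped in this rendering, but the line sits next to `CVE-2017-10355` in what appears to be the vulnerability-exclusion list of the dependency scanner configured in pom.xml, so I'd attach an XML comment on the new line stating which artifact the finding concerns, why it does not apply to this project, and when the entry should be revisited, e.g. `<!-- CVE-2024-55551: <reason the finding does not apply>; re-check when <affected artifact> is upgraded -->`. Without that, the suppression outlives its justification and cannot be audited from the file alone.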
@@ -176,7 +178,7 @@
udf-debugging-java-generated-parent
com.exasol
- 0.6.15
+ 0.6.16
pk_generated_parent.pom
diff --git a/src/main/java/com/exasol/udfdebugging/PushDownTesting.java b/src/main/java/com/exasol/udfdebugging/PushDownTesting.java
index 2ac6488..f09f147 100644
--- a/src/main/java/com/exasol/udfdebugging/PushDownTesting.java
+++ b/src/main/java/com/exasol/udfdebugging/PushDownTesting.java
@@ -9,6 +9,9 @@
* This class contains helper functions for testing virtual schema push down queries.
*/
public class PushDownTesting {
+ private PushDownTesting() {
+ // Not instanciable
+ }
/**
* Get the push-down SQL query generated by a Virtual Schema adapter call.
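Review bot: The comment in the new private constructor has a typo: `// Not instanciable` should read `// Not instantiable`. Since the class is otherwise documented only at class level, a one-line Javadoc on the constructor such as `/** Private constructor to hide the implicit public one: this is a utility class. */` would also explain why it exists. The class body continues outside this hunk.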
diff --git a/src/main/java/com/exasol/udfdebugging/modules/coverage/CoverageModule.java b/src/main/java/com/exasol/udfdebugging/modules/coverage/CoverageModule.java
index 2f3672c..055bd1a 100644
--- a/src/main/java/com/exasol/udfdebugging/modules/coverage/CoverageModule.java
+++ b/src/main/java/com/exasol/udfdebugging/modules/coverage/CoverageModule.java
@@ -1,7 +1,6 @@
package com.exasol.udfdebugging.modules.coverage;
import java.io.FileNotFoundException;
-import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.file.Path;
import java.util.concurrent.TimeoutException;
@@ -63,7 +62,7 @@ private void uploadAgentToBucketFs(final Bucket bucket) {
}
@Override
- public void close() throws IOException {
+ public void close() {
// nothing to close
}
}
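Review bot: Dropping `throws IOException` from `close()` on the new side narrows the checked-exception contract of a method in `src/main`, which is a source-incompatible change for any caller that catches `IOException` solely around this call or around a try-with-resources whose only resource is a `CoverageModule` — Java rejects a catch of a checked exception that is never thrown. Whether `CoverageModule` is part of the library's public API is not visible in this hunk; if it is, the change should be called out in the release notes, or the throws clause kept (in which case the `java.io.IOException` import removed in the first hunk of this file is needed again). The enclosing class continues outside the hunk.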
diff --git a/src/test/java/com/exasol/udfdebugging/modules/coverage/CoverageModuleTest.java b/src/test/java/com/exasol/udfdebugging/modules/coverage/CoverageModuleTest.java
index 40129a8..7d09754 100644
--- a/src/test/java/com/exasol/udfdebugging/modules/coverage/CoverageModuleTest.java
+++ b/src/test/java/com/exasol/udfdebugging/modules/coverage/CoverageModuleTest.java
@@ -18,11 +18,14 @@
class CoverageModuleTest {
@Test
+ @SuppressWarnings("try") // auto-closeable resource coverageModule is never referenced in body of try statement
void testUpload() throws BucketAccessException, TimeoutException, FileNotFoundException {
final Bucket bucket = mock(Bucket.class);
- new CoverageModule((port) -> new InetSocketAddress("1.2.3.4", port), bucket);
- verify(bucket).uploadFile(Path.of("target", "jacoco-agent", "org.jacoco.agent-runtime.jar"),
- "org.jacoco.agent-runtime.jar");
+ try (CoverageModule coverageModule = new CoverageModule(port -> new InetSocketAddress("1.2.3.4", port),
+ bucket)) {
+ verify(bucket).uploadFile(Path.of("target", "jacoco-agent", "org.jacoco.agent-runtime.jar"),
+ "org.jacoco.agent-runtime.jar");
+ }
}
@Test
@@ -30,9 +33,10 @@ void testGetJvmOptions() {
final Bucket bucket = mock(Bucket.class);
when(bucket.getBucketFsName()).thenReturn("my_bucketfs");
when(bucket.getBucketName()).thenReturn("my_bucket");
- final CoverageModule coverageModule = new CoverageModule((port) -> new InetSocketAddress("1.2.3.4", port),
- bucket);
- assertThat(coverageModule.getJvmOptions().collect(Collectors.toList()), contains(
- "-javaagent:/buckets/my_bucketfs/my_bucket/org.jacoco.agent-runtime.jar=output=tcpclient,address=1.2.3.4,port=3002"));
+ try (final CoverageModule coverageModule = new CoverageModule(port -> new InetSocketAddress("1.2.3.4", port),
+ bucket)) {
+ assertThat(coverageModule.getJvmOptions().collect(Collectors.toList()), contains(
+ "-javaagent:/buckets/my_bucketfs/my_bucket/org.jacoco.agent-runtime.jar=output=tcpclient,address=1.2.3.4,port=3002"));
+ }
}
-}
\ No newline at end of file
+}
diff --git a/src/test/resources/logging.properties b/src/test/resources/logging.properties
index 8c97abe..8d41bf2 100644
--- a/src/test/resources/logging.properties
+++ b/src/test/resources/logging.properties
@@ -2,5 +2,5 @@ handlers=java.util.logging.ConsoleHandler
.level=INFO
java.util.logging.ConsoleHandler.level=ALL
java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter
-java.util.logging.SimpleFormatter.format=%1$tF %1$tT.%1$tL [%4$-7s] %5$s %n
+java.util.logging.SimpleFormatter.format=%1$tF %1$tT.%1$tL [%4$-7s] %5$s %6$s%n
com.exasol.level=ALL
From e04eb6b84ae18e17c837682aa4ea35a9efeb50a2 Mon Sep 17 00:00:00 2001
From: Pieterjan Spoelders
Date: Thu, 31 Jul 2025 06:00:29 -0400
Subject: [PATCH 5/5] CVE-2025-48924 (#79)
* CVE-2025-48924
* Apply suggestions from code review
---
.github/workflows/ci-build.yml | 3 +-
.github/workflows/dependencies_check.yml | 4 +-
.github/workflows/dependencies_update.yml | 2 +-
.github/workflows/release.yml | 29 ++++++++++++---
.vscode/settings.json | 5 ++-
dependencies.md | 31 ++++++++--------
doc/changes/changelog.md | 1 +
doc/changes/changes_0.6.17.md | 44 ++++++++++++++++++++++
pk_generated_parent.pom | 45 ++++++++---------------
pom.xml | 12 +++---
10 files changed, 114 insertions(+), 62 deletions(-)
create mode 100644 doc/changes/changes_0.6.17.md
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index 63f3e50..2dd25b6 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -227,5 +227,6 @@ jobs:
}
uses: ./.github/workflows/release.yml
with: {
- started-from-ci: true
+ started-from-ci: true,
+ maven-central-auto-publish: true
}
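Review bot: The CI-triggered call to release.yml now hard-codes `maven-central-auto-publish: true`, so a release started from CI is published to Maven Central with no manual promotion step, while the `workflow_dispatch` input added in the same commit lets an operator choose. If that is intended, a short comment on the new line stating it would help, e.g. `# CI-started releases publish without manual promotion; use workflow_dispatch to only stage`; otherwise consider passing `false` here so that CI-started releases can still be reviewed at https://central.sonatype.com/publishing/deployments before they become immutable. The job header and the condition under which this call runs are outside the hunk.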
diff --git a/.github/workflows/dependencies_check.yml b/.github/workflows/dependencies_check.yml
index 0832e80..41c1253 100644
--- a/.github/workflows/dependencies_check.yml
+++ b/.github/workflows/dependencies_check.yml
@@ -18,7 +18,7 @@ jobs:
issues: write
}
outputs: {
- created-issues: '${{ steps.security-issues.outputs.created-issues }}'
+ created-issues: '${{ steps.create-security-issues.outputs.created-issues }}'
}
concurrency: {
group: '${{ github.workflow }}-report_security_issues',
@@ -60,7 +60,7 @@ jobs:
echo "$CREATED_ISSUES" > test.jsonl
cat test.jsonl
env: {
- CREATED_ISSUES: '${{ steps.security-issues.outputs.created-issues }}'
+ CREATED_ISSUES: '${{ steps.create-security-issues.outputs.created-issues }}'
}
start_dependency_udpate:
needs: report_security_issues
diff --git a/.github/workflows/dependencies_update.yml b/.github/workflows/dependencies_update.yml
index c901506..007215d 100644
--- a/.github/workflows/dependencies_update.yml
+++ b/.github/workflows/dependencies_update.yml
@@ -172,5 +172,5 @@ jobs:
message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}'
}
env: {
- SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}'
+ SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}'
}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e4682a3..db9d10a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,12 @@ on:
required: true,
default: false
}
+ maven-central-auto-publish: {
+ description: 'Automatically publish to Maven Central. Deactivate to manually publish at https://central.sonatype.com/publishing/deployments',
+ required: true,
+ type: boolean,
+ default: true
+ }
workflow_dispatch:
inputs:
skip-maven-central: {
@@ -17,6 +23,12 @@ on:
type: boolean,
default: false
}
+ maven-central-auto-publish: {
+ description: 'Automatically publish to Maven Central. Deactivate to manually publish at https://central.sonatype.com/publishing/deployments',
+ required: true,
+ type: boolean,
+ default: true
+ }
skip-github-release: {
description: Skip creating the GitHub release,
required: true,
@@ -56,7 +68,7 @@ jobs:
11
17
cache: maven
- server-id: ossrh
+ server-id: maven-central-portal
server-username: MAVEN_USERNAME
server-password: MAVEN_PASSWORD
gpg-private-key: ${{ secrets.OSSRH_GPG_SECRET_KEY }}
@@ -120,11 +132,18 @@ jobs:
if: ${{ true && (! inputs.skip-maven-central) }}
run: |
echo "#### Maven Central Release" >> "$GITHUB_STEP_SUMMARY"
- mvn --batch-mode -Dgpg.skip=false -DskipTests deploy
- echo "Published to Maven Central ✅" >> "$GITHUB_STEP_SUMMARY"
+ mvn --batch-mode -Dgpg.skip=false -DskipTests deploy \
+ -Dcentral-publishing.deploymentName="Auto release of repo ${{ github.repository }} using PK release.yml" \
+ -Dcentral-publishing.autoPublish=${{ inputs.maven-central-auto-publish }}
+ if [[ "${{ inputs.maven-central-auto-publish }}" == "true" ]]; then
+ echo "Published to Maven Central ✅" >> "$GITHUB_STEP_SUMMARY"
+ else
+ echo "Uploaded to Maven Central ✅" >> "$GITHUB_STEP_SUMMARY"
+ echo "⚠️ Go to https://central.sonatype.com/publishing/deployments to publish the release ⚠️" >> "$GITHUB_STEP_SUMMARY"
+ fi
env: {
- MAVEN_USERNAME: '${{ secrets.OSSRH_USERNAME }}',
- MAVEN_PASSWORD: '${{ secrets.OSSRH_PASSWORD }}',
+ MAVEN_USERNAME: '${{ secrets.MAVEN_CENTRAL_PORTAL_USERNAME }}',
+ MAVEN_PASSWORD: '${{ secrets.MAVEN_CENTRAL_PORTAL_TOKEN }}',
MAVEN_GPG_PASSPHRASE: '${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}'
}
- name: Calculate Artifact Checksums
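Review bot: The new `run:` block interpolates `${{ github.repository }}` and `${{ inputs.maven-central-auto-publish }}` directly into shell text (the `-Dcentral-publishing.deploymentName` line and the `if [[ ... ]]` test), although the step's `env:` block directly below already exists for passing values into the script. Both values are low-risk here — the input is declared `type: boolean` and repository names are restricted — but routing variable data through the environment instead of expression substitution is the recommended pattern for `run:` steps and keeps the script free of quoting surprises; `GITHUB_REPOSITORY` is already set by the runner, and the input can be added to `env:`.
```yaml
        run: |
          echo "#### Maven Central Release" >> "$GITHUB_STEP_SUMMARY"
          mvn --batch-mode -Dgpg.skip=false -DskipTests deploy \
            -Dcentral-publishing.deploymentName="Auto release of repo $GITHUB_REPOSITORY using PK release.yml" \
            -Dcentral-publishing.autoPublish="$AUTO_PUBLISH"
          if [[ "$AUTO_PUBLISH" == "true" ]]; then
          # … unchanged: step-summary messages for both branches …
          fi
        env: {
          AUTO_PUBLISH: '${{ inputs.maven-central-auto-publish }}',
          # … unchanged: MAVEN_USERNAME, MAVEN_PASSWORD, MAVEN_GPG_PASSPHRASE …
        }
```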
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 30f0f3f..f673fd5 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -18,5 +18,6 @@
"sonarlint.connectedMode.project": {
"connectionId": "exasol",
"projectKey": "com.exasol:udf-debugging-java"
- }
-}
+ },
+ "java.configuration.updateBuildConfiguration": "automatic"
+}
\ No newline at end of file
diff --git a/dependencies.md b/dependencies.md
index 3778478..b8962ce 100644
--- a/dependencies.md
+++ b/dependencies.md
@@ -57,12 +57,12 @@
| [Apache Maven GPG Plugin][51] | [Apache-2.0][12] |
| [Apache Maven Source Plugin][52] | [Apache License, Version 2.0][12] |
| [Apache Maven Javadoc Plugin][53] | [Apache-2.0][12] |
-| [Nexus Staging Maven Plugin][54] | [Eclipse Public License][55] |
-| [Maven Failsafe Plugin][56] | [Apache-2.0][12] |
-| [JaCoCo :: Maven Plugin][57] | [EPL-2.0][6] |
-| [Quality Summarizer Maven Plugin][58] | [MIT License][59] |
-| [error-code-crawler-maven-plugin][60] | [MIT License][61] |
-| [Git Commit Id Maven Plugin][62] | [GNU Lesser General Public License 3.0][63] |
+| [Central Publishing Maven Plugin][54] | [The Apache License, Version 2.0][12] |
+| [Maven Failsafe Plugin][55] | [Apache-2.0][12] |
+| [JaCoCo :: Maven Plugin][56] | [EPL-2.0][6] |
+| [Quality Summarizer Maven Plugin][57] | [MIT License][58] |
+| [error-code-crawler-maven-plugin][59] | [MIT License][60] |
+| [Git Commit Id Maven Plugin][61] | [GNU Lesser General Public License 3.0][62] |
[0]: https://github.com/eclipse-ee4j/jsonp
[1]: https://projects.eclipse.org/license/epl-2.0
@@ -118,13 +118,12 @@
[51]: https://maven.apache.org/plugins/maven-gpg-plugin/
[52]: https://maven.apache.org/plugins/maven-source-plugin/
[53]: https://maven.apache.org/plugins/maven-javadoc-plugin/
-[54]: http://www.sonatype.com/public-parent/nexus-maven-plugins/nexus-staging/nexus-staging-maven-plugin/
-[55]: http://www.eclipse.org/legal/epl-v10.html
-[56]: https://maven.apache.org/surefire/maven-failsafe-plugin/
-[57]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
-[58]: https://github.com/exasol/quality-summarizer-maven-plugin/
-[59]: https://github.com/exasol/quality-summarizer-maven-plugin/blob/main/LICENSE
-[60]: https://github.com/exasol/error-code-crawler-maven-plugin/
-[61]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
-[62]: https://github.com/git-commit-id/git-commit-id-maven-plugin
-[63]: http://www.gnu.org/licenses/lgpl-3.0.txt
+[54]: https://central.sonatype.org
+[55]: https://maven.apache.org/surefire/maven-failsafe-plugin/
+[56]: https://www.jacoco.org/jacoco/trunk/doc/maven.html
+[57]: https://github.com/exasol/quality-summarizer-maven-plugin/
+[58]: https://github.com/exasol/quality-summarizer-maven-plugin/blob/main/LICENSE
+[59]: https://github.com/exasol/error-code-crawler-maven-plugin/
+[60]: https://github.com/exasol/error-code-crawler-maven-plugin/blob/main/LICENSE
+[61]: https://github.com/git-commit-id/git-commit-id-maven-plugin
+[62]: http://www.gnu.org/licenses/lgpl-3.0.txt
diff --git a/doc/changes/changelog.md b/doc/changes/changelog.md
index 39e84a8..0df245b 100644
--- a/doc/changes/changelog.md
+++ b/doc/changes/changelog.md
@@ -1,5 +1,6 @@
# Changes
+* [0.6.17](changes_0.6.17.md)
* [0.6.16](changes_0.6.16.md)
* [0.6.15](changes_0.6.15.md)
* [0.6.14](changes_0.6.14.md)
diff --git a/doc/changes/changes_0.6.17.md b/doc/changes/changes_0.6.17.md
new file mode 100644
index 0000000..5c18ce0
--- /dev/null
+++ b/doc/changes/changes_0.6.17.md
@@ -0,0 +1,44 @@
+# Udf Debugging Java 0.6.17, released 2025-07-31
+
+Code name: Fix CVE-2025-48924 in `org.apache.commons:commons-lang3:jar:3.16.0:compile`
+
+## Summary
+
+This release fixes the following vulnerabilities:
+
+### CVE-2025-48924 (CWE-674) in dependency `org.apache.commons:commons-lang3:jar:3.16.0:compile`
+
+Uncontrolled Recursion vulnerability in Apache Commons Lang.
+
+This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
+
+The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
+StackOverflowError could cause an application to stop.
+
+Users are recommended to upgrade to version 3.18.0, which fixes the issue.
+
+CVE: CVE-2025-48924
+CWE: CWE-674
+
+#### References
+
+- https://ossindex.sonatype.org/vulnerability/CVE-2025-48924?component-type=maven&component-name=org.apache.commons%2Fcommons-lang3&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
+- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-48924
+- https://github.com/advisories/GHSA-j288-q9x7-2f5v
+
+## Security
+
+* #77: Fixed vulnerability CVE-2025-48924 in dependency `org.apache.commons:commons-lang3:jar:3.16.0:compile`
+
+## Dependency Updates
+
+### Compile Dependency Updates
+
+* Updated `org.apache.commons:commons-compress:1.27.1` to `1.28.0`
+
+### Plugin Dependency Updates
+
+* Updated `com.exasol:error-code-crawler-maven-plugin:2.0.3` to `2.0.4`
+* Updated `com.exasol:project-keeper-maven-plugin:5.1.0` to `5.2.3`
+* Added `org.sonatype.central:central-publishing-maven-plugin:0.7.0`
+* Removed `org.sonatype.plugins:nexus-staging-maven-plugin:1.7.0`
diff --git a/pk_generated_parent.pom b/pk_generated_parent.pom
index 26ca8c2..b55af02 100644
--- a/pk_generated_parent.pom
+++ b/pk_generated_parent.pom
@@ -3,7 +3,7 @@
4.0.0
com.exasol
udf-debugging-java-generated-parent
- 0.6.16
+ 0.6.17
pom
UTF-8
@@ -14,17 +14,11 @@
https://sonarcloud.io
true
+ false
+ false
+ validated
+ Manual deployment of repo udf-debugging-java
-
-
- ossrh
- https://oss.sonatype.org/content/repositories/snapshots
-
-
- ossrh
- https://oss.sonatype.org/service/local/staging/deploy/maven2/
-
-
MIT License
@@ -315,25 +309,18 @@
- org.sonatype.plugins
- nexus-staging-maven-plugin
- 1.7.0
+ org.sonatype.central
+ central-publishing-maven-plugin
+ 0.7.0
+ true
- true
- ossrh
- https://oss.sonatype.org/
- 15
- 30
+ maven-central-portal
+
+ ${central-publishing.autoPublish}
+ ${central-publishing.waitUntil}
+ ${central-publishing.deploymentName}
+ ${central-publishing.skipPublishing}
-
-
- default-deploy
- deploy
-
- deploy
-
-
-
org.apache.maven.plugins
@@ -412,7 +399,7 @@
com.exasol
error-code-crawler-maven-plugin
- 2.0.3
+ 2.0.4
verify
diff --git a/pom.xml b/pom.xml
index b55779c..eb5ed0d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,8 +1,8 @@
-
+
4.0.0
udf-debugging-java
- 0.6.16
+ 0.6.17
udf-debugging-java
Utilities for debugging, profiling and code coverage measure for UDFs.
https://github.com/exasol/udf-debugging-java/
@@ -57,7 +57,7 @@
org.apache.commons
commons-compress
- 1.27.1
+ 1.28.0
@@ -139,7 +139,7 @@
com.exasol
project-keeper-maven-plugin
- 5.1.0
+ 5.2.3
@@ -168,7 +168,7 @@
CVE-2017-10355
-
+
CVE-2024-55551
@@ -178,7 +178,7 @@
udf-debugging-java-generated-parent
com.exasol
- 0.6.16
+ 0.6.17
pk_generated_parent.pom